With NMAP service detection
Posted by Joris van de Vis, SAP Security researcher and co-founder at Protect4S

Introduction
An early step in any SAP penetration test is reconnaissance: building an understanding of the environment you are dealing with. This can be done in several ways.
One often-used technique is port scanning combined with service detection, to find open ports and identify the software and versions running behind them. For this purpose, the guys from ERPScan have developed a lot of SAP probes for NMAP. Using these extended service probes, you can find the most common SAP services such as the RFC gateway, message server, GUI services, HANA database services, etc.
However, when researching SAP MDM servers (see our earlier blog post) we struggled to detect SAP MDM servers over the network, as these were not yet covered by the existing probes. We therefore set out to add SAP MDM support to NMAP so that SAP MDM systems can be detected.
In this post, we explain how this was achieved.
Detecting SAP MDM systems
After setting up a test landscape with 2 different versions of SAP MDM, we used Wireshark to sniff traffic while using the SAP MDM CLIX client to request the version from the server. This was not that easy, as SAP MDM uses a proprietary protocol whose client-server communication changes with each version. Both the client AND the server of SAP MDM need to be on the same version level to communicate properly. If they are not, a “failed CRC check” error is shown, as can be seen in this example:

Yet when sending some specially crafted packets, the response consistently contained a string that robustly indicates the use of the so-called i2A protocol. This is the protocol used for communication with the SAP MDM server, so its presence proves we are dealing with an SAP MDM server. The example below shows part of the TCP stream with the “i2A” string highlighted.

While the version is also clearly visible in the above example, this is only the case when the command we sent matches that specific server version. But even when the server answers with an error, the response still contains the “i2A” string, indicating that we are dealing with an SAP MDM server.
Based on the above, we came up with the following entry for the nmap-service-probes file to detect an SAP MDM system:
##############################NEXT PROBE##############################
# Payload sent to the candidate ports; bytes \x69\x32\x41 are the ASCII string "i2A"
Probe TCP SAPMDM q|\x69\x12\x94\xa2\x00\x69\x32\x41\x09\x00\x00\x00\x01\x00\x01\x00\x43\x2e\x07\x82\x00|
ports 59750,59950
rarity 9
# First match: a reply carrying "Version" (\x56\x65\x72\x73\x69\x6f\x6e) yields product and version
match sapmdm m|\x56\x65\x72\x73\x69\x6f\x6e (\d.{0,30})| p/sap mdm/ v/$1/
# Fallback match: the bare i2A protocol marker (also present in error replies) identifies SAP MDM without a version
match sapmdm m|i2A| p/sap mdm/
##############################NEXT PROBE##############################
When this entry is added to the nmap-service-probes file, SAP MDM servers are detected:
Without SAP MDM support (standard NMAP probes):

With SAP MDM Support:

Or:

To use the entry, please see GitHub, or add it manually to your nmap-service-probes file based on the entry shown above.
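To make the matching logic of the entry concrete, here is a small added example (our own illustration, not code from the post, from Nmap or from Protect4S) that parses the SAPMDM entry and applies its two match lines, in file order, to three constructed responses: a version-bearing reply, a "failed CRC check" style error reply and an unrelated banner. The parser handles only the subset of the nmap-service-probes syntax this entry uses (m|...| patterns with optional i/s flags and p/.../, v/.../ fields); the sample responses are constructed, not captured from a real SAP MDM server, and the fallback match is written as m|i2A| because a "\xi2A" escape is not valid PCRE.

```python
import re
from typing import Optional

# The SAPMDM entry from the post, reproduced as an nmap-service-probes fragment.
# The fallback match is written as m|i2A|: the probe payload above carries the
# same marker as bytes \x69\x32\x41 = "i2A".
SAPMDM_ENTRY = r"""
Probe TCP SAPMDM q|\x69\x12\x94\xa2\x00\x69\x32\x41\x09\x00\x00\x00\x01\x00\x01\x00\x43\x2e\x07\x82\x00|
ports 59750,59950
rarity 9
match sapmdm m|\x56\x65\x72\x73\x69\x6f\x6e (\d.{0,30})| p/sap mdm/ v/$1/
match sapmdm m|i2A| p/sap mdm/
"""

# Field letters used in match lines (the subset this example understands)
FIELD_NAMES = {"p": "product", "v": "version", "i": "info",
               "h": "hostname", "o": "os", "d": "devicetype"}


def unescape(text: str) -> bytes:
    r"""Decode nmap q|...| escapes (\xHH, \r, \n, \0, \\) into raw bytes."""
    return text.encode("latin-1").decode("unicode_escape").encode("latin-1")


def parse_entry(text: str) -> dict:
    """Parse one Probe/ports/rarity/match entry into a dict (subset of the file syntax)."""
    entry = {"name": None, "payload": b"", "ports": [], "rarity": None, "matches": []}
    for line in text.strip().splitlines():
        if line.startswith("#"):
            continue
        if line.startswith("Probe "):
            _, _proto, name, rest = line.split(" ", 3)  # rest is q|...|
            delim = rest[1]
            entry["name"] = name
            entry["payload"] = unescape(rest[2:rest.index(delim, 2)])
        elif line.startswith("ports "):
            entry["ports"] = [int(p) for p in line[len("ports "):].split(",")]
        elif line.startswith("rarity "):
            entry["rarity"] = int(line[len("rarity "):])
        elif line.startswith("match "):
            m = re.match(r"match (\S+) m(.)(.*?)\2([is]*)\s*(.*)$", line)
            service, _delim, regex, flags, fields = m.groups()
            re_flags = (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0)
            entry["matches"].append({
                "service": service,
                # nmap patterns are PCRE; the constructs used here (\xHH, \d, .{m,n})
                # mean the same thing in Python's re module on bytes
                "regex": re.compile(regex.encode("latin-1"), re_flags),
                "fields": {FIELD_NAMES[k]: v
                           for k, v in re.findall(r"([pvihod])/([^/]*)/", fields)},
            })
    return entry


def classify(entry: dict, response: bytes) -> Optional[dict]:
    """Apply the entry's match lines in file order; the first hit wins, as in Nmap."""
    for rule in entry["matches"]:
        m = rule["regex"].search(response)
        if m is None:
            continue
        result = {"service": rule["service"]}
        for field, template in rule["fields"].items():
            # expand $N with the N-th capture group of the match, decoded as latin-1
            result[field] = re.sub(
                r"\$(\d+)",
                lambda g: m.group(int(g.group(1))).decode("latin-1"),
                template)
        return result
    return None


# Constructed sample responses (not captured from a real SAP MDM server):
VERSION_RESPONSE = b"i2A\x00\x00\x17Version 7.1.05.12\nBuild 1234\n"  # version-bearing reply
ERROR_RESPONSE = b"i2A\x00\x00\x10failed CRC check\x00"              # version-mismatch reply
OTHER_RESPONSE = b"SSH-2.0-OpenSSH_8.9\r\n"                          # not SAP MDM at all

if __name__ == "__main__":
    probe = parse_entry(SAPMDM_ENTRY)
    print(probe["name"], probe["ports"], probe["payload"].hex())
    for sample in (VERSION_RESPONSE, ERROR_RESPONSE, OTHER_RESPONSE):
        print(sample[:24], "->", classify(probe, sample))
```

The order of the two match lines matters: the version-bearing reply also contains "i2A", but because the "Version" rule comes first it is the one that fires and fills the version field, while the error reply only satisfies the fallback rule and is reported as SAP MDM without a version. Note that `(\d.{0,30})` is greedy and stops only at a newline or after 30 further bytes, so the captured version string may carry trailing bytes from the reply.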
Happy hunting!
Want to know more about SAP Security? Please get in touch for more information or request an SAP security assessment here and find out how vulnerable your SAP systems are within a few days.