
Getting Started

randomstr1ng edited this page May 27, 2024 · 24 revisions

Tools & Environment used

We have conducted our tests using Ubuntu 22.04 and, where necessary, Windows, but the tools can be installed on any Linux distribution, macOS or Windows (installation steps for Windows and macOS are not covered here).

| Tool Name | Installation | Additional Notes |
|---|---|---|
| NMAP | sudo apt install nmap | Scan tool. Good for smaller subnets |
| SAPROUTER Utilities | SAP Download Manager | Needs an S-User to download the utilities |
| GIT | sudo apt install git | Content tracker |
| Python | sudo apt install python3 | Can be used for automating detection mechanisms |
| Go | sudo apt install golang-go | Used by tools like nuclei and others |
| nuclei | go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest | Open source security scanner which can be easily customized and extended. |
| Metasploit Framework | curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall | Metasploit is a framework which contains tools, exploits, scanners and capabilities which are helpful for security professionals. More can be found on their GitHub repository |
| SAP Dissector Plugin for Wireshark | https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark#installation--build | This Wireshark plugin provides dissection of SAP's NI, Message Server, Router, Diag, Enqueue, IGS, SNC and HDB protocols |
| Shodan | https://www.shodan.io/ / python3 -m pip install shodan (CLI tool) | Shodan is a search engine for Internet-connected devices. |
| Hunter Search Engine | https://hunter.how/ | Hunter is a search engine for Internet-connected devices. Hunter supports various SAP protocols and applications as well as all 65535 ports. |

Workflow

---
title: Attack Surface Discovery Flow
---
flowchart LR
    A["Portscan (nmap, masscan)"]
    B["Search engine (Shodan, Hunter)"]
    C["Discover open ports"]
    D["Format and merge ports"]
    E["Identify exposed Service (nuclei)"]
    F["Check for Misconfigurations/Vulnerabilities (nuclei)"]
    A --> C
    B --> C
    C --> D
    D --> E
    E --> F

Quickstart

To provide a fast and easy way to set up all the tools, scripts and environments described in this project, a "ready to run" container image is provided. It includes all the tools and scripts pre-installed. In addition, it can be used as a sandbox environment which does not affect the underlying operating system.

This section will provide an overview on how the Container is structured and how to get started with the environment.


About the Container

The container uses Alpine Linux as a base image. On top of it, tools like nmap, nuclei, etc. are already installed. In addition, the nuclei templates from this repository and further helper tools are included.

  • Folder structure
    • /tools: includes all scripts, nuclei templates and additional tools
    • /work: is used for storing output from tools like nmap, etc. This can also be shared with the host to have persistent storage for results.

Requirements

A container runtime like Docker needs to be installed. Use the following official guides to install Docker on the operating system of your choice.

More details can be found in the Docker Docs

The container is built for the x86 architecture. On Apple Silicon processors or other ARM-based systems, Docker needs to be given an additional flag when running the container. More details can be found here

Getting started with the Container

  • To get the latest Container Image, run the following command:
docker pull ghcr.io/securitysilverbacks/sap-attacksurfacediscovery:latest

To update the Image to the latest release, use the same command as documented above.

  • To execute the Container and access the environment, use the following command:
# the option '--rm' deletes the container after exit
# the option '-it' gives interactive access to the container
docker run --rm -it ghcr.io/securitysilverbacks/sap-attacksurfacediscovery:latest

# If the /work folder should be shared with the host, use the following command.
# It mounts the current working directory (pwd) on the /work directory in the container;
# the quotes keep the mount working when the path contains spaces.
docker run --rm -it -v "$(pwd):/work" ghcr.io/securitysilverbacks/sap-attacksurfacediscovery:latest

Manual Setup

Setup NMAP ERPscan probes

After installing the appropriate tools, we start by detecting SAP services that can present a risk to your organization if misused or misconfigured.

Use NMAP-ERPSCAN service probes to find open SAP services for your organization. (External and internal testing is recommended)

# GitHub no longer serves the unauthenticated git:// protocol, so clone over HTTPS
git clone https://github.com/gelim/nmap-erpscan
cd nmap-erpscan
nmap -n --open --datadir . -sV -p $(./sap_ports.py) $TARGET
# Changing the data directory (--datadir) helps to better identify
# SAP services, as their probes are not part of NMAP's default data directory

Instead of using Nmap to identify SAP services, the Metasploit Framework provides the same capability with the module auxiliary/scanner/sap/sap_service_discovery.

Setup nuclei custom SAP templates

To make use of the workflows and templates of nuclei, also clone the SAP Internet Research repository as this includes the necessary files within the nuclei-sap-templates folder.

git clone https://github.com/NO-MONKEY/SAP-Internet-Research

Install Nuclei

Nuclei is written in the Go programming language. Because of this, Go version 1.20 is required for Nuclei to work properly. After installing Go, install Nuclei using the following command:

go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest

To use Homebrew (macOS) or Docker, follow the installation guide

For a detailed guide on how to use Nuclei, the Documentation provides detailed insights

Nuclei Quick Start

Nuclei is highly customizable and can be configured through a large number of command line flags. This section highlights the ones that matter when using the provided templates.

| Command line parameter | Description |
|---|---|
| -t / -templates | specify template / path to templates folder |
| -u / -target | specify target url/host |
| -l / -list | specify a list of target urls/hosts |
| -o / -output | output file to write found issues/vulnerabilities |
| -v / -vv / ... | verbose output; the more 'v', the more verbose |
| -w / -workflows | provide a workflow instead of a template |
| -p / -proxy | list of http/socks5 proxies to use |

Nuclei input schema

The provided nuclei templates expect the following schema for targets:

  • <IP address>:<Port>
  • <IP address>
  • <FQDN>:<Port>
  • <FQDN>

There is no need to specify a scheme like http:// or https://. Where necessary, the template adds the scheme itself.

For successful service identification, the related port must be specified together with the IP address/FQDN in the target list. To identify multiple services on one host with a single list, add the same IP address/FQDN once for every IP/FQDN:port pair.

Example of a list of targets:

example.com
ex4mpl3.com:8443
1.1.1.1
2.2.2.2:8101

The repository includes a tool which extracts all necessary port and IP/hostname information from an nmap scan and generates a list of targets which can be used with Nuclei. More details can be found here
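As an added illustration of the "Format and merge ports" step and of the input schema above (this is example code written for this page, not the repository's own conversion tool), the script below reads an nmap XML report (nmap -oX), emits one host:port line per open port, and merges the result with host:port pairs gathered from a search engine such as Shodan or Hunter. The nmap XML and the search-engine list embedded in the script are constructed sample data so that it runs offline; pass a real scan.xml as the first argument to use it for real.

```python
"""
Added example, not part of the SAP-Internet-Research repository: convert an
nmap XML report into the target list the nuclei SAP templates expect
(one <host>:<port> line per open port) and merge it with host:port pairs
exported from a search engine.

Produce the XML with nmap's -oX option, e.g.
    nmap -n --open --datadir . -sV -p $(./sap_ports.py) -oX scan.xml $TARGET
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample nmap XML report (two hosts, one closed port). It follows the
# layout of real -oX output but the addresses and names are documentation values.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -p 3200,3300,8000,50000 ...">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="sap-erp.example.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="3200"><state state="open"/><service name="sap-dispatcher"/></port>
      <port protocol="tcp" portid="3300"><state state="closed"/></port>
      <port protocol="tcp" portid="50000"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="8000"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed sample of host:port pairs as exported from Shodan/Hunter results.
SAMPLE_SEARCH_ENGINE = ["198.51.100.5:3200", "sap-erp.example.com:50000", "192.0.2.20:8000"]


def nmap_xml_to_targets(xml_text, prefer_hostname=True):
    """Return ['host:port', ...] for every open port in an nmap XML report.

    Closed and filtered ports are skipped, because the templates need a port
    that actually answers. When the host carries a hostname and
    prefer_hostname is set, the FQDN is used as the label, else the address.
    """
    root = ET.fromstring(xml_text)
    targets = []
    for host in root.iter("host"):
        addr = None
        for a in host.findall("address"):
            if a.get("addrtype") in ("ipv4", "ipv6"):
                addr = a.get("addr")
                break
        if addr is None:
            continue
        name = host.find("hostnames/hostname")
        label = name.get("name") if (prefer_hostname and name is not None) else addr
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            targets.append(f"{label}:{port.get('portid')}")
    return targets


def merge_targets(*lists):
    """Merge several target lists, keeping first-seen order and dropping duplicates."""
    seen = set()
    merged = []
    for lst in lists:
        for target in lst:
            target = target.strip()
            if target and target not in seen:
                seen.add(target)
                merged.append(target)
    return merged


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_NMAP_XML
    # The printed lines can be saved to a file and passed to nuclei with -l
    for line in merge_targets(nmap_xml_to_targets(xml_text), SAMPLE_SEARCH_ENGINE):
        print(line)


if __name__ == "__main__":
    main(sys.argv)
```

Redirect the output to a file and hand it to nuclei with -l together with -t pointing at the nuclei-sap-templates folder. With the sample data, the merged list contains sap-erp.example.com:3200, sap-erp.example.com:50000 and 192.0.2.20:8000 from the scan plus 198.51.100.5:3200 from the search engine; the two overlapping entries are emitted only once.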