Home

Awesome

SAP Dissector Plugin for Wireshark

:warning: This project is currently archived

:information_source: The code was contributed by SecureAuth to the main Wireshark project. Further development of the SAP protocols dissectors can be followed in Wireshark' Gitlab repository.


Build and test Ubuntu plug-in Build and test MacOS plug-in Build and test Windows plug-in

SECUREAUTH LABS. Copyright (C) 2022 SecureAuth Corporation. All rights reserved.

Version 0.10.1.dev0 (XXX 2022)

Overview

SAP Netweaver and SAP HANA are technology platforms for building and integrating SAP business applications. Communication between components uses different network protocols. While some of them are standard and well-known protocols, others are proprietaries and public information is not available.

This Wireshark plugin provides dissection of SAP's NI, Message Server, Router, Diag, Enqueue, IGS, SNC and HDB protocols. The dissectors are based on information acquired at researching the different protocols and services. Additional experimental support is included for SAP's RFC protocol. Detailed information about the research can be found in pysap's documentation.

Features

This plugin counts on several dissectors:

Installation & Build

This Wireshark plugin is not distributed as part of the Wireshark source. It can be built as a standalone plugin, or as part of Wireshark, and is compatible with version 3.6.

A comprehensive guide of how to compile and install the dissector in Ubuntu and macOS has been published as a blog post in SAP's community. A more brief guide is provided below.

Installing on Linux

As a standalone plugin

To build and install the plugin on Debian/Ubuntu linux distributions:

sudo add-apt-repository ppa:wireshark-dev/stable -y
sudo apt-get update
sudo apt-get install wireshark wireshark-dev
git clone https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/
cd SAP-Dissection-plug-in-for-Wireshark/
mkdir build
cd build
cmake ..
make
make install

As part of Wireshark

The following steps are required to build and install the plugin as part of Wireshark:

  1. Download and decompress the Wireshark version 3.6 source or checkout the code from the source repository.

    git clone https://gitlab.com/wireshark/wireshark
    cd wireshark
    git checkout release-3.6
    
  2. Copy the SAP Wireshark Plugin to a new plugins/epan/sap directory.

    git clone https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/ plugins/epan/sap
    
  3. Configure the plugin to be included in the build process. This step can be performed using the patch file provided. At the root directory run:

    git apply plugins/epan/sap/wireshark-release-3.6.patch
    
  4. Perform a new build including the plugin. At the root directory run:

    mkdir -p build
    cd build
    cmake ..
    make
    sudo make install
    

Using Vagrant

Vagrant is a Virtual Machine management software that allows creating reproducible virtual machines. In order to make it easier to compile and test the plugin, a pre-configured Vagrantfile is provided for using it with Vagrant 1.8. The Vagrantfile provided with the plugin is configured to use VirtualBox and perform a build of the plugin inside a Ubuntu 18.04 distribution.

Two machines are provided to build the plugin:

The following steps can be used to setup a Vagrant machine and build the plugin:

  1. Install VirtualBox and Vagrant 1.8 or greater.

    sudo apt-get install virtualbox vagrant
    
  2. Inside the plugin's directory, launch the desired Vagrant machine, in this case standalone:

    vagrant up standalone
    
  3. Login into the Vagrant machine and run Wireshark:

    vagrant ssh standalone
    wireshark
    

Installing on Windows

Windows build can be only performed as part of the whole Wireshark. The following steps are required to compile the plugin on Windows:

  1. Follow the step-to-step guide for building Wireshark on Windows.

  2. Copy the SAP Wireshark Plugin to a new plugins/epan/sap directory.

  3. Configure the plugin to be included in the build process. This step can be performed using the patch file provided. At the root directory run:

    git apply plugins/epan/sap/wireshark-release-3.6.patch
    
  4. Perform a new build including the plugin.

Installing on OSX

The build process for OSX is similar to the one for Linux systems. It was reported that compiling Wireshark on OSX requires fixing link for the gettext library if it was installed using homebrew.

Penetration testing distribution and frameworks

The plugin is available for installation on several penetration testing distributions and frameworks.

Installing on Pentoo

Installation on the Pentoo livecd distribution:

emerge net-misc/wireshark-sap-plugin

Installing with The PenTesters Framework (PTF)

Installation on Debian, Ubuntu and ArchLinux can be performed using The PenTesters Framework (PTF). From inside the ptf command-line, run:

use modules/intelligence-gathering/sap-wireshark-plugin
install

Using Docker

jbelamor built a docker container for compiling and setting up the plugin. Check it out at docker_wireshark_sap_plugin.

Additional notes

It's worth mentioning that compression libraries for SAP Diag/RFC protocol are originally written in C++, thus the entire plugin needs to be compiled for C++. See Wireshark's portability notes for more information.

Usage

Traffic dissection

After the plugin is installed, it will automatically dissect SAP protocols' traffic if using default ports. If required, ports can be modified on SAP NI protocol as well as sub-dissectors' preferences.

SAP NI preferences

SAP Diag preferences

SAP Diag Gui Logon Password filter

DYNT_ATOM items contains data entered into screen fields. The following filter could be used for identifying packets containing fields marked as "invisible" (fields that are masked in the SAP GUI screen) in search for sensitive data. Early packets in a Diag session probably contains values for user id and password fields.

sapdiag.item.value.dyntatom.item.attr.INVISIBLE == 1

The same results can be achieved also using expert info (security group):

sapdiag.item.value.dyntatom.item.password

SAP Diag login password

License

This Wireshark plugin is distributed under the GPLv2 license. Check the COPYING file for more details.

Authors

The library was designed and developed by Martin Gallo from SecureAuth's Innovation Labs team, with the help of many contributors.

Contributors

Contributions made by:

Disclaimer

The spirit of this Open Source initiative is to help security researchers, and the community, speed up research and educational activities related to the implementation of networking protocols and stacks.

The information in this repository is for research and educational purposes and not meant to be used in production environments and/or as part of commercial products.

If you desire to use this code or some part of it for your own uses, we recommend applying proper security development life cycle and secure coding practices, as well as generate and track the respective indicators of compromise according to your needs.

Contact Us

Whether you want to report a bug, send a patch, or give some suggestions on this package, drop us a few lines at oss@secureauth.com.

For security-related questions check our security policy.