Table of content

MSF Plugin


  • auxiliary/scanner/sap/sap_icm_urlscan

Scan unauthenticated SAP URI. It can find some administration without access control.

It could be then interesting to run a webscreenshotter on these URL to easily detect sensitive accessible pages.

  • auxiliary/scanner/sap/sap_icf_public_info

Retrieve SAP publicly available information such as SAP service exposed, database server, mandant, etc...

Brute force

SAP implement anti-bruteforce mecanism, be careful or you will lock all your accounts

  • auxiliary/scanner/sap/sap_web_gui_brute_login

Perform a PING RFC request with Authorization header (base64(username:password))

Standard exploits

It can be usefull to launch these exploit. However, these exploits can triggered SOC alerts

  • exploit/multi/sap/sap_soap_rfc_sxpg_call_system_exec
  • exploit/multi/sap/sap_soap_rfc_sxpg_command_exec
  • auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec
  • auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec
  • exploit/windows/http/sap_host_control_cmd_exec
  • exploit/multi/sap/sap_mgmt_con_osexec_payload
  • exploit/windows/http/sap_configservlet_exec_noauth
  • exploit/windows/misc/sap_netweaver_dispatcher

SAP service


  • Port : 5X013

The X value is the number of the SAP instance

The WSDL file can be downloaded at :


It is possible to download Java SAP administration console with an HTTP request

wget ip:5X13/sapmc.jar -o sapmc.jar
wget ip:5X13/sapmcsoap.jar -o sapmcsoap.jar
wget ip:5X13/sapmcswing.jar -o sapmcswing.jar
wget ip:5X13/frog.jar -o frog.jar

Then, the application can be launched using :

java -classpath "./sapmc.jar;./sapmcsoap.jar;./sapmcswing.jar;./frog.jar" com/sap/managementconsole/swing/main/ManagementConsole

Web interface

To loggin through the web interface go on the URI /WEBGUI

Several administration pages are exposed as webservice (WebDynPro)

Thick client

SAP communication are usually performed on port 3201. The data flux is compressed, but Wireshark plugins can decompress the data on the fly.

Just download the dll in the release section and copy it here


Once, network packets decompressed, it could be possible to see connection informations as it is shown in the following figure :

Wireshark capture

The figure shows the connection of the user EARLYWATCH on the mandant 066 using the password SUPPORT

The following figure shows the Wireshark result if packets are ciphered:

Wireshark ciphered capture


RFC are SOAP request allowing to mimic some actions performed by SAP transaction such as displaying table, retrieving information...

Display table

The following request can be used to display an SAP table through RFC

<?xml version="1.0" encoding="utf-8" ?>
<env:Envelope xmlns:xsd="" xmlns:env="" xmlns:xsi="">
        <n1:RFC_READ_TABLE xmlns:n1="urn:sap-com:document:sap:rfc:functions" env:encodingStyle="">
            <DELIMITER xsi:type="xsd:string">
            <NO_DATA xsi:nil="true"></NO_DATA>
            <QUERY_TABLE xsi:type="xsd:string">TABLE NAME</QUERY_TABLE>
            <DATA xsi:nil="true"></DATA>
            <FIELDS xsi:nil="true">
            <OPTIONS xsi:nil="true"></OPTIONS>

To minimize the number of result displayed, it is possible to add the <ROWCOUNT>10</ROWCOUNT> tag before the closing RFC_READ_TABLE tag.

SAP table

User information


This table contains the username, password and role of the users.

  • BNAME : Field storing the username
  • BCODE : Field storing the password hash key
  • PASSCODE : Field storing the password hash (SHA1 - 160bits)
  • PWDSALTEDHASH : Field storing the password hash (Various hash algorithm)
  • UFLAG : Field storing the user lock status
    0 : Account unlocked
    32 : Locked by CUA central administration
    64 : Locked by administrator
    128 : Locked after failed logon

When retrieved through RFC, BCODE and PASSCODE will be trucated and it hardly possible to retrieve the password. However, the PWDSALTEDHASH can be completely retrieved through RFC and thus be cracked using hashcat.

# Create a wordlist with base words stored in file.txt and apply hashcat rules on it
git clone
hashcat -r Hob0Rules/d3adhob0.rule --stdout file.txt > wordlist.txt

# Launch hascat with wordlist
hashcat -m 10300 hash.txt wordlist.txt -o cracked.out --force


This table allows to map profile with users.

  • BNAME : Field storing the username
  • PROFILE : Field storing the profile name


This table is used to store Profile name for role data.

  • PROFILE : Field storing the profile name
  • AGR_NAME : Field storing the role name


This table allow to password restriction. Every value entered in the table will be forbidden as password. Foor example, if the value AB*is entered, every password beginning with AB will be denied.

Functionnal table

These table containes sensitive buisness information such as worker salary.


This table contains the detail of basic pay (worker salary for example)

  • PERNR : Field storing the personnal number
  • BET01 : Field storing the wage type amount for payments
  • ENDDA : Field storing the end date
  • BEGDA : Field storing the start date

System table


This table contains the RFC connections declared

  • RFCDEST : Field storing the logical destination of the RFC connexion


On the thick client, transactions can be run as it is shown in the following figure :

Run transaction


User information system


Check standard user password


Database performance monitor

Allows execution of row SQL query and can be used to rebound from one mandant to another


General table display

Can be used to partially retrieve de user database


Display table content

Can be used to partially retrieve de user database


Execute logical command


RFC destination (Display/Maintain)

Allows to display RFC connections and the links between different systems

Configuration review

Password policy

The pasword policy can be explored through the RZ11 transaction and by looking at the following parameters


User able to run a given transaction

It is possible to retrieve users that has the privileged need to run a given transaction through the SUIM transaction and by following this scheme:

SUIM > User > User with complexe criteria > By transaction autorisation

It is interesting to look at the SM49, SE16 and the ST04 transaction.


results matching ""

    No results matching ""

    results matching ""

      No results matching ""