Blackhat Arsenal 2012 Releases: SAP Proxy The Arsenal 2012 Release

The analysis and reverse engineering of SAP GUI network traffic has been the subject of numerous research projects in the past, and several methods have been available in the past for decoding SAP DIAG traffic. Until the release of SensePost’s freely available proof of concept SAP DIAG tools (SAPProx and SApCap) in 2011, most methods were complicated and convoluted, or not in the public domain.

Ian from Sensepost Team demonstrating the capabilities of SAP Proxy Tool

SAP is widely used and normally stores information of great sensitivity to companies. However, by default the communication protocol can be described as telnet-meets-gzip and Secure Network Communication (SNC) is not enabled in most organisations where SAP GUI is used. Furthermore, the protocol can be abused with relatively devastating effect against both server and client side components.

SensePost’s tools for decoding and analysing SAP DIAG protocol has now been refined to a production ready, and offensive platform with scripting and fuzzing support. In addition, the toolset has been extended to include support for intercepting and decoding RFC-based communication.