
Finding exposed SAP-Webservices

SAP UPDATE: I found a much quicker way to take the screenshots:
Taking Screenshots from a list of URLs with EyeWitness

ATTENTION: Only scan systems, if you have a mandate to do so! If you don't have permission, it might be at best impolite, at worst illegal to scan any systems!

Now that we have the disclaimer out of the way, let's start...

If you want to find out what Webservices a SAP-System exposes either internally or over the internet, there are a couple of ways to find out. In this post, I will show you two of them.

The slow way is via the SAP transaction SICF:
Execute SICF, press F8 in the selection screen and then choose your system in the menu.
You can now click through all the different services.
If the name is greyed out, the service is inactive.
You can enter the path of the server in your browser to have a look at the service.
For example, if you take the path sap/public/icf_info, you can open it by adding the hostname or IP of the system: http://mysapsystem.local/sap/public/icf_info

If you want to look at all services this way, it would take a long time...

Now for a quicker solution - metasploit to the rescue!

What we need:
Metasploit - obviously
and the Firefox Add-On Grab-Them-All

Start Metasploit as usual and open the module sap_icm_urlscan:

msf> use auxiliary/scanner/sap/sap_icm_urlscan
msf> set RHOSTS http://mysapsystem.local
(or whatever)
msf> run

Now you will get a long list with URLs that the module has tested.
At the end it will show you the path to a textfile containing the URLs.
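
One way to turn that URL file into a checklist for comparing against SICF, as an added example that is not part of the original post. It assumes the file holds one URL per line (the layout is not shown here); the sample URLs are constructed, and sicf_path and review_list are hypothetical helper names. Paths under sap/public are listed separately because those services are meant to be reachable without logon.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample input; assumed layout: one URL per line.
SAMPLE = """\
http://mysapsystem.local/sap/public/icf_info
http://mysapsystem.local/sap/public/icf_info/
http://mysapsystem.local/sap/public/info?x=1
http://mysapsystem.local/sap/bc/soap/rfc
http://mysapsystem.local/sap/bc/gui/sap/its/webgui
not-a-url
"""

def sicf_path(url):
    """Return (host, SICF node path) for an http(s) URL, else None."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:              # malformed URL, e.g. broken IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # SICF shows node paths without leading/trailing slash; query is dropped.
    path = parts.path.strip("/")
    return (parts.hostname, path) if path else None

def review_list(lines):
    """Group unique service paths per host into 'public' and 'other'."""
    seen = defaultdict(lambda: {"public": set(), "other": set()})
    for line in lines:
        hit = sicf_path(line)
        if hit is None:
            continue                # skip blank or non-URL lines
        host, path = hit
        bucket = "public" if path.startswith("sap/public/") else "other"
        seen[host][bucket].add(path)
    return {h: {k: sorted(v) for k, v in b.items()} for h, b in seen.items()}

if __name__ == "__main__":
    for host, buckets in review_list(SAMPLE.splitlines()).items():
        print(host)
        for path in buckets["public"]:
            print("  review first (no logon expected):", path)
        for path in buckets["other"]:
            print("  check in SICF:", path)
```

Each printed path can be looked up directly in the SICF tree to decide whether the service needs to stay active.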

There are many ways to generate Screenshots of the URLs we have found, but this is the one I prefer:
Open Firefox and install the Add-on Grab-Them-All

After a restart of Firefox, press ALT to open the menu and go to Extras -> Grab-Them-All
Press the Button "File with URLs to grab" and select the file that metasploit dumped in the filesystem.
Select a destination folder for your screenshots and press Lets go!

A preview-window will open and show you the progress.

If a page requires credentials, you will be prompted for them.

After the tool is finished, you will have some nice screenshots of all pages that were found.

There are other plugins, better ways and so on, but this is the way I used and it worked for me :-)