hacktricks/network-services-pentesting/3299-pentesting-saprouter.md

{% hint style="success" %}
Učite i vežbajte AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Učite i vežbajte GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Podržite HackTricks</summary>

* Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
* **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.

</details>
{% endhint %}
```text
PORT     STATE SERVICE    VERSION
3299/tcp open  saprouter?
```
This is a summary of the post from [https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/](https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/)

## Razumevanje penetracije SAProuter-a sa Metasploit-om

SAProuter deluje kao obrnuti proxy za SAP sisteme, prvenstveno za kontrolu pristupa između interneta i unutrašnjih SAP mreža. Obično je izložen internetu omogućavanjem TCP porta 3299 kroz organizacione vatrozidove. Ova postavka čini SAProuter privlačnom metom za pentesting jer može poslužiti kao prolaz ka mrežama visoke vrednosti.

**Skener i prikupljanje informacija**

U početku se vrši skeniranje kako bi se utvrdilo da li SAP router radi na datoj IP adresi koristeći **sap_service_discovery** modul. Ovaj korak je ključan za utvrđivanje prisustva SAP router-a i njegovog otvorenog porta.
```text
msf> use auxiliary/scanner/sap/sap_service_discovery
msf auxiliary(sap_service_discovery) > set RHOSTS 1.2.3.101
msf auxiliary(sap_service_discovery) > run
```
Nakon otkrića, vrši se dalja istraga konfiguracije SAP rutera pomoću **sap_router_info_request** modula kako bi se potencijalno otkrili detalji interne mreže.
```text
msf auxiliary(sap_router_info_request) > use auxiliary/scanner/sap/sap_router_info_request
msf auxiliary(sap_router_info_request) > set RHOSTS 1.2.3.101
msf auxiliary(sap_router_info_request) > run
```
**Enumerating Internal Services**

Sa dobijenim uvidima u unutrašnju mrežu, **sap_router_portscanner** modul se koristi za ispitivanje unutrašnjih hostova i usluga putem SAProuter-a, omogućavajući dublje razumevanje unutrašnjih mreža i konfiguracija usluga.
```text
msf auxiliary(sap_router_portscanner) > set INSTANCES 00-50
msf auxiliary(sap_router_portscanner) > set PORTS 32NN
```
Ova fleksibilnost modula u ciljanju specifičnih SAP instanci i portova čini ga efikasnim alatom za detaljno istraživanje interne mreže.

**Napredno enumerisanje i mapiranje ACL-a**

Dalje skeniranje može otkriti kako su liste za kontrolu pristupa (ACL) konfigurisane na SAProuter-u, detaljno prikazujući koje su veze dozvoljene ili blokirane. Ove informacije su ključne za razumevanje bezbednosnih politika i potencijalnih ranjivosti.
```text
msf auxiliary(sap_router_portscanner) > set MODE TCP
msf auxiliary(sap_router_portscanner) > set PORTS 80,32NN
```
**Blind Enumeration of Internal Hosts**

U scenarijima gde su direktne informacije iz SAProuter-a ograničene, tehnike poput slepe enumeracije mogu se primeniti. Ovaj pristup pokušava da pogodi i verifikuje postojanje internih imena hostova, otkrivajući potencijalne mete bez direktnih IP adresa.

**Leveraging Information for Penetration Testing**

Nakon što su mapirali mrežu i identifikovali dostupne usluge, pen-testeri mogu iskoristiti proxy mogućnosti Metasploit-a da se prebacuju kroz SAProuter za dalju eksploraciju i eksploataciju internih SAP usluga.
```text
msf auxiliary(sap_hostctrl_getcomputersystem) > set Proxies sapni:1.2.3.101:3299
msf auxiliary(sap_hostctrl_getcomputersystem) > set RHOSTS 192.168.1.18
msf auxiliary(sap_hostctrl_getcomputersystem) > run
```
**Zaključak**

Ovaj pristup naglašava važnost sigurnih konfiguracija SAProuter-a i ističe potencijal za pristup unutrašnjim mrežama kroz ciljani pentesting. Pravilno osiguranje SAP rutera i razumevanje njihove uloge u arhitekturi mrežne sigurnosti je ključno za zaštitu od neovlašćenog pristupa.

Za detaljnije informacije o Metasploit modulima i njihovoj upotrebi, posetite [Rapid7-ovu bazu podataka](http://www.rapid7.com/db).

## **Reference**

* [https://www.rapid7.com/blog/post/2014/01/09/piercing-saprouter-with-metasploit/](https://www.rapid7.com/blog/post/2014/01/09/piercing-saprouter-with-metasploit/)

## Shodan

* `port:3299 !HTTP Network packet too big`


{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`{% hint style="success" %}`
			`Učite i vežbajte AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Učite i vežbajte GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`<summary>Podržite HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`* Proverite [planove pretplate](https://github.com/sponsors/carlospolop)!`
			`* Pridružite se 💬 [Discord grupi](https://discord.gg/hRep4RUj7f) ili [telegram grupi](https://t.me/peass) ili pratite nas na Twitteru 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Podelite hakerske trikove slanjem PR-ova na [HackTricks](https://github.com/carlospolop/hacktricks) i [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`{% endhint %}`
GitBook: [master] one page modified 2020-09-24 19:49:25 +00:00			```text
			`PORT STATE SERVICE VERSION`
			`3299/tcp open saprouter?`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`This is a summary of the post from [https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/](https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`## Razumevanje penetracije SAProuter-a sa Metasploit-om`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`SAProuter deluje kao obrnuti proxy za SAP sisteme, prvenstveno za kontrolu pristupa između interneta i unutrašnjih SAP mreža. Obično je izložen internetu omogućavanjem TCP porta 3299 kroz organizacione vatrozidove. Ova postavka čini SAProuter privlačnom metom za pentesting jer može poslužiti kao prolaz ka mrežama visoke vrednosti.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`Skener i prikupljanje informacija`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`U početku se vrši skeniranje kako bi se utvrdilo da li SAP router radi na datoj IP adresi koristeći sap_service_discovery modul. Ovaj korak je ključan za utvrđivanje prisustva SAP router-a i njegovog otvorenog porta.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```text
			`msf> use auxiliary/scanner/sap/sap_service_discovery`
			`msf auxiliary(sap_service_discovery) > set RHOSTS 1.2.3.101`
			`msf auxiliary(sap_service_discovery) > run`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`Nakon otkrića, vrši se dalja istraga konfiguracije SAP rutera pomoću sap_router_info_request modula kako bi se potencijalno otkrili detalji interne mreže.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```text
Translated to Serbian 2024-02-10 13:11:20 +00:00			`msf auxiliary(sap_router_info_request) > use auxiliary/scanner/sap/sap_router_info_request`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`msf auxiliary(sap_router_info_request) > set RHOSTS 1.2.3.101`
			`msf auxiliary(sap_router_info_request) > run`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`Enumerating Internal Services`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`Sa dobijenim uvidima u unutrašnju mrežu, sap_router_portscanner modul se koristi za ispitivanje unutrašnjih hostova i usluga putem SAProuter-a, omogućavajući dublje razumevanje unutrašnjih mreža i konfiguracija usluga.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```text
			`msf auxiliary(sap_router_portscanner) > set INSTANCES 00-50`
			`msf auxiliary(sap_router_portscanner) > set PORTS 32NN`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`Ova fleksibilnost modula u ciljanju specifičnih SAP instanci i portova čini ga efikasnim alatom za detaljno istraživanje interne mreže.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`Napredno enumerisanje i mapiranje ACL-a`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`Dalje skeniranje može otkriti kako su liste za kontrolu pristupa (ACL) konfigurisane na SAProuter-u, detaljno prikazujući koje su veze dozvoljene ili blokirane. Ove informacije su ključne za razumevanje bezbednosnih politika i potencijalnih ranjivosti.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```text
Translated to Serbian 2024-02-10 13:11:20 +00:00			`msf auxiliary(sap_router_portscanner) > set MODE TCP`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`msf auxiliary(sap_router_portscanner) > set PORTS 80,32NN`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`Blind Enumeration of Internal Hosts`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`U scenarijima gde su direktne informacije iz SAProuter-a ograničene, tehnike poput slepe enumeracije mogu se primeniti. Ovaj pristup pokušava da pogodi i verifikuje postojanje internih imena hostova, otkrivajući potencijalne mete bez direktnih IP adresa.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`Leveraging Information for Penetration Testing`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`Nakon što su mapirali mrežu i identifikovali dostupne usluge, pen-testeri mogu iskoristiti proxy mogućnosti Metasploit-a da se prebacuju kroz SAProuter za dalju eksploraciju i eksploataciju internih SAP usluga.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```text
			`msf auxiliary(sap_hostctrl_getcomputersystem) > set Proxies sapni:1.2.3.101:3299`
			`msf auxiliary(sap_hostctrl_getcomputersystem) > set RHOSTS 192.168.1.18`
			`msf auxiliary(sap_hostctrl_getcomputersystem) > run`
			```
Translated to Serbian 2024-02-10 13:11:20 +00:00			`Zaključak`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`Ovaj pristup naglašava važnost sigurnih konfiguracija SAProuter-a i ističe potencijal za pristup unutrašnjim mrežama kroz ciljani pentesting. Pravilno osiguranje SAP rutera i razumevanje njihove uloge u arhitekturi mrežne sigurnosti je ključno za zaštitu od neovlašćenog pristupa.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`Za detaljnije informacije o Metasploit modulima i njihovoj upotrebi, posetite [Rapid7-ovu bazu podataka](http://www.rapid7.com/db).`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated to Serbian 2024-02-10 13:11:20 +00:00			`## Reference`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
a 2024-02-08 21:36:35 +00:00			`* [https://www.rapid7.com/blog/post/2014/01/09/piercing-saprouter-with-metasploit/](https://www.rapid7.com/blog/post/2014/01/09/piercing-saprouter-with-metasploit/)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
a 2024-02-08 21:36:35 +00:00			`## Shodan`
GitBook: [master] 378 pages modified 2020-10-05 21:51:08 +00:00
			* `port:3299 !HTTP Network packet too big`

Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`<summary>Support HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:21:53 +00:00			`{% endhint %}`