mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-19 01:24:50 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

```text
PORT     STATE SERVICE    VERSION
3299/tcp open  saprouter?
```

This is a summary of the post from [https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/](https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/)

## Understanding SAProuter Penetration with Metasploit

SAProuter acts as a reverse proxy for SAP systems, primarily to control access between the internet and internal SAP networks. It is commonly exposed to the internet by allowing TCP port 3299 through the organization's firewall. This setup makes SAProuter an attractive target for penetration testing because it may serve as a gateway to high-value internal networks.

**Scanning and Information Gathering**

Initially, a scan is performed to identify whether a SAP router is running on a given IP using the **sap_service_discovery** module. This step is crucial for establishing the presence of a SAP router and its open port.

```text
msf> use auxiliary/scanner/sap/sap_service_discovery
msf auxiliary(sap_service_discovery) > set RHOSTS 1.2.3.101
msf auxiliary(sap_service_discovery) > run
```

Following the discovery, further investigation into the SAP router's configuration is carried out with the **sap_router_info_request** module to potentially reveal internal network details.

```text
msf auxiliary(sap_router_info_request) > use auxiliary/scanner/sap/sap_router_info_request
msf auxiliary(sap_router_info_request) > set RHOSTS 1.2.3.101
msf auxiliary(sap_router_info_request) > run
```

**Enumerating Internal Services**

With the internal network details obtained, the **sap_router_portscanner** module is used to probe internal hosts and services through the SAProuter, allowing a deeper understanding of internal networks and service configurations.

```text
msf auxiliary(sap_router_portscanner) > set INSTANCES 00-50
msf auxiliary(sap_router_portscanner) > set PORTS 32NN
```

This module's flexibility in targeting specific SAP instances and ports makes it an effective tool for detailed internal network exploration.

**Advanced Enumeration and ACL Mapping**

Further scanning can reveal how Access Control Lists (ACLs) are configured on the SAProuter, detailing which connections are allowed or blocked. This information is pivotal in understanding security policies and potential vulnerabilities.

```text
msf auxiliary(sap_router_portscanner) > set MODE TCP
msf auxiliary(sap_router_portscanner) > set PORTS 80,32NN
```
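As an added example (not from the HackTricks page or the Rapid7 post), the following Python script audits a constructed SAProuter route permission table (`saprouttab`) the way SAProuter evaluates it (top-down, first matching entry decides, refuse when nothing matches), expands the `32NN` / `00-50` instance notation used above into concrete ports, and reports which instance ports a wildcard entry would leave reachable from an external address. The table contents, the external address 203.0.113.5 and the internal host 192.168.1.18 are constructed values; port ranges in rules are not handled.

```python
import fnmatch

# Constructed saprouttab for the example (not taken from the page or any real system).
# Format per entry: <P|D|S> <source-host> <dest-host> <dest-port>; first match wins.
SAPROUTTAB = """\
D *        192.168.1.18 3300   # nobody reaches the gateway port directly
P 10.8.0.* 192.168.1.18 3200   # partner network may reach the instance 00 dialog port
P *        *            *      # catch-all: any source to any host/port (the weak entry)
"""

def parse_saprouttab(text):
    """Return (action, src, dst, port) tuples in file order; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("P", "D", "S", "KP", "KD", "KS"):
            raise ValueError(f"unrecognised saprouttab line: {raw!r}")
        rules.append(tuple(fields[:4]))
    return rules

def _match(pattern, value):
    # Only '*' wildcards (e.g. 10.8.0.*), the common case; port ranges are not handled.
    return fnmatch.fnmatchcase(str(value), pattern)

def decide(rules, src, dst, port):
    """Walk the table top-down; the first matching entry decides, no match means refuse."""
    for idx, (action, s, d, p) in enumerate(rules):
        if _match(s, src) and _match(d, dst) and _match(p, port):
            return action, idx
    return "D", None

def expand_instance_ports(port_pattern, instances):
    """'32NN' with '00-50' -> [3200, ..., 3250], mirroring the PORTS/INSTANCES options above."""
    lo, hi = (int(x) for x in instances.split("-"))
    return [int(port_pattern.replace("NN", f"{n:02d}")) for n in range(lo, hi + 1)]

def audit_exposure(rules, external_src, internal_host, ports):
    """Map each port an external source may reach on internal_host to the index of the
    entry that allows it. S/KS entries permit SNC-protected connections only but still
    count as reachable here."""
    exposed = {}
    for port in ports:
        action, idx = decide(rules, external_src, internal_host, port)
        if action in ("P", "KP", "S", "KS"):
            exposed[port] = idx
    return exposed
```

Running `audit_exposure(parse_saprouttab(SAPROUTTAB), "203.0.113.5", "192.168.1.18", expand_instance_ports("32NN", "00-50"))` shows all 51 dialog ports reachable, every one decided by the catch-all entry at index 2, which is exactly the kind of rule the ACL mapping step above would surface.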

**Blind Enumeration of Internal Hosts**

In scenarios where direct information from the SAProuter is limited, techniques like blind enumeration can be applied. This approach attempts to guess and verify the existence of internal hostnames, revealing potential targets without knowing their IP addresses.

**Leveraging Information for Penetration Testing**

Having mapped the network and identified accessible services, penetration testers can utilize Metasploit's proxy capabilities to pivot through the SAProuter for further exploration and exploitation of internal SAP services.

```text
msf auxiliary(sap_hostctrl_getcomputersystem) > set Proxies sapni:1.2.3.101:3299
msf auxiliary(sap_hostctrl_getcomputersystem) > set RHOSTS 192.168.1.18
msf auxiliary(sap_hostctrl_getcomputersystem) > run
```

**Conclusion**

This approach underscores the importance of secure SAProuter configurations and highlights the potential for accessing internal networks through targeted penetration testing. Properly securing SAP routers and understanding their role in network security architecture is crucial for protecting against unauthorized access.

For more detailed information on Metasploit modules and their usage, visit [Rapid7's database](http://www.rapid7.com/db).

## **References**

* [https://www.rapid7.com/blog/post/2014/01/09/piercing-saprouter-with-metasploit/](https://www.rapid7.com/blog/post/2014/01/09/piercing-saprouter-with-metasploit/)

## Shodan

* `port:3299 !HTTP Network packet too big`