workshop reverse engineering the sap r 3 client protocol
play

Workshop: Reverse Engineering the SAP R/3 Client Protocol Nils - PowerPoint PPT Presentation

Nov 18, 2022 •414 likes •620 views

21C3, Berlin Berlin 27 December 2004 27 December 2004 Workshop: Reverse Engineering the SAP R/3 Client Protocol Nils Magnus Jochen Kellner 21C3 Chaos Communication Congress Berlin, Germany December 27 29, 2004 Nils Magnus, Jochen

  1. 21C3, Berlin Berlin 27 December 2004 27 December 2004 Workshop: Reverse Engineering the SAP R/3 Client Protocol Nils Magnus Jochen Kellner 21C3 Chaos Communication Congress Berlin, Germany December 27 � 29, 2004 Nils Magnus, Jochen Kellner: Reverse Engineering the SAP R/3 Client Protocol

  2. 21C3, Berlin 27 December 2004 Agenda � Overview of the SAP R/3 architecture (from a networker’s point of view) � Problem of undocumented client protocol � Current findings � Workshop: reverse protocol details Nils Magnus, Jochen Kellner: Reverse Engineering the SAP R/3 Client Protocol

  3. 21C3, Berlin 27 December 2004 Agenda � Why SAP R/3 should bother all of us � Overview of the SAP architecture (from a networker’s point of view) � Problem of undocumented client protocol � Current findings � Workshop: reverse protocol details Nils Magnus, Jochen Kellner: Reverse Engineering the SAP R/3 Client Protocol

  4. 21C3, Berlin 27 December 2004 The SAP R/3 universe � First of all: SAP is huge and confusing � Sometimes difficult to understand SAP people or documentation � SAP makes a great deal of naming everything differently (DIAG, RFC, � SAP- routers� , ...) � The main achievment seems to be scalability Nils Magnus, Jochen Kellner: Reverse Engineering the SAP R/3 Client Protocol

  5. 21C3, Berlin 27 December 2004 Simple SAP R/3 setup � Old fashioned three tier database application Application Client Database Server SAPgui, About half a dozen listeners Database, often Oracle Java Application and scheduler; application logic or MaxDB – Runs on a number of platforms – Supports mainframes, Linux and even Windows – Encapsulates most of the platform Nils Magnus, Jochen Kellner: Reverse Engineering the SAP R/3 Client Protocol

  6. 21C3, Berlin 27 December 2004 Complex SAP R/3 setup � Old fashioned three tier database application SAP Application router Up to several Server Database 1000 clients Application Webclients Server Database Batchjobs Application Replication, Server batch jobs About half a dozen listeners Misnomer, and scheduler; application logic is a proxy Nils Magnus, Jochen Kellner: Reverse Engineering the SAP R/3 Client Protocol

  7. 21C3, Berlin Access to 27 December 2004 host systems Attacks on SAP unencrypted Access to protocols Unhardened host system systems SAP Application router Up to several Server Database 1000 clients Malware, Application keyloggers Webclients Server Database Batchjobs Application Buffer overflows Server (see FX’s on 20C3) Clear text Clear text passwords Default Bad SAP passwords in batchjobs configuration access control Nils Magnus, Jochen Kellner: Reverse Engineering the SAP R/3 Client Protocol

  8. 21C3, Berlin 27 December 2004 Attacks on SAP installations � Most SAP experts focus solely on application layer issues – User priviledges, access control � System administrators don’t touch SAP � Bad protection on OS level � Important: That’s not necessarily SAP’s fault � But: What do they do to help it? Nils Magnus, Jochen Kellner: Reverse Engineering the SAP R/3 Client Protocol

  9. 21C3, Berlin 27 December 2004 Security provided by SAP � A lot of documentation – Often incomprehensible for networkers � A number of documented APIs – Plug-in encryption – Access control � A set of recommendations – Often not obeyed to by op staff Nils Magnus, Jochen Kellner: Reverse Engineering the SAP R/3 Client Protocol

  10. 21C3, Berlin 27 December 2004 How to implement security � Allocate lots of time � Understand the system and the language � Harden every server � Place firewalls � Encrypt data transmission Nils Magnus, Jochen Kellner: Reverse Engineering the SAP R/3 Client Protocol

  11. 21C3, Berlin 27 December 2004 SAP client protocol � Most attacks are commodity attacks that apply to every system � Vulnerabilites to application server have been addressed by FX � Client protocol between sapGUIs and application servers is often unprotected � Once claimed � encrypted� , now officially � disguised� Nils Magnus, Jochen Kellner: Reverse Engineering the SAP R/3 Client Protocol

  12. 21C3, Berlin 27 December 2004 Client protocol details � Protocol internally called � DIAG� – (not to be confused with the RFC protocol of the same name!) � Full specifications available only with NDA � Stream based network connections – TCP, but potentially over several other protocols, too � Some details are available within the SAP help Nils Magnus, Jochen Kellner: Reverse Engineering the SAP R/3 Client Protocol

  13. 21C3, Berlin 27 December 2004 More details � TCP/3200 + x where x is the � instance identifier� � C/S-based protocol, exchanging blobs – 10 Request to AS – 20 Response with form data and result data – 30 New data and new requests – 40 GOTO 20 Nils Magnus, Jochen Kellner: Reverse Engineering the SAP R/3 Client Protocol

  14. 21C3, Berlin 27 December 2004 Scanner result # nmap (V. 3.00) scan initiated as: nmap -sT -v -p3200-3900 -o nmap-tcp:03.txt 10.36.14.144 Interesting ports on (10.36.14.144): (The 694 ports scanned but not shown below are in state: closed) Port State Service 3200/tcp open unknown 3300/tcp open unknown 3600/tcp open unknown 3773/tcp open unknown 3777/tcp open unknown 3786/tcp open unknown 3900/tcp open udt_os # Nmap run completed -- 1 IP address (1 host up) scanned in 22 seconds Nils Magnus, Jochen Kellner: Reverse Engineering the SAP R/3 Client Protocol

  15. 21C3, Berlin 27 December 2004 Trace (client side) Nils Magnus, Jochen Kellner: Reverse Engineering the SAP R/3 Client Protocol

  16. 21C3, Berlin 27 December 2004 Block transmission � First 4 octetts are block length � A number of similiar starting octetts � Scrambled data payload � Starts with 0x1f 0x9d � From /etc/magic: # standard unix compress 0 string \037\235 compress’d data >2 byte&0x80 >0 block compressed >2 byte&0x1f x %d bits Nils Magnus, Jochen Kellner: Reverse Engineering the SAP R/3 Client Protocol

  17. 21C3, Berlin 27 December 2004 Compressed data payload � Looks like the LZC algorithm � Also used in old-fashioned compress (1) � Strings � LZ.*� can be found in sapGUI binary � Just extracting the payload and using uncompres does not work � Bit-length field is wrong Nils Magnus, Jochen Kellner: Reverse Engineering the SAP R/3 Client Protocol

  18. 21C3, Berlin 27 December 2004 LinuxTag � Leading Free Software and Linux event � Talks and exhibition � Karlsruhe, Germany: June 22 � 25, 2005 � Call for Papers still open until January 15: http://www.linuxtag.org/ Nils Magnus, Jochen Kellner: Reverse Engineering the SAP R/3 Client Protocol

  19. 21C3, Berlin 27 December 2004 Contact Nils Magnus Program Chair, LinuxTag e. V. University of Kaiserslautern 67653 Kaiserslautern T +49-631-310-9371 magnus@linuxtag.org Nils Magnus, Jochen Kellner: Reverse Engineering the SAP R/3 Client Protocol

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dont Hold My Data Hostage A Case For Client Protocol Redesign What is a Client Protocol

Dont Hold My Data Hostage A Case For Client Protocol Redesign What is a Client Protocol

Mark Raasveldt, Hannes Mhleisen Dont Hold My Data Hostage A Case For Client Protocol Redesign What is a Client Protocol anyway? Every database that supports remote clients has a client protocol Using this protocol, clients can query

152 views • 14 slides
17 th Workshop on Software Engineering Education and Reverse Engineering Primosten, Croatia

17 th Workshop on Software Engineering Education and Reverse Engineering Primosten, Croatia

17 th Workshop on Software Engineering Education and Reverse Engineering Primosten, Croatia September 2018 "A proposed model for peer assessment in t he digit al age: Leveraging social media plat forms" | 17t h Workshop on

248 views • 13 slides
Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering

Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering

Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering autom ated reverse engineering Erik Poll Erik Poll Radboud University Nijmegen Testing Ingredients T ti I di t Two things are needed to test

865 views • 53 slides
Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a product, understand how it works Usually limited to certain aspects, not full systems Need to know a little bit about a lot of topics to gain

636 views • 11 slides
What Have We Learned from Reverse-Engineering the Internets Inter-domain Routing Protocol?

What Have We Learned from Reverse-Engineering the Internets Inter-domain Routing Protocol?

What Have We Learned from Reverse-Engineering the Internets Inter-domain Routing Protocol? Timothy G. Griffin Computer Laboratory University of Cambridge, UK timothy.griffin@cl.cam.ac.uk Advanced Networks Colloquium ECE University of

890 views • 30 slides
Reverse-engineering CAN bus messages using OBD-II and correlation coefficients Bram

Reverse-engineering CAN bus messages using OBD-II and correlation coefficients Bram

Reverse-engineering CAN bus messages using OBD-II and correlation coefficients Bram Blaauwendraad & Vincent Kieberl Supervisors: Ruben Koeze & Sander Ubink, KPMG What is OBD-II? On-Board Diagnostics II High level protocol that

419 views • 23 slides
Understanding human speech recognition: Reverse-engineering the engineering solution using

Understanding human speech recognition: Reverse-engineering the engineering solution using

Cai Wingfield CSLB, Department of Psychology Workshop on Neurocomputation: From Brains to Machines University of Cambridge 25 November 2015 Understanding human speech recognition: Reverse-engineering the engineering solution using EMEG

196 views • 18 slides
Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work with: Li J W Li, J. Wang, Pongsajapan, Tan, Tang, M. Wang P j T T M W Outline Background Layering as optimization decomposition L

932 views • 47 slides
Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team eresi@asgardlabs.org This presentation is about .. The Embedded ERESI debugger : e2dbg The Embedded ERESI tracer : etrace The ERESI reverse

849 views • 47 slides
CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom Austin San Jos State University SRE Software Reverse Engineering Also known as Reverse Code Engineering (RCE) Or simply reversing

1.04k views • 80 slides
LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me

LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me

LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me PhD student at Hasselt University since 2014 Since 2016 on FWO SBO research grant Researching wireless security Protocol security,

803 views • 57 slides
Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The Chinese University of Hong Kong Joint work with J.-W. Lee, A. Tang, M. Chiang and A. R. Canderbank J. Huang (CUHK) Reverse Engineering MAC Nov.

605 views • 38 slides
Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at the last 20 years of RE and looking ahead at the next few SSTIC 2018 -- Thomas Dullien (Halvar Flake) Progress in Reverse Engineering 2010

941 views • 64 slides
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin SnT, University of Luxembourg April 25, 2017 PhD Defence Introduction On S-Box Reverse-Engineering On Lightweight Cryptography Conclusion

1.76k views • 137 slides
Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs http://kirils.org for more Possible Security Reverse engineering? www.indiamart.com Contents Hardware architecture Processors and machine language

536 views • 25 slides
CS314 Software Engineering Responsive Clients Dave Matthews Solution Technology Client

CS314 Software Engineering Responsive Clients Dave Matthews Solution Technology Client

9/12/18 CS314 Software Engineering Responsive Clients Dave Matthews Solution Technology Client Protocol Server ReactJS HTTP Java Spark Bootstrap JSON Gson ReactStrap TFFI JavaScript HTML CSS 1

162 views • 4 slides
Analytics Everywhere Updated for 2010 About Fortune 500 Consumer Goods It is a global

Analytics Everywhere Updated for 2010 About Fortune 500 Consumer Goods It is a global

Analytics Everywhere Updated for 2010 About Fortune 500 Consumer Goods It is a global marketer of consumer and commercial products that touch the lives of people where they work, live and play. Headquartered in a large Southeastern

279 views • 25 slides
Managing Non-Volatile Memory in Database Systems -- Originally presented at SIGMOD 2018

Managing Non-Volatile Memory in Database Systems -- Originally presented at SIGMOD 2018

Managing Non-Volatile Memory in Database Systems -- Originally presented at SIGMOD 2018 Alexander van Renen, Viktor Leis, Alfons Kemper, Thomas Neumann Takushi Hashida, Kazuichi Oe, Yoshiyasu Doi, Lilian Harada, Mitsuru Sato Terminology,

910 views • 24 slides
Se lf-Se rvic e Da ta Ma na g e me nt fo r Ana lytic s Use rs a c ro ss the E nte rprise

Se lf-Se rvic e Da ta Ma na g e me nt fo r Ana lytic s Use rs a c ro ss the E nte rprise

Se lf-Se rvic e Da ta Ma na g e me nt fo r Ana lytic s Use rs a c ro ss the E nte rprise Unle a shing the Po te ntia l o f Gre a t Co mpa nie s Busine ss Solutions Pro ve n, inte g ra te d so lutio ns to de live r ra pid re turn-o

565 views • 21 slides
Enter The Sandbox: Developing Innovation Sandboxes for the Energy Sector PRESENTATION TITLE:

Enter The Sandbox: Developing Innovation Sandboxes for the Energy Sector PRESENTATION TITLE:

Enter The Sandbox: Developing Innovation Sandboxes for the Energy Sector PRESENTATION TITLE: RALEWAY BOLD ALL CAPS WHITE 18 Date: Raleway regular white 14 September 16, 2020 POLLUTION PROBE + Pollution Probe is Canadas oldest homegrown

778 views • 38 slides
UTM FIS Workshop Series Day 7 Basic CO Reporting, Reconciling & Reviewing Month End

UTM FIS Workshop Series Day 7 Basic CO Reporting, Reconciling & Reviewing Month End

UTM FIS Workshop Series Day 7 Basic CO Reporting, Reconciling & Reviewing Month End Statements Day 7 Workshop May Afternoon Morning Reconciliation: Overview of Controlling (CO) o Policies/Objectives Purpose of

893 views • 66 slides
(SAP) Marion Denantes Senior consultant Simplified Approval Process (SAP) P2 SAP approved

(SAP) Marion Denantes Senior consultant Simplified Approval Process (SAP) P2 SAP approved

GCF insight #11 GCF Simplified Approval Process (SAP) Marion Denantes Senior consultant Simplified Approval Process (SAP) P2 SAP approved by the GCF in 2017 as a recognition of the need for - Fast preparation, review, approval and

695 views • 12 slides
Anticipate customers payment issues and prioritize collection efforts With our Cloud based AI

Anticipate customers payment issues and prioritize collection efforts With our Cloud based AI

Anticipate customers payment issues and prioritize collection efforts With our Cloud based AI Predictive Risk Management unique solution Edouard Beauvois Co-Founder & CEO How to significantly reduce overdue amounts and avoid bad

505 views • 4 slides
Data Processing on the fast la lane Gustavo Alonso Systems Group Department of Computer Science

Data Processing on the fast la lane Gustavo Alonso Systems Group Department of Computer Science

Data Processing on the fast la lane Gustavo Alonso Systems Group Department of Computer Science ETH Zurich, Switzerland The team behind the work: Rene Mller (now at IBM Almaden) Louis Woods (now at Apcera) Jens Teubner (now

703 views • 31 slides

More recommend