Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark
This Wireshark plugin provides dissection of SAP's NI, Message Server, Router, Diag, Enqueue, IGS, SNC and HDB protocols.
https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark
Last synced: 25 days ago
JSON representation
This Wireshark plugin provides dissection of SAP's NI, Message Server, Router, Diag, Enqueue, IGS, SNC and HDB protocols.
- Host: GitHub
- URL: https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark
- Owner: SecureAuthCorp
- License: gpl-2.0
- Created: 2014-03-26T15:38:58.000Z (over 10 years ago)
- Default Branch: master
- Last Pushed: 2022-11-11T03:26:50.000Z (about 2 years ago)
- Last Synced: 2024-08-03T17:11:04.498Z (4 months ago)
- Language: C
- Homepage: https://www.secureauth.com/labs/open-source-tools/sap-dissection-plug-in-for-wireshark/
- Size: 1.53 MB
- Stars: 107
- Watchers: 24
- Forks: 38
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Changelog: ChangeLog.md
- License: COPYING
- Security: SECURITY.md
Awesome Lists containing this project
- awesome-network-stuff - **55**星
README
SAP Dissector Plugin for Wireshark
==================================
:warning: This project is currently archived
:information_source: The code was contributed by SecureAuth to the [main Wireshark project](https://www.wireshark.org/). Further
development of the SAP protocols dissectors can be followed in [Wireshark' Gitlab repository](https://gitlab.com/wireshark/wireshark/).
---
[](https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/actions?query=workflow%3A%22Build+and+test+Ubuntu+plug-in%22)
[](https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/actions?query=workflow%3A%22Build+and+test+MacOS+plug-in%22)
[](https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/actions?query=workflow%3A%22Build+and+test+Windows+plug-in%22)
SECUREAUTH LABS. Copyright (C) 2022 SecureAuth Corporation. All rights reserved.
Version 0.10.1.dev0 (XXX 2022)
Overview
--------
[SAP Netweaver](https://www.sap.com/platform/netweaver/index.epx) and
[SAP HANA](https://www.sap.com/products/hana.html) are technology platforms for
building and integrating SAP business applications. Communication between components
uses different network protocols. While some of them are standard and well-known
protocols, others are proprietaries and public information is not available.
This [Wireshark](https://www.wireshark.org/) plugin provides dissection
of SAP's NI, Message Server, Router, Diag, Enqueue, IGS, SNC and HDB protocols.
The dissectors are based on information acquired at researching the different
protocols and services. Additional experimental support is included for SAP's
RFC protocol. Detailed information about the research can be found in
[pysap's documentation](https://pysap.readthedocs.io/en/latest/user/index.html#references).
Features
--------
This plugin counts on several dissectors:
- SAP NI Protocol dissector
This is the dissector for SAP's Network Interface (NI) protocol. The
dissector handles reassembling of fragmented TCP packets and identifies
keep-alive messages (`PING`/`PONG`). It also calls the respective
sub-dissector according to the port being used.
- SAP Router Protocol dissector
This dissector includes support for the SAP Router protocol, handling route,
control messages and error information packets. The dissector also calls
the SNC sub-dissector when SNC frames are found.
- SAP Diag Protocol dissector
The main dissector of the plugin. It dissects the main headers used by the
Diag protocol: DP, Diag and Compression headers. The dissector also handles
decompression of the payload data and includes dissection of relevant Diag
payload items, including Support Bits and common `APPL`/`APPL4` items.
Wireshark's expert information capabilities are used to remark malformed or
wrong packets. The dissector also calls the RFC sub-dissector when an
embedded RFC call is found, and the SNC sub-dissector when SNC frames are
found.
- SAP Message Server Protocol dissector
This module dissects the packets used by SAP's Message Server Protocol in
its binary non-HTTP format, for both internal and external ports.
- SAP Enqueue Protocol dissector
This module dissects packets used by SAP's Standalone Enqueue and
Replication Servers.
- SAP SNC (Secure Network Connection) Protocol dissector
This dissector parses SNC frames and their fields. When the frames contain
wrapped data that wasn't encrypted, it allows calling dissectors to get
access to the unwrapped data for further dissecting it, as the case of Diag
dissector when SNC is used in authentication only or integrity protection
quality of protection levels.
- SAP IGS (Internet Graphic Server) Protocol dissector
This dissector parses packets used by SAP's IGS services.
- SAP HDB (HANA SQL Command Network) Protocol dissector
This dissector parses HANA SQL Command Network Protocol packets. It supports
HDB over TLS with the form of a "Decode as" dissector. The main Part Kind
formats used during the authentication and initialization of the connections
are supported, but others are still missing. Decompression of compressed
packets is not yet supported.
- SAP RFC (Remote Function Call) Protocol dissector (experimental)
This dissector performs some basic dissection on the main components of the
RFC protocol. It dissects general items and does some basic reassembling
and decompression of table contents.
Installation & Build
--------------------
This Wireshark plugin is not distributed as part of the Wireshark source. It
can be built as a standalone plugin, or as part of Wireshark, and is compatible
with version 3.6.
A comprehensive guide of how to compile and install the dissector in Ubuntu and
macOS has been published as a [blog post in SAP's community](https://blogs.sap.com/2022/06/12/wireshark-with-sap-dissectors-for-ubuntu-and-macos/).
A more brief guide is provided below.
### Installing on Linux ###
#### As a standalone plugin ####
To build and install the plugin on Debian/Ubuntu linux distributions:
sudo add-apt-repository ppa:wireshark-dev/stable -y
sudo apt-get update
sudo apt-get install wireshark wireshark-dev
git clone https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/
cd SAP-Dissection-plug-in-for-Wireshark/
mkdir build
cd build
cmake ..
make
make install
#### As part of Wireshark ####
The following steps are required to build and install the plugin as part of Wireshark:
1) Download and decompress the [Wireshark version 3.6 source](https://www.wireshark.org/download.html)
or checkout the code from the [source repository](https://gitlab.com/wireshark/wireshark).
```
git clone https://gitlab.com/wireshark/wireshark
cd wireshark
git checkout release-3.6
```
2) Copy the SAP Wireshark Plugin to a new `plugins/epan/sap` directory.
```
git clone https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/ plugins/epan/sap
```
3) Configure the plugin to be included in the build process. This step can be
performed using the patch file provided. At the root directory run:
```
git apply plugins/epan/sap/wireshark-release-3.6.patch
```
4) Perform a new build including the plugin. At the root directory run:
```
mkdir -p build
cd build
cmake ..
make
sudo make install
```
#### Using Vagrant ####
[Vagrant](https://www.vagrantup.com/) is a Virtual Machine management software
that allows creating reproducible virtual machines. In order to make it easier
to compile and test the plugin, a pre-configured Vagrantfile is provided for
using it with Vagrant 1.8. The Vagrantfile provided with the plugin is configured
to use [VirtualBox](https://www.virtualbox.org/) and perform a build of the
plugin inside a Ubuntu 18.04 distribution.
Two machines are provided to build the plugin:
* `source`: for building the plugin as part of Wireshark.
* `standalone`: for building the plugin as a standalone plugin.
The following steps can be used to setup a Vagrant machine and build the plugin:
1) Install VirtualBox and Vagrant 1.8 or greater.
```
sudo apt-get install virtualbox vagrant
```
2) Inside the plugin's directory, launch the desired Vagrant machine, in this
case `standalone`:
```
vagrant up standalone
```
3) Login into the Vagrant machine and run Wireshark:
```
vagrant ssh standalone
wireshark
```
### Installing on Windows ###
Windows build can be only performed as part of the whole Wireshark. The
following steps are required to compile the plugin on Windows:
1) Follow the [step-to-step guide](https://www.wireshark.org/docs/wsdg_html_chunked/ChSetupWin32.html)
for building Wireshark on Windows.
2) Copy the SAP Wireshark Plugin to a new `plugins/epan/sap` directory.
3) Configure the plugin to be included in the build process. This step can be
performed using the patch file provided. At the root directory run:
```
git apply plugins/epan/sap/wireshark-release-3.6.patch
```
4) Perform a new build including the plugin.
### Installing on OSX ###
The build process for OSX is similar to the one for Linux systems. It was
reported that compiling Wireshark on OSX requires fixing link for the `gettext`
library if it was installed using `homebrew`.
### Penetration testing distribution and frameworks ###
The plugin is available for installation on several penetration testing
distributions and frameworks.
#### Installing on Pentoo ####
Installation on the [Pentoo](http://www.pentoo.ch/) livecd distribution:
emerge net-misc/wireshark-sap-plugin
#### Installing with The PenTesters Framework (PTF) ####
Installation on Debian, Ubuntu and ArchLinux can be performed using
[The PenTesters Framework (PTF)](https://github.com/trustedsec/ptf). From inside
the `ptf` command-line, run:
use modules/intelligence-gathering/sap-wireshark-plugin
install
### Using Docker ###
[jbelamor](https://github.com/jbelamor/) built a docker container for compiling and setting up the plugin. Check it out at
[docker_wireshark_sap_plugin](https://github.com/jbelamor/docker_wireshark_sap_plugin).
### Additional notes ###
It's worth mentioning that compression libraries for SAP Diag/RFC protocol are
originally written in C++, thus the entire plugin needs to be compiled for C++.
See [Wireshark's portability notes](https://gitlab.com/wireshark/wireshark/-/blob/release-3.6/doc/README.developer)
for more information.
Usage
-----
### Traffic dissection ###
After the plugin is installed, it will automatically dissect SAP protocols'
traffic if using default ports. If required, ports can be modified on SAP NI
protocol as well as sub-dissectors' preferences.
### SAP Diag Gui Logon Password filter ###
`DYNT_ATOM` items contains data entered into screen fields. The following
filter could be used for identifying packets containing fields marked as
"invisible" (fields that are masked in the SAP GUI screen) in search for
sensitive data. Early packets in a Diag session probably contains values for
user id and password fields.
sapdiag.item.value.dyntatom.item.attr.INVISIBLE == 1
The same results can be achieved also using expert info (security group):
sapdiag.item.value.dyntatom.item.password
License
-------
This Wireshark plugin is distributed under the GPLv2 license. Check the `COPYING`
file for more details.
Authors
-------
The library was designed and developed by Martin Gallo from [SecureAuth's Innovation
Labs](https://www.secureauth.com/labs/) team, with the help of many contributors.
### Contributors ###
Contributions made by:
* Joris van de Vis ([@jvis](https://twitter.com/jvis))
* Anton Bolshakov ([@blshkv](https://github.com/blshkv))
* Valeriy Gusev
* Daniel Berlin ([@daberlin](https://github.com/daberlin))
* Victor Portal Gonzalez
* Dave Hartley ([@nmonkee](https://twitter.com/nmonkee))
* Jean-Paul Roliers
* Dongha Shin
* Luca Di Stefano
* Alexis La Goutte ([@alagoutte](https://github.com/alagoutte))
* Yvan Genuer ([@iggy38](https://github.com/iggy38))
* Mathieu Geli ([@gelim](https://github.com/gelim))
* Dylan Drummond ([@dmurmelsson](https://github.com/murmelsson))
Disclaimer
----------
The spirit of this Open Source initiative is to help security researchers,
and the community, speed up research and educational activities related to
the implementation of networking protocols and stacks.
The information in this repository is for research and educational purposes
and not meant to be used in production environments and/or as part
of commercial products.
If you desire to use this code or some part of it for your own uses, we
recommend applying proper security development life cycle and secure coding
practices, as well as generate and track the respective indicators of
compromise according to your needs.
Contact Us
----------
Whether you want to report a bug, send a patch, or give some suggestions
on this package, drop us a few lines at [email protected].
For security-related questions check our [security policy](SECURITY.md).