SAP Platform Overview

Reference architecture and attack surface map for SAP environments. Use this as your starting point before any SAP pentest — know the stack, know the ports, know where things live.


Architecture at a Glance

SAP environments run on SAP NetWeaver, which ships as two stacks, ABAP and Java, each with an entirely different attack surface; a dual-stack install runs both:

Stack      | Language               | Main Attack Vector
-----------|------------------------|-------------------------------------------------
ABAP       | SAP proprietary (ABAP) | RFC, transaction codes, custom code injection
Java       | Java EE                | Web endpoints, deserialization, LM Config Wizard
Dual-stack | Both                   | Widest attack surface — both vectors apply

Key Components

[Internet / Intranet]
       |
[SAP Web Dispatcher / Reverse Proxy]  <- load balancer
       |
[ICM - Internet Communication Manager]  <- HTTP(S) handler
       |
[SAP NetWeaver AS]  <- application server
  |- ABAP stack (work processes, RFC gateway)
  +- Java stack (J2EE engine, AS Java)
       |
[SAP Gateway / RFC]  <- remote function calls
       |
[Database: HANA / Oracle / MSSQL / DB2]

Additional components you'll encounter:

  • SAP Message Server — load balancing and inter-server coordination, leaks system topology
  • SAPRouter — network-level proxy/firewall, often misconfigured
  • SAP Fiori / Gateway — modern web UI over REST/OData, separate auth logic
  • SAP Solution Manager (SolMan) — landscape management, monitors all connected systems

Default Ports

Scan these. Instance numbers (XX) default to 00 on most installs.

Port        | Service                  | Notes
------------|--------------------------|------------------------------------------------
3200 + XX   | SAP Dispatcher (DIAG)    | GUI client connections (saplogon)
3300 + XX   | SAP Gateway (RFC)        | Remote Function Call — high value target
3600 + XX   | SAP Message Server       | Leaks server list via /msgserver/text/logon
3900 + XX   | SAP Message Server HTTPS |
8000 + XX   | SAP ICM HTTP             | Web interface — check for exposed endpoints
44300 + XX  | SAP ICM HTTPS            |
50000       | SAP NetWeaver Java HTTP  | Java stack web access
50013       | SAP NetWeaver Java HTTPS |
50014       | SAP Admin Console        | Admin-only — high priority if reachable
3299        | SAPRouter                | Proxy/tunneling, port-forward to internal SAP
1128 / 1129 | SAP Host Agent           | Instance control
30015       | SAP HANA SQL             | Direct DB connections
8090        | SAP HANA Studio          | Web management
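Added example (not from the original cheat sheet): a small Python helper that turns the port table above into something you can run against your own scan output. It derives the instance-relative ports for any instance number (not just 00), builds the matching nmap -p argument, and maps a host's observed open ports back to SAP services and inferred instance numbers so exposed high-value services stand out. The open-port list at the bottom is constructed sample data, and the rule that fixed ports win over instance arithmetic on collisions (3299, 8090) is this example's assumption.

```python
"""SAP port derivation and exposure classification.

Added example, not part of the original cheat sheet. The port arithmetic
follows the Default Ports table above; the list of "open ports" at the
bottom is constructed sample data, not a real scan result.
"""

# Instance-relative services: base port + two-digit instance number (XX).
INSTANCE_RELATIVE = {
    3200: "SAP Dispatcher (DIAG)",
    3300: "SAP Gateway (RFC)",
    3600: "SAP Message Server",
    3900: "SAP Message Server HTTPS",
    8000: "SAP ICM HTTP",
    44300: "SAP ICM HTTPS",
}

# Fixed ports from the table. These win over instance arithmetic when they
# collide (3299 is SAPRouter, not the instance-99 dispatcher; 8090 is HANA
# Studio, not instance-90 ICM), which is an assumption of this example.
FIXED = {
    50000: "SAP NetWeaver Java HTTP",
    50013: "SAP NetWeaver Java HTTPS",
    50014: "SAP Admin Console",
    3299: "SAPRouter",
    1128: "SAP Host Agent",
    1129: "SAP Host Agent",
    30015: "SAP HANA SQL",
    8090: "SAP HANA Studio",
}

# Services the table marks as high value / high priority if reachable.
HIGH_PRIORITY = {"SAP Gateway (RFC)", "SAP Admin Console", "SAPRouter", "SAP HANA SQL"}


def sap_ports(instance):
    """Return {port: service} for one instance number (00-99) plus the fixed ports."""
    if not 0 <= instance <= 99:
        raise ValueError("SAP instance numbers are two digits (00-99)")
    ports = {base + instance: name for base, name in INSTANCE_RELATIVE.items()}
    ports.update(FIXED)
    return ports


def nmap_port_arg(instances):
    """Comma-separated -p argument covering every listed instance number."""
    ports = set()
    for inst in instances:
        ports.update(sap_ports(inst))
    return ",".join(str(p) for p in sorted(ports))


def classify_open_ports(open_ports, known_instances=range(100)):
    """Map observed open ports to SAP services and infer the instance number.

    Returns (findings, unknown): findings is a sorted list of
    (port, service, instance_or_None, high_priority); unknown holds
    ports that match no SAP service in the table.
    """
    findings, unknown = [], []
    for port in sorted(set(open_ports)):
        if port in FIXED:
            name = FIXED[port]
            findings.append((port, name, None, name in HIGH_PRIORITY))
            continue
        for base, name in INSTANCE_RELATIVE.items():
            inst = port - base
            if 0 <= inst <= 99 and inst in known_instances:
                findings.append((port, name, inst, name in HIGH_PRIORITY))
                break
        else:
            unknown.append(port)
    return findings, unknown


if __name__ == "__main__":
    print("nmap -sV -p", nmap_port_arg([0, 1]), "<target>")
    # Constructed sample: what a scan of one host might report as open.
    sample_open = [22, 3201, 3301, 8001, 3299, 50014, 5432]
    found, unknown = classify_open_ports(sample_open)
    for port, name, inst, prio in found:
        inst_txt = f"instance {inst:02d}" if inst is not None else "fixed"
        print(f"{port:>6}  {name:<28} {inst_txt:<12} {'HIGH PRIORITY' if prio else ''}")
    print("non-SAP / unmapped:", unknown)
```

Pass `known_instances` explicitly once you know which instance numbers exist on the host; with the default of 00-99 any port in the 32XX/33XX/36XX/39XX/80XX/443XX ranges is accepted, which is right for discovery but noisy on hosts that run other services in those ranges.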

Quick Nmap Scan

# Broad SAP service discovery
nmap -sV -p 3200-3299,3300-3399,3600-3699,8000-8099,44300-44399,50000-50014 <target>

# Targeted top-ports
nmap -sV -p 3200,3300,3600,8000,44300,50000,50013,3299,1128 <target>

# SAP NSE scripts
nmap --script 'sap-*' <target>    # quote the glob so the shell does not expand it
nmap -p 3300 --script sap-gateway <target>

Enumeration — What to Check First

1. Message Server Information Disclosure

# Pull server list — no auth required on default configs
curl http://<target>:3600/msgserver/text/logon

# Returns: system ID, hostname, instance number, server addresses

2. ICM Web Endpoints

# ABAP stack — key paths to probe
curl http://<target>:8000/sap/bc/ping
curl http://<target>:8000/sap/bc/soap/rfc/
curl http://<target>:8000/sap/public/info
curl http://<target>:8000/sap/bc/webdynpro/sap/

# Java stack — key paths to probe
curl http://<target>:50000/irj/portal
curl http://<target>:50000/webdynpro/dispatcher/
curl http://<target>:50000/developmentserver/    # LM Config Wizard (CVE-2020-6287 check)
curl http://<target>:50000/ctc/                  # Config Wizard check

3. Metasploit Scanner Modules

# Discover SAP services
msf > use auxiliary/scanner/sap/sap_service_discovery
msf > set RHOSTS <target_range>
msf > run

# Check ICM endpoints
msf > use auxiliary/scanner/sap/sap_icm_urlscan
msf > set RHOSTS <target>
msf > run

# Enumerate SAP router
msf > use auxiliary/scanner/sap/sap_router_info_request
msf > set RHOSTS <target>
msf > set RPORT 3299
msf > run
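Added example (not from the original cheat sheet): the same enumeration checklist seen from the blue-team side. The script below runs detection logic over constructed Apache-style access log lines and flags requests to the probe paths listed in steps 1-2, buckets them by what a hit means (the Config Wizard paths highest, SOAP/RFC and message-server logon next), and marks a source as an enumeration sweep once it touches several distinct probe paths. The log format, the severity buckets and the sample lines are this example's assumptions, not SAP's own ICM log format.

```python
"""Detection logic for the ICM / message-server probes listed above.

Added example, not part of the original cheat sheet. Input is assumed to be
Apache-style combined access log lines (constructed samples below); real
ICM logs would need a different parser but the same path matching.
"""
import re
from collections import defaultdict

# Probe paths from the enumeration checklist, bucketed by what a hit means.
PROBE_PATHS = {
    "/developmentserver/":    ("high",   "LM Config Wizard (CVE-2020-6287 check)"),
    "/ctc/":                  ("high",   "Config Wizard check"),
    "/sap/bc/soap/rfc/":      ("medium", "SOAP-to-RFC bridge"),
    "/msgserver/text/logon":  ("medium", "Message server topology disclosure"),
    "/sap/public/info":       ("low",    "ABAP system info"),
    "/sap/bc/ping":           ("low",    "ICM liveness probe"),
    "/sap/bc/webdynpro/sap/": ("low",    "WebDynpro ABAP"),
    "/irj/portal":            ("low",    "Java portal"),
    "/webdynpro/dispatcher/": ("low",    "WebDynpro Java"),
}
RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # match on the path, not the query
    return rec


def classify_path(path):
    """Return (severity, description) for a listed probe path, else None."""
    for prefix, hit in PROBE_PATHS.items():
        if path.startswith(prefix) or path == prefix.rstrip("/"):
            return hit
    return None


def analyse(lines, sweep_threshold=3):
    """Group probe hits per source; a sweep is >= sweep_threshold distinct probe paths."""
    per_src = defaultdict(lambda: {"hits": [], "paths": set(), "severity": "none", "sweep": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify_path(rec["path"])
        if hit is None:
            continue
        sev, desc = hit
        entry = per_src[rec["src"]]
        entry["hits"].append((rec["path"], rec["status"], sev, desc))
        entry["paths"].add(rec["path"])
        if RANK[sev] > RANK[entry["severity"]]:
            entry["severity"] = sev
    for entry in per_src.values():
        entry["sweep"] = len(entry["paths"]) >= sweep_threshold
    return dict(per_src)


# Constructed sample log: one source walking the checklist, one normal user.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /sap/bc/ping HTTP/1.1" 200 12 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /sap/public/info HTTP/1.1" 200 541 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /developmentserver/ HTTP/1.1" 404 0 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "GET /ctc/ HTTP/1.1" 401 0 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Oct/2023:14:02:11 +0000] "GET /irj/portal HTTP/1.1" 200 9871 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:14:02:30 +0000] "GET /sap/bc/ui5_ui5/sap/zapp/index.html HTTP/1.1" 200 3020 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for src, entry in analyse(SAMPLE_LOG).items():
        flag = " SWEEP" if entry["sweep"] else ""
        print(f"{src}: severity={entry['severity']}{flag}")
        for path, status, sev, desc in entry["hits"]:
            print(f"    {status} {path:<28} [{sev}] {desc}")
```

Note that a 404 or 401 on /developmentserver/ or /ctc/ is still worth an alert: the response code tells you whether the wizard is reachable, but the request itself tells you someone is checking.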

Technology Stack Reference

Authentication Methods

Method                     | Where Used                 | Notes
---------------------------|----------------------------|-------------------------------------
ABAP logon                 | SAP GUI, transactions      | Username/password, SSO possible
SAML 2.0                   | Fiori, Java portal         | Federated identity
OAuth 2.0                  | Fiori/Gateway APIs         | Token-based
SNC (Secure Network Comm.) | RFC, DIAG                  | Kerberos/X.509 — misconfig possible
X.509 client cert          | ICM HTTPS                  |
Anonymous/no auth          | Legacy RFC endpoints, SOAP | Common misconfig — always check

Execution Environments

Context       | Language                 | Pentest Relevance
--------------|--------------------------|------------------------------------------------------------
ABAP stack    | ABAP                     | Custom code vulns, OS commands via CALL 'SYSTEM' on Windows
Java stack    | Java EE                  | Deserialization, JNDI injection, classpath manipulation
Fiori/Gateway | JavaScript (UI5) + OData | XSS in custom apps, auth bypass via OData filter
Database      | SQL                      | SQL injection in custom ABAP, direct HANA SQL access

Attack Surface Summary

Surface              | Key Techniques                          | Primary Issues
---------------------|-----------------------------------------|--------------------------
LM Config Wizard     | Unauthenticated admin user creation     | CVE-2020-6287 (RECON)
ICM / Web Dispatcher | HTTP request smuggling, session theft   | CVE-2022-22536 (ICMAD)
Solution Manager EEM | Unauthenticated OS command execution    | CVE-2020-6207
RFC Gateway          | Unauthorized RFC calls, data extraction | RFC_READ_TABLE, RFCEXEC
SAPRouter            | Tunnel to internal SAP systems          | Port 3299 misconfig
Fiori / OData        | Auth bypass, data exfiltration          | WebGUI frontend bypass
Custom ABAP code     | SQL injection, privilege escalation     | S_DEVELOP, SE38/SA38
SAP HANA             | Direct DB access, missing auth          | Default creds, HANA CVEs

Deployment Types

On-Premises

  • Manual patching — often months/years behind SAP Security Notes
  • Direct network access if segmentation is weak
  • Legacy configurations: default credentials, SNC without encryption

Cloud / SAP BTP

  • Auto-patched — fewer unpatched CVEs, but misconfigurations still occur
  • Attack surface shifts to API keys, OAuth token theft, SSRF via integrations

Hybrid

  • On-prem ABAP stack + cloud Fiori frontend
  • Internal RFC gateway may be reachable through cloud-to-ground integration
  • Test both cloud-facing and internal-facing endpoints

Version Identification

# Pull version from ICM response headers
curl -I http://<target>:8000/sap/bc/ping
# Look for: server: SAP NetWeaver Application Server / ...

# From RFC (authenticated)
msf > use auxiliary/scanner/sap/sap_rfc_system_info
msf > set RHOSTS <target>
msf > set RPORT 3300
msf > set CLIENT 000
msf > set USERNAME <user>
msf > set PASSWORD <pass>
msf > run

Versions to prioritize:

  • SAP NetWeaver Java 7.30–7.50 — CVE-2020-6287 (RECON) range
  • SAP NetWeaver AS ABAP/Java + Web Dispatcher — CVE-2022-22536 (ICMAD) range
  • SAP Solution Manager 7.2 — CVE-2020-6207
  • Any system without current SAP Security Notes applied — check redrays.io scanner
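Added example (not from the original cheat sheet): turning the `server:` header from `curl -I` and the priority list above into a repeatable triage step for an asset inventory. The parser accepts both the `750` and the `7.50` release styles, and the range check flags Java 7.30-7.50 as the RECON range while listing ICMAD as a patch-state check for every ABAP/Java ICM, since the page gives no release window for it. The header strings are constructed samples in the `SAP NetWeaver Application Server / <stack> <release>` shape the page describes, not captured from a real system, and the acceptance of `AS Java` as a stack label is this example's assumption.

```python
"""Triage of the ICM 'server:' header against the versions to prioritize.

Added example, not part of the original cheat sheet. Header values below are
constructed samples; the product-to-CVE ranges are copied from the list above.
"""
import re

HEADER_RE = re.compile(
    r"SAP NetWeaver Application Server\s*/\s*(?P<stack>ABAP|AS Java|Java)\s+(?P<rel>\d+(?:\.\d+)?)",
    re.IGNORECASE,
)

# From 'Versions to prioritize': (stack, inclusive low, inclusive high, what to verify).
PRIORITY_RANGES = [
    ("JAVA", (7, 30), (7, 50), "CVE-2020-6287 (RECON) range - verify LM Config Wizard patch state"),
]

# ICMAD is listed for ABAP/Java + Web Dispatcher without a release window,
# so it is a patch-state check on every ICM rather than a version comparison.
ALWAYS_CHECK = {
    "ABAP": ["CVE-2022-22536 (ICMAD) - confirm ICM / Web Dispatcher patched"],
    "JAVA": ["CVE-2022-22536 (ICMAD) - confirm ICM / Web Dispatcher patched"],
}


def parse_server_header(value):
    """Return (stack, (major, minor)) or None. Accepts '750' and '7.50' styles."""
    m = HEADER_RE.search(value)
    if not m:
        return None
    stack = m.group("stack").upper().replace("AS ", "")   # 'AS JAVA' -> 'JAVA'
    rel = m.group("rel")
    if "." in rel:
        major, minor = rel.split(".", 1)
    else:                                   # '750' -> 7.50, '731' -> 7.31
        major, minor = rel[0], rel[1:]
    return stack, (int(major), int(minor.ljust(2, "0")[:2]))


def triage(header_value):
    """Map one server header to the checks the priority list calls for."""
    parsed = parse_server_header(header_value)
    if parsed is None:
        return {"stack": None, "release": None,
                "actions": ["unrecognised server header - fingerprint by other means"]}
    stack, rel = parsed
    actions = list(ALWAYS_CHECK.get(stack, []))
    for product, lo, hi, note in PRIORITY_RANGES:
        if product == stack and lo <= rel <= hi:
            actions.append(note)
    return {"stack": stack, "release": rel, "actions": actions}


if __name__ == "__main__":
    # Constructed header values, one per host in a hypothetical inventory.
    inventory = {
        "erp-prd-01": "SAP NetWeaver Application Server / ABAP 750",
        "portal-01":  "SAP NetWeaver Application Server / Java 7.31",
        "web-01":     "nginx/1.18.0",
    }
    for host, header in inventory.items():
        result = triage(header)
        print(f"{host}: stack={result['stack']} release={result['release']}")
        for action in result["actions"]:
            print(f"    - {action}")
```

Treat the header as a hint only: a Web Dispatcher in front of the system can rewrite or strip it, so an unrecognised or missing header means "fingerprint another way", not "not SAP".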