SAP Pentest Playbook

SAP Dispatcher (Disp+Work)

Description

An SAP system has one dispatcher per instance. The dispatcher only handles communication with the frontends (e.g. SAP GUI) and dispatches the “work” to many work processes, which are connected to the database and process all the ABAP code. The protocol SAP GUI uses to connect to the SAP Dispatcher is called SAP DIAG. Unpatched or misconfigured installations can lead to full system compromise, up to unauthenticated remote code execution vulnerabilities. Besides vulnerabilities within the process binary, exposing the port can lead to brute-force or man-in-the-middle attacks. By default, access to the dispatcher via SAP DIAG does not require any encrypted communication; encryption has to be set up using SNC (Secure Network Communication). By default, SAP DIAG is compressed and not encrypted, which makes it easy to sniff and decompress traffic on the wire.
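Whether an instance still accepts unencrypted SAP GUI logons can be checked from the defender's side by reading its instance profile. The following Python code is an added example, not part of the playbook; the profile parameters snc/enable, snc/accept_insecure_gui and snc/only_encrypted_gui are not named on this page, and the defaults used for unset parameters are assumptions to confirm for your kernel release.

```python
# Added example (not from the playbook): audit SNC settings in an instance profile.
# Defaults for unset parameters are assumptions; confirm them for your kernel release.
ASSUMED_DEFAULTS = {
    "snc/enable": "0",
    "snc/accept_insecure_gui": "0",
    "snc/only_encrypted_gui": "0",
}

def parse_profile(text):
    """Parse 'name = value' lines; blank lines and '#' comment lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def audit_snc(params):
    """Return findings that leave unencrypted SAP GUI (DIAG) logons possible."""
    def get(name):
        return params.get(name, ASSUMED_DEFAULTS[name]).upper()
    if get("snc/enable") != "1":
        return ["snc/enable is not 1: SNC is off, DIAG traffic is not encrypted"]
    findings = []
    if get("snc/accept_insecure_gui") == "1":
        findings.append("snc/accept_insecure_gui = 1: logons without SNC are accepted")
    elif get("snc/accept_insecure_gui") == "U":
        findings.append("snc/accept_insecure_gui = U: flagged users may log on without SNC")
    if get("snc/only_encrypted_gui") != "1":
        findings.append("snc/only_encrypted_gui is not 1: unencrypted GUI sessions are not blocked")
    return findings

# Constructed sample profiles (not taken from a real system).
WEAK_PROFILE = """\
# instance profile excerpt (constructed)
SAPSYSTEMNAME = ABC
snc/enable = 1
snc/accept_insecure_gui = 1
"""
HARDENED_PROFILE = """\
snc/enable = 1
snc/accept_insecure_gui = 0
snc/only_encrypted_gui = 1
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_snc(parse_profile(text)) or "no findings")
```

An empty result means none of the three checked settings leaves plaintext GUI logons open; it does not replace checking the SNC configuration on the running instance.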

Commonly used network ports:

  • 32XX
Note
The SAP Enqueue Server also uses a port in the range 3200-3298!

Options

  • Hunter.how Query: protocol=="sapdisp" or protocol=="sapgui" or protocol=="sapdisp/sapgui"
  • Nmap
    • nmap -sV -R -p3200-3298 -Pn <Target Address(es)/Domain Name>
    • nmap -sSVC -n -Pn -p3200-3298 --datadir . <Target Address(es)/Domain Name> (NMAP ERPscan probes)
  • nuclei templates
  • Metasploit Module:
    • exploit/windows/misc/sap_netweaver_dispatcher
