SAP Pentest Playbook

SAP Internet Communication Manager (ICM)

Description

The SAP Internet Communication Manager (SAP ICM) handles communication between the SAP system (NetWeaver Application Server) and the outside world over HTTP, HTTPS and SMTP. To do so, the SAP ICM provides a web server that is the foundation for web-based SAP technologies such as Fiori, WebDynpro and Business Server Pages (BSP). The SAP ICM comes with many security-relevant configuration options for SSL/TLS encryption, cookie handling and HTTP authentication requests, and it even provides a dedicated security log.

SAP ICM increases the attack surface for common web application vulnerabilities such as the OWASP Top 10, including Cross-Site Scripting (XSS), SQL Injection and Broken Authentication. There are some well-known attacks, such as the Request Smuggling attack (aka ICMAD) and a Broken Authentication issue identified in the RFC protocol that also affected WebSocket RFC connections.

SAP ICM exposes a huge number of different web services and applications, including customer-developed services and web applications. It is therefore not easy to specify a single template that scans for all the different flavours and applications. Within the Nuclei section we have provided some templates for the most common services.

Commonly used network ports:

  • 8000
  • 8001
  • 8443
  • 44300

Note: Any common HTTP port can be configured to be used by SAP ICM.

Options

  • Shodan:
    • "sap-server: true"
    • "sap-server: true" "SAP NetWeaver Application Server / ABAP"
  • Hunter.how Query:
    • header="sap-server: true" or header="SAP NetWeaver Application Server / ABAP" or header="sap-perf-fesrec"
  • Nmap:
    • nmap -sSVC -n -Pn -p<Port/Port Range> --datadir . <Target Address(es)/Domain Name> (NMAP ERPscan probes)
  • Nuclei templates
  • Metasploit Modules:
    • auxiliary/scanner/sap/sap_soap_rfc_ping
    • auxiliary/scanner/sap/sap_soap_rfc_read_table
    • auxiliary/scanner/sap/sap_soap_rfc_system_info
    • auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface
    • auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec
    • auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec
    • auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec
    • auxiliary/dos/sap/sap_soap_rfc_eps_delete_file
    • auxiliary/scanner/sap/sap_soap_rfc_eps_get_directory_listing
    • auxiliary/scanner/sap/sap_soap_rfc_pfl_check_os_file_existence
    • auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir
    • exploit/multi/sap/sap_soap_rfc_sxpg_call_system_exec
    • auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec
    • exploit/multi/sap/sap_soap_rfc_sxpg_command_exec
    • auxiliary/scanner/sap/sap_soap_rfc_brute_login
    • auxiliary/scanner/sap/sap_web_gui_brute_login
    • auxiliary/scanner/sap/sap_icm_urlscan
    • auxiliary/scanner/sap/sap_icf_public_info
  • SAP WebGUI/Fiori Launchpad Bruteforce
  • Wordlists:
    • Metasploit Framework: data/wordlists/sap_icm_paths.txt
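
The Shodan and Hunter.how queries above all key on the same three response-header fingerprints (sap-server: true, a Server banner containing "SAP NetWeaver Application Server", and sap-perf-fesrec). The script below is an added example, not part of the playbook or of any SAP tooling: it applies those fingerprints to raw HTTP response heads and cross-checks the port against the list on this page, so an owner can verify their own inventory of ICM exposures (an ICM answering on an unexpected port, or a production system that still discloses its stack in the banner). The hostnames and responses are constructed samples; the profile parameter mentioned in the note, is/HTTP/show_server_header, is an SAP ICM parameter and should be verified for your release.

```python
"""Classify HTTP responses as SAP ICM exposures using the header fingerprints
this page lists. Added example with constructed sample data; not playbook code."""
from __future__ import annotations
from dataclasses import dataclass, field

# Ports the page lists as commonly used by ICM (any port may be configured).
COMMON_ICM_PORTS = {8000, 8001, 8443, 44300}

# Header fingerprints taken from the page's Shodan / Hunter.how queries.
SAP_SERVER_HEADER = "sap-server"                        # expected value "true"
SAP_SERVER_BANNER = "SAP NetWeaver Application Server"  # substring of Server:
SAP_PERF_HEADER = "sap-perf-fesrec"


@dataclass
class Finding:
    host: str
    port: int
    is_icm: bool
    indicators: list[str] = field(default_factory=list)
    notes: list[str] = field(default_factory=list)


def parse_headers(raw: str) -> dict[str, str]:
    """Parse a raw HTTP response head into a lower-cased header dict.
    The status line is skipped and parsing stops at the first blank line,
    so nothing from the body is mistaken for a header."""
    headers: dict[str, str] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify(host: str, port: int, raw_response: str) -> Finding:
    """Return which ICM fingerprints a response carries plus hygiene notes."""
    h = parse_headers(raw_response)
    f = Finding(host=host, port=port, is_icm=False)
    if h.get(SAP_SERVER_HEADER, "").lower() == "true":
        f.indicators.append("sap-server: true")
    banner = h.get("server", "")
    if SAP_SERVER_BANNER.lower() in banner.lower():
        f.indicators.append(f"server: {banner}")
    if SAP_PERF_HEADER in h:
        f.indicators.append(SAP_PERF_HEADER)
    f.is_icm = bool(f.indicators)
    if f.is_icm:
        if port not in COMMON_ICM_PORTS:
            f.notes.append("ICM on non-standard port; check it is in the asset inventory")
        if SAP_SERVER_BANNER.lower() in banner.lower():
            # is/HTTP/show_server_header is the ICM profile parameter that
            # controls the Server banner; verify its behaviour for your release.
            f.notes.append("server banner discloses the SAP stack; "
                           "review is/HTTP/show_server_header")
    return f


# Constructed sample response heads (not captures from real systems).
SAMPLES = [
    ("sap-dev.example.test", 8000,
     "HTTP/1.1 200 OK\r\nserver: SAP NetWeaver Application Server / ABAP\r\n"
     "sap-server: true\r\ncontent-type: text/html\r\n\r\n<html>"),
    ("sap-prd.example.test", 44300,
     "HTTP/1.1 401 Unauthorized\r\nsap-server: true\r\n"
     "www-authenticate: Basic realm=\"<SID>\"\r\n\r\n"),
    ("portal.example.test", 8080,
     "HTTP/1.1 302 Found\r\nsap-perf-fesrec: 1\r\nlocation: /sap/bc/ui2/flp\r\n\r\n"),
    ("www.example.test", 443,
     "HTTP/1.1 200 OK\r\nserver: nginx\r\ncontent-type: text/html\r\n\r\n"),
]


def scan_inventory(samples=SAMPLES) -> list[Finding]:
    return [classify(host, port, raw) for host, port, raw in samples]


if __name__ == "__main__":
    for f in scan_inventory():
        flag = "ICM" if f.is_icm else "---"
        print(f"{flag} {f.host}:{f.port} {f.indicators} {f.notes}")
```

The three fingerprints are checked independently because a hardened system may suppress the Server banner yet still emit sap-server: true, and a Fiori launchpad redirect may carry only sap-perf-fesrec; any one of them is enough to mark the host for follow-up.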

References