SAP Message Server
The SAP Message Server internal port provides cluster management services between the application servers of an SAP system cluster. When exposed to malicious actors it can be misused to bypass the protection configuration of the SAP RFC Gateway and allow full system compromise, even when the gateway itself is properly configured.
The SAP Message Server runs as a separate process as part of the SCS (SAP Central Services)/ASCS (ABAP SCS) and is used to distribute traffic according to the load of the SAP application servers. There is only one Message Server per SAP system. In addition to load balancing, the Message Server is also used for internal communication (i.e. between instances) and for the distribution of logons/logon groups for SAP GUI, SAP RFC and HTTP traffic.
Due to security requirements, internal and external communication is split between two separate ports (internal and external port).
- The internal port is used for inter-SAP-system communication and allows reading and writing data.
- The external port is used for the distribution of logons and allows read-only access only!
If an attacker is able to access the internal Message Server port due to missing security controls (e.g. missing ACL, missing host/network firewall), the following attack scenarios become possible (and many more):
- The attack allows registering a new application server to MitM user sessions and capture credentials.
- The attack allows registering a new application server, which then bypasses e.g. the RFC Gateway ACL (10KBlaze/Betrusted attack).
- The attack allows changing/updating Message Server parameters, e.g. enabling the administrative port (ms/admin_port), which then grants full permission to adjust the SAP system configuration through the administrative port.
A public demonstration of the abilities to attack an SAP system through the SAP Message Server can be found in the OPCDE talk from 2019 by Mathieu Geli and Dmitry Chastuhin.
Commonly used network ports:
- 36XX (external communication)
- 39XX (internal communication)
- 81XX (HTTP)
- 444XX (HTTPS)
- Shodan:
"SAP Message Server, release" (HTTP/s service)
- Hunter.how query:
header="SAP Message Server, release"&&protocol=="http" (HTTP/s service)
protocol=="sapms" (internal & external service)
- Nmap:
nmap -sV -R -p3900-3999,3600-3699,8100-8199,44400-44499 -Pn <Target Address(es)/Domain Name>
nmap -sSVC -n -Pn -p3900-3999,3600-3699,8100-8199,44400-44499 --datadir . <Target Address(es)/Domain Name> (NMAP ERPscan probes)
- Nuclei templates
- Metasploit module:
auxiliary/admin/sap/sap_igs_xmlchart_xxe
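As an added example that is not part of the original page: a small Python script that parses nmap grepable (-oG) output from a scan like the one above and flags hosts where a 39NN internal Message Server port answers as open from the scanner's vantage point, which is the exposure the text above describes. The scan output, host addresses and the port-to-role mapping are constructed from the port ranges listed on the page.

```python
import re
from collections import defaultdict

# Port-range convention from the page: NN is the two-digit SAP instance number.
PORT_ROLES = {
    36: "sapms-external",   # 36NN: Message Server external port (read-only)
    39: "sapms-internal",   # 39NN: Message Server internal port (read/write, cluster-only)
    81: "http",             # 81NN: HTTP
    444: "https",           # 444NN: HTTPS (as listed on the page)
}

# Constructed nmap -oG sample (not a real scan). Fields per port entry are
# port/state/protocol/owner/service/rpc-info/version/.
SAMPLE_SCAN = """# Nmap constructed sample
Host: 10.0.0.5 ()\tPorts: 3600/open/tcp//sapms///, 3900/open/tcp//sapms///, 8100/open/tcp//http///
Host: 10.0.0.6 ()\tPorts: 3601/open/tcp//sapms///, 3901/filtered/tcp//sapms///
"""

def classify_port(port):
    """Return (role, instance_number) for a port in an SAP range, else None."""
    for prefix, role in PORT_ROLES.items():
        base = prefix * 100
        if base <= port <= base + 99:
            return role, port - base
    return None

def parse_nmap_grepable(text):
    """Parse nmap -oG output into {host: [(port, state, service), ...]}."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: (.*)", line)
        if not m:
            continue
        # Only the Ports field; anything after a tab (e.g. "Ignored State") is dropped.
        for entry in m.group(2).split("\t")[0].split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            hosts[m.group(1)].append((int(fields[0]), fields[1], fields[4]))
    return hosts

def exposed_internal_ports(hosts):
    """List (host, port, instance) where a 39NN internal port is open to the scanner."""
    findings = []
    for host, ports in hosts.items():
        for port, state, _service in ports:
            c = classify_port(port)
            if c and c[0] == "sapms-internal" and state == "open":
                findings.append((host, port, c[1]))
    return findings

if __name__ == "__main__":
    for host, port, inst in exposed_internal_ports(parse_nmap_grepable(SAMPLE_SCAN)):
        print(f"{host}: internal Message Server port {port} (instance {inst:02d}) reachable")
```

Any host reported here should be reachable on 39NN only from the cluster's own application servers; anything else is a missing ACL or firewall rule.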
