Skip to main content
SAP Pentest Playbook
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  2. /
  3. SAP ABAP Platform
  4. /
  5. Reconnaissance
  6. /
  7. Network Service Discovery & Fingerprinting
  8. /
  9. SAP RFC Gateway
Edit page

SAP RFC Gateway

Description

SAP RFC Gateway is a gateway service which standalone, or as part of an SAP ABAP system provides service for the proprietary RFC protocol. Unpatched, or misconfigured installations can yield to full system compromise. Up to unauthenticated remote code execution vulnerabilities. By default, the RFC protocol is not encrypted. Communication encryption has to be set up by the use of SNC (Secure Network Communication).

Common used Network Ports:

  • 33XX (unencrypted communication)
  • 48XX (encrypted communication (SNC enabled))

Options

  • Hunter.how Query: protocol=="sapgateway"
  • Nmap:
    • nmap -sV -R -p3300-3399,4800-4899 -Pn <Target Address(es)/Domain Name>
    • nmap -sSVC -n -Pn -p3300-3399,4800-4899 --datadir . <Target Address(es)/Domain Name> (NMAP ERPscan probes)
  • nuclei templates

References