SAP Pentest Playbook

SAP Internet Graphic Server (IGS)

Description

The SAP Start Service is a key element of SAP systems. The process is called sapstartsrv.exe on Windows and sapstartsrv on UNIX/Linux platforms. Each instance has its own sapstartsrv process, which is responsible for starting, stopping, and monitoring that instance. Other products and solutions, such as the SAP Host Agent or the SAP HANA database server, have their own SAP Start Service. By default, critical functions (such as restarting an instance) are protected before they can be used, but not all services are protected by default. This makes it possible to retrieve critical information and details about the instances. The SAP Start Service is used by SAP MC and SAP MMC.

The SAP Start Service offers various web methods as SOAP web services to control the SAP instances. By default, some of these web methods are accessible without authentication, so anyone with network access to the SAP Start Service ports can call them. This can have a critical impact on the security of the systems. SAP Note 1439348 describes how web methods can be protected and how access can be restricted.
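For the hardening side of this, the following added example (not part of the original playbook) audits a system's profiles for the `service/protectedwebmethods` parameter, which controls which sapstartsrv web methods require authentication. The profile contents are constructed samples, the function names are hypothetical, and the rating labels are this example's own convention.

```python
PARAM = "service/protectedwebmethods"
BASE_SETS = ("NONE", "DEFAULT", "SDEFAULT", "ALL")

# Constructed sample profiles, not taken from a real system.
DEFAULT_PFL = """\
SAPSYSTEMNAME = ABC
service/protectedwebmethods = SDEFAULT
"""
INSTANCE_PFL = """\
# instance profile ABC_D00_host1 (constructed)
SAPSYSTEM = 00
service/protectedwebmethods = SDEFAULT -GetProcessList -GetEnvironment
"""

def parse_profile(text):
    """Return {name: value} for 'name = value' lines; '#' lines are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def audit(default_pfl, instance_pfl):
    """Merge both profiles (the instance profile wins) and rate the setting."""
    merged = {**parse_profile(default_pfl), **parse_profile(instance_pfl)}
    tokens = merged.get(PARAM, "").split()
    if not tokens:
        return {"rating": "review", "base": None, "unprotected": [],
                "note": "not set, kernel default applies"}
    base = tokens[0].upper()
    if base not in BASE_SETS:
        return {"rating": "review", "base": None, "unprotected": [],
                "note": "unrecognised base set " + tokens[0]}
    # '-Method' removes protection from a method, '+Method' adds it.
    unprotected = [t[1:] for t in tokens[1:] if t.startswith("-")]
    if base == "NONE":
        rating, note = "weak", "no web method requires authentication"
    elif base == "DEFAULT":
        rating, note = "weak", "only the default critical set is protected"
    elif unprotected:
        rating, note = "review", "exceptions reopen " + ", ".join(unprotected)
    else:
        rating, note = "hardened", base + " without exceptions"
    return {"rating": rating, "base": base, "unprotected": unprotected, "note": note}

if __name__ == "__main__":
    print(audit(DEFAULT_PFL, INSTANCE_PFL))
```

Run it against the DEFAULT.PFL and each instance profile of a system. An instance profile that reopens methods overrides a hardened DEFAULT.PFL, which is the case the constructed sample shows.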

Commonly used network ports:

  • 5XX13/tcp (HTTP)
  • 5XX14/tcp (HTTPS)

Options

  • Hunter.how Query:
    • web.title="SAP Management Console" and (protocol=="http" or protocol=="https")
  • Nmap:
    • nmap -sSVC -n -Pn -p50013-59914 <Target Address(es)/Domain Name>
    • nmap -sSVC -n -Pn -p50013-59914 --datadir . <Target Address(es)/Domain Name> (Nmap ERPScan probes)
  • nuclei templates
  • Metasploit Module:
    • auxiliary/scanner/sap/sap_mgmt_con_getaccesspoints
    • auxiliary/scanner/sap/sap_mgmt_con_brute_login
    • auxiliary/scanner/sap/sap_mgmt_con_extractusers
    • auxiliary/scanner/sap/sap_mgmt_con_abaplog
    • auxiliary/scanner/sap/sap_mgmt_con_getlogfiles
    • auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter
    • auxiliary/scanner/sap/sap_mgmt_con_getprocesslist
    • auxiliary/scanner/sap/sap_mgmt_con_instanceproperties
    • auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles
    • auxiliary/scanner/sap/sap_mgmt_con_listlogfiles
    • auxiliary/admin/sap/sap_mgmt_con_osexec
    • exploit/multi/sap/sap_mgmt_con_osexec_payload
    • auxiliary/scanner/sap/sap_mgmt_con_version
    • auxiliary/scanner/sap/sap_mgmt_con_getenv
    • auxiliary/scanner/sap/sap_mgmt_con_startprofile
  • SAP Start Service enumeration tool

References