SAP
aka saprouter, netweaver
Enterprise ERP with a sprawling attack surface — SAProuter (3299), the dispatcher (32NN), the message server, and the ICM web stack (8000). Default clients/users and exposed RFC functions are the way in.
Ports
| Port | Proto | Notes |
|---|---|---|
| 3299 | tcp | SAProuter |
| 3200 | tcp | Dispatcher (DIAG), 32NN |
| 3600 | tcp | Message server, 36NN |
| 8000 | tcp | ICM / WebGUI (50000 for AS Java) |
Fingerprint
- nmap sap-* scripts; pysap / bizploit identify components
- SAProuter banner on 3299
Default / weak creds
SAP* / 06071992 or PASS; DDIC / 19920706; EARLYWATCH; default clients 000/001/066
Exploitation primitives
- Enumerate components and reachable hosts through SAProuter (pysap)
- Default user/client logins (SAP*, DDIC) to the GUI/WebGUI
- Exposed RFC functions and the message server enable command execution / config dumps
Overview
SAP is enterprise ERP with many networked components. Recon is half the battle — map what’s exposed (SAProuter, dispatcher, message server, ICM), then try default credentials and abusable RFC functions.
Enumeration
nmap SAP scripts:
nmap -p3299,3200,3600,8000 --script "sap-*" <TARGET>
Route through / fingerprint SAProuter with pysap:
python3 saprouter_portfwd.py -t <TARGET> -r 3299
Default logins
Try the shipped accounts against the WebGUI / SAP GUI:
SAP*:06071992 DDIC:19920706 (clients 000 / 001 / 066)
Abuse RFC
List and call exposed RFC functions (some run OS commands / read tables):
python3 pysap_rfc_enum.py -d <TARGET> -p 3300
Hardening
Lock down SAProuter ACLs, change all default user passwords, disable risky RFC functions, and segment SAP from the user network.
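For the "lock down SAProuter ACLs" step, a small auditor for the route permission table (saprouttab) that flags permit entries using a bare `*`. This is an added example, not code from the original page or from SAP; the sample table, host names, password and function names are constructed, and only standard P/S/D entries are assessed (SNC K* entries are skipped).

```python
# Added example: audit a SAProuter route permission table (saprouttab).
# Sample entries, host names and function names are constructed.
SAMPLE_SAPROUTTAB = """\
# constructed sample, not taken from a real system
P * * *
P 10.1.5.20 sapprd01 3200
S 10.1.5.21 sapprd01 3299 examplepw
P 192.168.7.4 * 3300
D * * *
"""


def parse_entries(text):
    """Yield (line_no, kind, source, dest_host, dest_service) for P/S/D lines."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        kind = fields[0].upper()
        # SNC entries (KT/KP/KS/KD) use a different layout and are skipped.
        if kind in ("P", "S", "D") and len(fields) >= 4:
            yield line_no, kind, fields[1], fields[2], fields[3]


def audit_saprouttab(text):
    """Return [(line_no, reasons)] for permit entries that use a bare '*'."""
    findings = []
    for line_no, kind, src, dst, svc in parse_entries(text):
        if kind == "D":
            continue  # deny entries only narrow access
        reasons = [label for value, label in (
            (src, "any source host"),
            (dst, "any destination host"),
            (svc, "any destination service"),
        ) if value == "*"]
        if reasons and kind == "P":
            reasons.append("P also permits native (non-SAP) protocols")
        if reasons:
            findings.append((line_no, reasons))
    return findings


if __name__ == "__main__":
    for line_no, reasons in audit_saprouttab(SAMPLE_SAPROUTTAB):
        print(f"line {line_no}: " + "; ".join(reasons))
```

Run it against a copy of the production saprouttab and replace each flagged entry with explicit source, destination and service values, preferring S over P where only SAP protocols are needed.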