Daniel Berlin on Security: Insight on SAP security, development stuff… and all the rest

5 May 2013

Sniffing SAP GUI passwords // Part 2

Hi, folks!
In my article about Sniffing SAP GUI passwords in Nov. 2012, I took a look at several state-of-the-art sniffing tools for capturing SAP GUI passwords.
One of those tools was a Wireshark plugin by Martin Gallo of CoreLabs; unfortunately, it refused to compile no matter how often I tried, which is why I never tested it… but Martin has meanwhile released an improved version.

Fortunately, I took the time to try it, because it turned out to be a real gem: a bit hard to build, but pretty useful once you have it. 😉

The nice part: Usage

In contrast to the other Wireshark plugin, by Positive Research, this one does not only decompress the DIAG traffic but also dissects (almost all parts of) it and shows the respective fields and values, which is what makes the login data readable straight from the capture.
Another invaluable advantage is, of course, that it is available as source code.

Sniffing the SAP DIAG protocol: Wireshark with CoreLabs plugin
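To make concrete what the plugin is dissecting, here is an added example, not code from this post and not from the CoreLabs plugin: a small Python parser for the outer layers of a DIAG message (NI length, DIAG header, compression header, and APPL/APPL4 item headers), plus a check for whether a capture could expose the login at all. The field layout, the meaning of the header's compress byte (0/1 cleartext or merely compressed, 2/3 SNC-encrypted) and the compression-header magic are my reading of the public open-source dissectors and should be treated as assumptions of this example; the messages fed to it are constructed by hand, not captured traffic, and item types other than APPL, APPL4 and EOM are deliberately not handled.

```python
import struct

# Meaning of the DIAG header "compress" byte (assumed, from public dissector sources)
COMPRESS_VALUES = {
    0: "compression off (cleartext)",
    1: "compressed (cleartext once inflated)",
    2: "encrypted (SNC)",
    3: "encrypted, wrapped (SNC)",
}
# Meaning of the compression header "algorithm" byte (assumed)
COMPRESS_ALGORITHMS = {0x10: "LZC", 0x12: "LZH"}

ITEM_APPL, ITEM_APPL4, ITEM_EOM = 0x10, 0x12, 0x0C   # the only item types handled here


def parse_diag(data):
    """Parse one NI-framed DIAG message (bytes) into a dict (assumed layout)."""
    if len(data) < 4 + 8:
        raise ValueError("too short for NI length + DIAG header")
    (ni_len,) = struct.unpack(">I", data[:4])            # NI layer: big-endian payload length
    if ni_len != len(data) - 4:
        raise ValueError("NI length %d != payload length %d" % (ni_len, len(data) - 4))
    body = data[4:]
    # DIAG header: eight single-byte fields
    mode, com_flag, mode_stat, err_no, msg_type, msg_info, msg_rc, compress = body[:8]
    info = {
        "mode": mode, "com_flag": com_flag, "mode_stat": mode_stat, "err_no": err_no,
        "msg_type": msg_type, "msg_info": msg_info, "msg_rc": msg_rc, "compress": compress,
        "protection": COMPRESS_VALUES.get(compress, "unknown (%d)" % compress),
        "compression": None, "items": [],
    }
    off = 8
    if compress == 1:
        # Compression header: uncompressed length (little-endian), algorithm, magic 0x1f9d, special
        if len(body) < off + 8:
            raise ValueError("truncated compression header")
        (unc_len,) = struct.unpack("<I", body[off:off + 4])
        alg, magic, special = struct.unpack(">BHB", body[off + 4:off + 8])
        if magic != 0x1F9D:
            raise ValueError("bad compression magic 0x%04x" % magic)
        info["compression"] = {"uncompressed_length": unc_len,
                               "algorithm": COMPRESS_ALGORITHMS.get(alg, "0x%02x" % alg)}
        return info            # items live inside the compressed blob: inflate first
    if compress != 0:
        return info            # SNC-protected: nothing to dissect without the session keys
    # Cleartext: walk the item list until the end-of-message marker
    while off < len(body):
        itype = body[off]
        off += 1
        if itype == ITEM_EOM:
            info["items"].append({"type": "EOM"})
            break
        if itype not in (ITEM_APPL, ITEM_APPL4):
            raise ValueError("item type 0x%02x not handled by this example" % itype)
        iid, sid = body[off], body[off + 1]
        off += 2
        if itype == ITEM_APPL:
            (ilen,) = struct.unpack(">H", body[off:off + 2])   # 2-byte length
            off += 2
        else:
            (ilen,) = struct.unpack(">I", body[off:off + 4])   # 4-byte length
            off += 4
        if off + ilen > len(body):
            raise ValueError("item length runs past end of message")
        info["items"].append({"type": "APPL" if itype == ITEM_APPL else "APPL4",
                              "id": iid, "sid": sid, "value": body[off:off + ilen]})
        off += ilen
    return info


def credentials_exposed(info):
    """True when only (optional) compression, not SNC, protects the payload."""
    return info["compress"] in (0, 1)


def build_diag(compress, items=(), compress_header=b""):
    """Construct a DIAG message for the example; NOT real captured traffic."""
    body = bytes([0, 0, 0, 0, 0, 0, 0, compress]) + compress_header
    if compress == 0:
        for iid, sid, value in items:   # APPL items with constructed id/sid values
            body += bytes([ITEM_APPL, iid, sid]) + struct.pack(">H", len(value)) + value
        body += bytes([ITEM_EOM])
    return struct.pack(">I", len(body)) + body


if __name__ == "__main__":
    sample = build_diag(0, [(0x12, 0x09, b"constructed-login-field")])
    parsed = parse_diag(sample)
    print(parsed["protection"], "- exposed:", credentials_exposed(parsed))
    for item in parsed["items"]:
        print(item)
```

The point of `credentials_exposed` is the practitioner's first question when looking at a DIAG capture: a compress byte of 0 or 1 means the plugin (or any tool that inflates LZC/LZH) will show the login fields in the clear, whereas 2 or 3 means SNC is in place and the capture yields nothing without the session keys.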

The nasty part: Compilation

The following script does the trick, although you'll probably want to adjust it to your environment and needs…
(It assumes it is run from the directory where the plugin tarball is located. Two caveats: the Wireshark trunk is checked out over plain HTTP from anonsvn, so the source you compile is not authenticated in any way, and the plugin's wireshark.patch was made against a particular trunk revision, so if the checkout has moved on the patch may no longer apply and you'll want to pass `-r <revision>` to `svn co`.)

#!/bin/bash -ex
# -e: abort on the first failing command, -x: echo every command

# Fresh checkout of the Wireshark trunk (plain HTTP, unauthenticated source;
# add -r <revision> to build against the revision the plugin's patch targets)
rm -rf wireshark
svn co http://anonsvn.wireshark.org/wireshark/trunk wireshark

# Unpack the plugin into the source tree as plugins/sap
mkdir wireshark/plugins/sap
tar -C wireshark/plugins/sap -xzf sap-wireshark-plugin-0.1.3.tar.gz

cd wireshark
./autogen.sh

# Register the plugin with Wireshark's build system
patch -p0 < plugins/sap/wireshark.patch

# The build scripts need Python 2; point configure at it if present
test -x /usr/bin/python2 && export PYTHON=/usr/bin/python2
# Install into the build directory instead of /usr/local, and don't let
# compiler warnings from the plugin abort the build
./configure --prefix="$PWD" --disable-warnings-as-errors

make
make install

# Run the freshly built Wireshark; Help > About Wireshark > Plugins
# should now list the SAP plugin
bin/wireshark

See you soon!