Hello and welcome (back)!
In my article about Sniffing SAP GUI passwords in Nov. 2012, I took a look at several state-of-the-art sniffing tools for capturing SAP GUI passwords.
One of those tools was a Wireshark plugin by Martin Gallo of CoreLabs — unfortunately, it refused to compile over and over again, which is why I never tested it… but meanwhile, Martin released an improved version.
Fortunately, I took the time to try it, because it turned out to be a real gem — a bit hard to obtain, but pretty useful once you've got it. 😉
The nice part: Usage
In contrast to the other Wireshark plugin by Positive Research, this one not only decompresses but also dissects almost all parts of the traffic and shows the respective fields and values (below you can see a DDIC login with the password in plain text).
Another invaluable advantage is of course its availability as source code!

The nasty part: Compilation
The following script does the trick, although you’ll probably want to adjust it to the build environment, the Wireshark version and your needs…
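(It assumes that it is run from the directory where the plugin tarball is located.)

    #!/bin/bash -ex
    # Start from a clean checkout of the Wireshark trunk
    rm -rf wireshark
    svn co http://anonsvn.wireshark.org/wireshark/trunk wireshark

    # Unpack the plugin tarball into the source tree
    mkdir wireshark/plugins/sap
    tar -C wireshark/plugins/sap -xzf sap-wireshark-plugin-0.1.3.tar.gz

    cd wireshark
    ./autogen.sh
    # Apply the patch shipped with the plugin
    patch -p0 < plugins/sap/wireshark.patch

    # Use Python 2 for the build if it is installed
    test -x /usr/bin/python2 && export PYTHON=/usr/bin/python2

    # Build, install into the source directory itself and start the result
    ./configure --prefix="$PWD" --disable-warnings-as-errors
    make
    make install
    bin/wireshark
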
See you soon!
Yeah, Reverse Engineering for Beginners.
Dennis Yurichev – is GOD of it :), love his approach.
Here is the father of all: http://conus.info/RE-articles/sapgui.html
Enjoy Buddies…