Sniffing SAP GUI passwords // Part 2

Hello and welcome (back)!

In my article about sniffing SAP GUI passwords from Nov. 2012, I took a look at several state-of-the-art sniffing tools for capturing SAP GUI passwords.
One of those tools was a Wireshark plugin by Martin Gallo of CoreLabs. Unfortunately, it refused to compile over and over again, which is why I never tested it… but in the meantime, Martin has released an improved version.

Fortunately, I took the time to try it, because it turned out to be a real gem: a bit hard to obtain, but pretty useful once you have it. 😉

The nice part: Usage

In contrast to the other Wireshark plugin by Positive Research, this one not only decompresses the traffic but also dissects almost all parts of it and shows the respective fields and values (below you can see a DDIC login with the password in plain text).
Another invaluable advantage is of course its availability as source code!

Sniffing the SAP DIAG protocol: Wireshark with CoreLabs plugin

The nasty part: Compilation

The following script does the trick, although you’ll probably want to adjust it to your build environment, the Wireshark version and your needs…
(It assumes it is run from the directory where the plugin tarball is located.)

#!/bin/bash
# Abort on the first failing command and echo each command as it runs,
# so a broken step is visible immediately (also works when invoked as "bash build.sh").
set -ex

# Fresh checkout of the Wireshark trunk (the plugin is built inside the source tree)
rm -rf wireshark
svn co http://anonsvn.wireshark.org/wireshark/trunk wireshark

# Unpack the plugin sources into their own plugin directory
mkdir wireshark/plugins/sap
tar -C wireshark/plugins/sap -xzf sap-wireshark-plugin-0.1.3.tar.gz

cd wireshark
./autogen.sh

# The plugin ships a patch that registers it with the Wireshark build system
patch -p0 < plugins/sap/wireshark.patch

# The build scripts of that Wireshark version need Python 2; point configure at it if present
test -x /usr/bin/python2 && export PYTHON=/usr/bin/python2
# Install into the source tree itself so no root privileges are needed
./configure --prefix="$PWD" --disable-warnings-as-errors

make
make install

# Start the freshly built Wireshark with the SAP plugin
bin/wireshark

See you soon!

2 comments

  1. Yeah, Reverse Engineering for Beginners.
    Dennis Yurichev is the GOD of it :), love his approach.
