Hey security folks,
in June I wrote an article about decompressing ABAP source code, in which I talked about multiple efforts to decode the SAP DIAG protocol. Now I’d like to share my experience with the outcome of those projects. Have fun!
SAP DIAG protocol
The SAP GUI uses a proprietary protocol called DIAG for communication with the application server — which unsurprisingly does not support encryption, only (optional) encryption.
To secure network communication, SNC (Secure Network Communications) comes into play: it adds encryption, single-sign-on capability and support for alternate authentication mechanisms.
Anyway, the following assumes a default SAP setup, i.e. username/password authentication without any encryption mechanism in place.
Test setup
In the below tests, I’ll log in to client 000 with user DDIC, password ABCD1234 in English.
The clients have the IP addresses 10.0.0.1 and 10.0.0.100, while the server has 10.1.0.20.
The test procedure is the same for all tools below:
- Start the sniffer,
- log in to an SAP system,
- stop the capture and
- search the captured data for the (plain text) login data.
1st Tool: Cain & Abel v4.9.43
Cain & Abel is a versatile “security tool”, which has been actively developed for > 10 years. Wikipedia has a nice overview of its features. The wealth of features might make its usage a bit unclear — so this is what needs to be done:
- Start the sniffer,
- switch to the “Sniffer” tab,
- select the “Passwords” section,
- choose the “SAP Diag” entry and
- wait for captures to appear.

The captured and decoded communication is fully stored in a plain text file, so you need to find the needle in the haystack:

Cain is a very powerful tool and a perfect choice for security studies!
It has so many impressive features that most AV companies classified it as malware; you’ll probably have to deactivate your AV guard before running it. 😯
The only thing that’s missing is a parser for the dump, which directly extracts the credentials!
2nd Tool: SapCap v0.1

This one is implemented in Java and you need to struggle through the dependencies before it starts to cooperate…
You’ll need: a Java JRE, SapCap itself, Jpcap, WinPcap and the MS Visual C++ runtime (unless already installed).
I managed to get it going on Windows XP (x32), but had to give up on my Windows 7 (x64) / JRE 7 workstation… but YMMV.
SapCap works, but is a bit rough around the edges; besides the packet analysis didn’t work for me.
Not my favorite!
3rd Tool: Wireshark
Wireshark is a powerful and polished network packet analyzer and probably the best open-source tool for this topic.
Unfortunately, it doesn’t support decoding the SAP DIAG protocol out of the box – but so-called dissection plugins fill this gap:
- CoreLabs SAP dissection plug-in 0.3.x and the
- SAP DIAG plugin v0.1b by Positive Research Center
The CoreLabs plugin has to be compiled along with Wireshark, but I didn’t get it to work before I got bored (approx. 10 serious tries). Seems to be a proof-of-concept, nothing more!
➡ Update: Check this article for a review of the CoreLabs plugin!

The Positive Research Center plugin is only available as a Win32 DLL file – no source code, no documentation… take it or leave it… 🙁
Apart from that, this plugin works really fine and since I’m a big fan of Wireshark, it’s my first choice on Windows!
Further reading
- Paper: “Sniffing SAP GUI passwords“
- Dennis Yurichev:
- Blog post on SAP network packet decompression
- Article on the environment variable TDW_NOCOMPRESS
See you next time!
Cain & Abel is not working – Windows treats it as virus, so how can we download and install it?
Hi.
Check #4 on this site: http://www.oxid.it/info.html
But… should one really believe what’s written in the Internet?
Regards, Daniel
Of course I see it, but after download, I try to run it – at that time window hide it and also I try to unhide it, but still it doesn’t work.
Hi Tilahun.
I’d disable the A/V scanner first – as it blocks the access to anything it considers dangerous…
Regards, Daniel