Intercepting SAP SNC-protected traffic

March 22, 2017 (at 10:30 a.m.) in SAP Track

SNC (Secure Network Connections) is SAP's standard security mechanism for protecting communications from clients to servers and between SAP servers. This security layer works with SAP protocols like RFC or DIAG, and strengthen the security of them by using additional security functions. While not enabled by default, its use rate has increased since SAP started shipping it in all kernel versions. Now it can be observed implemented on large and small organizations for preventing active attackers or eavesdroppers.

This talk will introduce the details about this security layer, dissecting the packets and messages and show how SNC is related to each one of the protocols that are protected using it. We'll also review the main security characteristics and explore the attack surface exposed.

Getting crypto to work in the right way always presents some challenges, and doing it in complex environments like SAP systems might be even harder. We'll demonstrate what could go wrong by using an interception attack implementation on some particular configuration scenarios, and end up with some recommendations on how to improve SNC configuration.

Martin Gallo

Martin Gallo is Penetration Testing SME at Core Security, where he applies his experience on penetration testing, code reviews and vulnerabilities hunting to the continuous improvement of the company's services and products. His research interests include enterprise software security, vulnerability research, threat modeling and reverse engineering. Martin has given talks at Troopers, Brucon and Defcon conferences.