You are probably already familiar with Nmap and port scanning in general. I won't waste too much of your time walking through the ins and outs of Nmap, but we will take a look at some of the specific ports of interest for SAP applications.
First off, we need to run Nmap. I personally like to check all ports, as you never know what you will find.
$ nmap -vvv -A -oA <output filename> -p 1-65535 <target ip address>
Obviously, your results will vary from assessment to assessment. A full list of the ports used by SAP applications can be found at http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/4e515a43-0e01-0010-2da1-9bcc452c280b?QuickLink=index&overridelayout=true.
There are a few special ports that you should look out for.
32XX/tcp - These ports are designated for the SAP GUI. While not immediately useful, we will need this once we start looking at the GUI.
80XX/tcp - These ports are set aside for the web pages for the SAP Message Server. These pages are in cleartext, and some of them accept authentication credentials.
81XX/tcp - Same as the 80XX ports, except these use SSL/TLS.
5XX00/tcp - These ports are utilized by the SAP J2EE Engine. The last 2 digits of the port usually reference the instance number (00-99). Nmap will usually list the version as "gSOAP httpd 2.7". Go ahead and try visiting the target system on that port in your browser. You will likely be prompted to run a Java interface for the SAP NetWeaver Management Console. See anything interesting?
5XX08/tcp - These ports are utilized by the SAP J2EE Engine telnet. They allow you to administer the J2EE console remotely.
Depending on the maturity of your client's security program, you may see many other ports open, some related to SAP and some not. The ports I mentioned above limit the scope to SAP. If you happen to notice port 23/tcp or 3389/tcp, and it is in scope for your assessment, fire at will!
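As an added example (not code from the original post), here is a small Python triage script that reads the .gnmap file written by the -oA option above and flags every open TCP port matching one of the SAP patterns just listed, with the instance number read from the XX digits of each pattern. The scan output embedded in it is constructed for the demo, not a real scan.

```python
import re

# .gnmap lists each port as port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\s+Ignored State:.*)?$")

def classify_sap_port(port):
    """Map a TCP port to the SAP pattern it matches; XX in the pattern is read as
    the instance number. Returns (label, instance) or None for non-SAP ports."""
    if 3200 <= port <= 3299:
        return ("SAP GUI / dispatcher (32XX)", port - 3200)
    if 8000 <= port <= 8099:
        return ("Message Server HTTP, cleartext (80XX)", port - 8000)
    if 8100 <= port <= 8199:
        return ("Message Server HTTPS (81XX)", port - 8100)
    if 50000 <= port <= 59999:
        instance, suffix = divmod(port - 50000, 100)
        if suffix == 0:
            return ("J2EE Engine HTTP / NetWeaver Management Console (5XX00)", instance)
        if suffix == 8:
            return ("J2EE Engine telnet (5XX08)", instance)
    return None

def triage_gnmap(gnmap_text):
    """Return one record per open TCP port that matches an SAP pattern."""
    findings = []
    for line in gnmap_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status: Up" lines carry no ports
        host, ports_field = m.group(1), m.group(3)
        for pm in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = pm.groups()
            if state != "open" or proto != "tcp":
                continue
            hit = classify_sap_port(int(port))
            if hit:
                findings.append({"host": host, "port": int(port), "service": service,
                                 "version": version, "sap": hit[0], "instance": hit[1]})
    return findings

# Constructed sample of what `nmap -oA` writes to the .gnmap file for one host.
SAMPLE = (
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "3201/open/tcp//sapgui///, 8001/open/tcp//http//SAP WebAS/, "
    "50108/filtered/tcp//telnet///, 50100/open/tcp//http//gSOAP httpd 2.7/"
    "\tIgnored State: closed (65530)\n"
)
for f in triage_gnmap(SAMPLE):  # one line per SAP finding
    print(f"{f['host']}:{f['port']} {f['sap']} instance {f['instance']:02d} {f['version']}")
```

Point it at your own .gnmap file (open it and pass the text to triage_gnmap) and the filtered 50108 entry in the sample shows why state is checked: only open ports are reported.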
Next time, we will discuss Bizploit, a penetration testing framework designed specifically to target SAP systems!