SAP Dispatcher Security

SAP Cyber Threat Report 2016 revealed that a lot of SAP services are exposed to the internet. Most of them shouldn’t be available online. In this blog post, we want to focus on a specific one, SAP Dispatcher. It is the back-end service that handles SAP GUI connections.

According to the official SAP documentation, the architecture looks like this:

SAP GUI Connections

If we connect like a regular user via SAP GUI to our test server, we will be greeted with a screen like this:


We can see that the server gives us some interesting information even without logging in and without knowing usernames.

What is displayed:

  • SID of the server
  • Hostname of the server
  • Language configured for this Dialog instance
  • Default client for login
  • A free-text description where the administrator writes additional information about the role of this server, what the available clients are, etc.

Information you can’t get via SAP GUI, but can obtain by sniffing raw packets:

  • Kernel (SAP) version
  • Language used (can be guessed with the help of menu appearance)

This means that if we can speak the DIAG protocol, we can obtain all of this information without logging in. Fortunately, there is an open source implementation of dissectors for the DIAG protocol in our beloved language Python, using the no less appreciated scapy framework.

The Dialog instance listens on TCP port 32NN (where NN is the instance number). You are likely to find the first instance, NN=00, activated. So, if we look at servers that listen on tcp/3200 (and speak the SAP DIAG protocol), we will receive a graphical description of the login window.

What follows are some statistics gathered from an internet-wide census:



Kernel version


Geo distribution

If we look at the geo location of those dispatcher instances:

Map Countries

Production systems

An interesting login screen that leaks sensitive information:

SAP GUI Password

If you think that dialog systems available on the internet are testing/demo only, you should reconsider:

SAP ECC Production Server

Overall, 11% of the SIDs begin with the letter P (an indicator that a system is probably Production).

What can we recommend as a defense?

  • Asset Discovery. Be aware of your network exposure (scan your own network from the inside AND from the outside);
  • Network Segmentation. Use network filtering to control who can access at least the Dialog server (and the Message server) ports;
  • Change the SAP GUI information presented on the logon screen. It can be done by running the transaction SE61: select document class ‘General text’, enter Document name ZLOGIN_SCREEN_INFO, and click “change”.
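
One way to act on the first two recommendations, as an added example that is not part of the original post: the script cross-checks an inventory of Dialog instances against firewall allow-rules and reports dispatcher ports (32NN) that are reachable from outside RFC 1918 address space. The rule format, all names and the sample data are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: "internal" means RFC 1918 space; adjust to your own network plan.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Instance:      # one SAP Dialog instance from your own inventory
    sid: str
    host: str
    nn: int          # instance number, 00..99

@dataclass
class Rule:          # simplified, hypothetical firewall allow-rule
    source: str      # CIDR that is allowed to connect
    dest_host: str
    ports: tuple     # inclusive (low, high) TCP port range

def dispatcher_port(nn: int) -> int:
    """The Dialog instance listens on 32NN, NN being the instance number."""
    if not 0 <= nn <= 99:
        raise ValueError(f"instance number out of range: {nn}")
    return 3200 + nn

def is_external(cidr: str) -> bool:
    """True if the source range is not fully contained in an internal network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == i.version and net.subnet_of(i) for i in INTERNAL)

def audit(instances, rules):
    """Return sorted findings for dispatcher ports open to external sources."""
    findings = []
    for inst in instances:
        port = dispatcher_port(inst.nn)
        for r in rules:
            low, high = r.ports
            if r.dest_host == inst.host and low <= port <= high and is_external(r.source):
                # A SID starting with P suggests a production system (see above).
                sev = "HIGH" if inst.sid.upper().startswith("P") else "MEDIUM"
                findings.append((sev, inst.sid, inst.host, port, r.source))
    return sorted(findings)

# Constructed sample data; 203.0.113.0/24 is a documentation range standing in
# for a public network.
INSTANCES = [Instance("PRD", "10.0.1.10", 0), Instance("DEV", "10.0.1.20", 1),
             Instance("QAS", "10.0.1.30", 0)]
RULES = [Rule("0.0.0.0/0", "10.0.1.10", (3200, 3299)),
         Rule("10.0.0.0/8", "10.0.1.20", (3201, 3201)),
         Rule("203.0.113.0/24", "10.0.1.30", (3200, 3200))]
```

Calling `audit(INSTANCES, RULES)` on the sample data reports PRD as HIGH and QAS as MEDIUM, while DEV is only reachable from an internal range and produces no finding.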
