What is pysap?

SAP Netweaver [1] is a technology platform for building and integrating SAP business applications. Communication between components uses different network protocols. While some of them are standard and well-known protocols, others are proprietaries and public information is not available.

This Python library provides modules for crafting and sending packets using SAP's NI, Message Server, Router, RFC, SNC, Enqueue and Diag protocols. The modules are based on Scapy [2] and are based on information acquired at researching the different protocols and services. Detailed information about the research can be found at [3], [4], [5], [6] and [7].

[1] http://www.sap.com/platform/netweaver/index.epx
[2] http://www.secdev.org/projects/scapy/
[3] http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=pysap
[4] http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities
[5] http://www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilities
[6] http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Uncovering_SAP_vulnerabilities
[7] http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=saps_network_protocols_revisited

Features decription

This tool counts with the following components:

- SAPNI module
Scapy class for the SAP NI (Network Interface protocol). It also includes a Stream Socket implementation for the SAP NI protocol, as well as a base proxy and server implementations.

- SAPDiag module
Contain Scapy classes for craft and dissect DiagDP headers, Diag packets and items. The main class is SAPDiag that is in charge of handling compression/decompression of payload items and serve as a container for them.

- SAPDiagItems module
Some classes for craft and dissect common Diag items.

- SAPDiagClient module
Basic class for establishing a connection with an application server.

- SAPEnqueue module
Scapy classes for the Enqueue protocol.

- SAPRouter module
Scapy classes for the different SAP Router packets (route, control, error and admin messages).

- SAPMS module
Scapy classes for the Message Server protocol.

- SAPSNC module
Basic class to serve as container of SNC Frames found in SAPRouter and SAP Diag packets.

- Examples
Example and proof of concept scripts to illustrate the use of the different modules and protocols: login brute force, gather information on the application server, intercept communications, a rogue Diag server implementation, test of Denial of Server issues [4], a Message Server monitor implementation, listener/messager for Message Server, SAP Router internal networks scanner and port forwarder, etc.

Use cases

Source Code


The tool relays on the Scapy library for crafting packets.


This tool is distributed under the GPLv2 license. Check the COPYING file for more details.


This tool was designed and developed by Martin Gallo from the Security Consulting Services team.

Contact Us

Whether you want to report a bug or give some suggestions on this package, drop us a few lines at oss[at]coresecurity[dot]com or contact the author email mgallo[at]coresecurity[dot]com.


Martín Gallo
Release date
License type


pysap-0.1.1.tar.gz - pysap package - MD5: b7460a5d01bd869a45684baa69af260b
pysap-0.1.2.tar.gz - pysap package - MD5: 3a946188f9f1f6653a11c87b184592b1
pysap-0.1.3.tar.gz - pysap package - MD5: 96206b4b577eb524db2afa63a9d33fb1
pysap-0.1.4.tar.gz - pysap package - MD5: 4a61a27a22548a7f04df597e9c885a28