SAP Security

Listing of SAP Open Ports: A Comprehensive Guide

Learn how to check and monitor SAP system ports using various methods including sapcontrol commands, OS-level tools, SAP GUI, and Python scripting.
Defencemore Team

LISTING OF SAP OPEN PORTS

In an SAP system, the ICM, the Message Server, and the SAP processes (diag, background) listen on specific ports. Ports are the entry points to servers and operating systems, so the state of the traffic and data packets sent and received through them is crucial. Because SAP systems use specific ports, it is important to list which of them are active or inactive and to determine which ports are open on the system. Below, I have outlined the methods to check the status of ports specific to SAP:

1) Using the sapcontrol Command

Run the following command:

/usr/sap/<SID>/D00/exe/sapcontrol -nr <instance num> -function GetAccessPointList

You will receive an output similar to this:

GetAccessPointList
OK
address, port, protocol, processname, active
127.0.0.1, 50113, HTTP, sapstartsrv, Yes
192.168.1.130, 50113, HTTP, sapstartsrv, Yes
127.0.0.1, 50114, HTTPS, sapstartsrv, Yes
192.168.1.130, 50114, HTTPS, sapstartsrv, Yes
127.0.0.1, 3201, ENQ, enserver, Yes
192.168.1.130, 3201, ENQ, enserver, Yes
127.0.0.1, 3901, MS, msg_server, Yes
192.168.1.130, 3901, MS, msg_server, Yes
127.0.0.1, 3601, MS, msg_server, Yes
192.168.1.130, 3601, MS, msg_server, Yes
127.0.0.1, 8101, HTTP, msg_server, Yes
192.168.1.130, 8101, HTTP, msg_server, Yes
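
An added example (not part of the original article): parsing the GetAccessPointList output above and reporting active listeners on non-loopback addresses that are missing from an expected baseline. The `ALLOWED_EXTERNAL` baseline and the function names are assumptions made for illustration.

```python
import ipaddress

# Sample rows taken from the sapcontrol output shown above (shortened).
SAMPLE_OUTPUT = """\
GetAccessPointList
OK
address, port, protocol, processname, active
127.0.0.1, 50113, HTTP, sapstartsrv, Yes
192.168.1.130, 50113, HTTP, sapstartsrv, Yes
192.168.1.130, 50114, HTTPS, sapstartsrv, Yes
127.0.0.1, 3201, ENQ, enserver, Yes
192.168.1.130, 3201, ENQ, enserver, Yes
192.168.1.130, 3901, MS, msg_server, Yes
192.168.1.130, 3601, MS, msg_server, Yes
192.168.1.130, 8101, HTTP, msg_server, Yes
"""

# Hypothetical baseline: (port, protocol) pairs expected on a network interface.
ALLOWED_EXTERNAL = {(50114, "HTTPS"), (3601, "MS")}
HEADER = "address, port, protocol, processname, active"
FIELDS = HEADER.split(", ")

def parse_access_points(text):
    """Turn GetAccessPointList output into a list of dicts."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if HEADER not in lines:
        raise ValueError("header row not found; the sapcontrol call probably failed")
    points = []
    for ln in lines[lines.index(HEADER) + 1:]:
        cols = [c.strip() for c in ln.split(",")]
        if len(cols) != len(FIELDS):
            continue  # skip malformed or trailing rows
        row = dict(zip(FIELDS, cols))
        row["port"] = int(row["port"])
        row["active"] = row["active"].lower() == "yes"
        points.append(row)
    return points

def unexpected_listeners(points, allowed=ALLOWED_EXTERNAL):
    """Active, non-loopback access points that are not in the baseline."""
    return [p for p in points
            if p["active"]
            and not ipaddress.ip_address(p["address"]).is_loopback
            and (p["port"], p["protocol"]) not in allowed]

if __name__ == "__main__":
    for p in unexpected_listeners(parse_access_points(SAMPLE_OUTPUT)):
        print(f'{p["address"]}:{p["port"]} {p["protocol"]} ({p["processname"]})')
```

Running the same check on a schedule and comparing the result with the previous run shows when a new listener appears on an instance.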

2) Operating System Commands

The following commands can be used to check port status at the OS level:

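  • netstat -tulnp | grep sap
  • ss -tulnp | grep sap
  • lsof -i -P -n | grep sap
  • netstat -ano | findstr LISTENING
  • nmap -p- <SAP_Server_IP>
  • telnet <SAP_Server_IP> <Port>

Note: These tools must be installed on the operating system. The -p option adds the owning process name that grep matches on; showing processes that belong to other users requires root. netstat -ano | findstr LISTENING is the Windows form.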

3) Using the SAP GUI (SMICM)

Navigate to: SMICM -> Goto -> Services

4) Using Python

Here's an example Python script to check SAP port status. The code is provided as an additional resource.

import socket
import re
from concurrent.futures import ThreadPoolExecutor
from tabulate import tabulate  # third-party package: pip install tabulate

# IP address of the remote computer to be scanned
TARGET_IP = "192.168.1.130"

# SAP Port Definitions
ports = {
    "ABAP AS": {
        "Dispatcher": "32NN",
        "Gateway":    "33NN",
        "Gateway2":   "48NN",
        # Single entry: a repeated dict key would silently overwrite the first one
        "ICM HTTP":   ["80NN", "80", "84NN", "8443"],
        "ICM HTTPS": ["443NN", "443"],
        "ICM SMTP":     "25",
        "ICM Admin": "650NN",
        "Message Server": ["36NN", "39NN"],
        "Message Server HTTP": "81NN",
        "Message Server HTTPS": "444NN",
        # UDP service: scan_port() below uses a TCP connect, so hits on these ports are TCP only
        "Central System Log *UDP*": ["12NN", "13NN", "14NN", "15NN"],
    },
    "Admin Services": {
        "SAPHostControl": "1128",
        "SAPHostControl SSL": "1129",
        "Start Service": "5NN13",
        "Start Service SSL": "5NN14",
        "SDM": ["5NN17", "5NN18", "5NN19"],
        "SAP Router": "3299",
        "NIping": "3298",
        "SAPlpd": "515",
        "DTR": "5NN15",
        "IGS HTTP": "4NN80"
    },
    "HANA": {
        "SQL indexserver": "3NN15",
        "XS HTTP": "80NN",
        "XS HTTPS": "43NN",
    },
}

# Port expansion function
def expand_ports(port_rule, maxi=100):
    port_re = r"(\w+)(NN)(\w+)?"
    port_list = re.split(port_re, port_rule)
    port_list = [e for e in port_list if e not in ["", None]]

    if len(port_list) > 1:
        temp_list = []
        for i in range(maxi):
            port = "".join(port_list)
            temp_list.append(port.replace("NN", f"{i:02}"))
        return temp_list
    else:
        return port_list

# Port scanning function (TCP connect)
def scan_port(ip, port):
    try:
        with socket.create_connection((ip, int(port)), timeout=1):
            return True
    except (socket.timeout, socket.error):
        return False

# main function
def main():
    # create ports to scan
    port_details = []
    for category, protocols in ports.items():
        for protocol, port_rule in protocols.items():
            if isinstance(port_rule, list):
                for rule in port_rule:
                    expanded_ports = expand_ports(rule)
                    port_details += [(category, protocol, port) for port in expanded_ports]
            else:
                expanded_ports = expand_ports(port_rule)
                port_details += [(category, protocol, port) for port in expanded_ports]

    # Remove duplicate entries and sort by port number
    port_details = sorted(set(port_details), key=lambda x: int(x[2]))

    # Start scan
    print(f"Taranacak IP: {TARGET_IP}\n")
    active_ports = []
    with ThreadPoolExecutor(max_workers=50) as executor:
        futures = {executor.submit(scan_port, TARGET_IP, detail[2]): detail for detail in port_details}
        for future in futures:
            category, protocol, port = futures[future]
            if future.result():  # Add only active ports
                active_ports.append([category, protocol, port])

    # Write the active ports as a table
    if active_ports:
        headers = ["Category", "Protocol", "Port"]
        print(tabulate(active_ports, headers=headers, tablefmt="grid"))
    else:
        print("Hiçbir aktif port bulunamadı.")

if __name__ == "__main__":
    main()
