(A paper about SAP plain-text passwords in network packets).
From this paper I got information that, by default, all network packets between SAP server and SAPGUI are not encrypted, rather compressed. SAPGUI also contain an option (TDW_NOCOMPRESS) to turn compression off, then we can use wireshark to see user's plain-text password.
But what really amazed me is that a function which is in charge of data compression, contain call to rand() C stdlib function (in BitBufInit() function, which is, in turn, called from CsRComprLZH()). That is the reason, why SAP's server compressed answers are always different. This is true for at least version 701 patch 32.
They probably emulate encryption?
Almost all good computer programs contain at least one random-number generator. (fortune file in plan 9 OS)
Part two: http://blog.yurichev.com/node/47
→ [list of blog posts] Please drop me email about bug(s) and/or suggestion(s): my emails.