Unraveling SAP's Vulnerabilities: Exploring Hash Cracking in the SAP Environment

Unveiling breaches in SAP systems through password decryption techniques

In the realm of cybersecurity, understanding password hashes is crucial for both attackers and infosec teams. This article will provide a guide on how to work with password hashes in SAP systems using two popular tools: Hashcat and JohnTheRipper.

First, SAP systems can store several hash versions for the same user, and some of them are weak and cheap to crack. The CODVN field of the USR02 table records which hash algorithm (code version) produced the stored hash for that user; the values covered here are B, D, F and H. CODVN B/D hashes are computed over the password truncated to 8 characters and converted to upper case, with the user name as salt, so cracking one yields at most the upper-cased first eight characters; CODVN F is case-sensitive, covers up to 40 characters and is also salted with the user name; CODVN H is a salted, iterated hash (iSSHA-1 by default) and is the only version that should remain in a hardened system. For Hashcat, the input line for CODVN B/D/F is username$hash, while for CODVN H the bare hash is enough. JohnTheRipper uses the same username$hash layout for B/D/F, with the user name space-padded to 40 characters, and the bare hash for H.

Weak or partial hashes may belong to an older password (the history tables) or cover only part of the current one (a downward-compatible B hash), so the result can be inaccurate or outdated, but it still narrows the search: the upper-cased first eight characters recovered from a user's BCODE make a targeted attack on that user's CODVN H hash far cheaper. Hashcat and JohnTheRipper both accept these incomplete values. Hashcat supports several attack modes for this, including wordlist mode (-a 0), brute-force over each character position with a mask (-a 3), and wordlists combined with rules (-a 0 -r rules-file).

If direct access to the database is not available, password hashes can also be read from within SAP through transactions SE16 and DBACOCKPIT, or through the RFC function module RFC_READ_TABLE. RFC_READ_TABLE is remote-enabled, so anyone holding an RFC user that is authorized to read USR02 can pull the table over the network without a dialog logon. The hash values it returns are truncated, and Hashcat has dedicated "from RFC_READ_TABLE" hash modes that work on these partial values.

To attempt to recover passwords from wordlists with Hashcat, the right hash mode must be chosen for each case: CODVN B; CODVN F; CODVN B with a partial hash from RFC_READ_TABLE; CODVN F with a partial hash from RFC_READ_TABLE; and CODVN H.

JohnTheRipper likewise uses a separate format for CODVN B, for CODVN F and for CODVN H; it has no equivalent of Hashcat's partial-hash modes.

SAP stores the active password hashes in the USR02 database table, with historical values kept in USH02, USH02_ARC_TMP and USH02HISTORY. In each of these tables, CODVN B/D hashes are stored in the BCODE column, CODVN F in the PASSCODE column and CODVN H in the PWDSALTEDHASH column. A user whose current password is CODVN H can still carry BCODE and PASSCODE values when downward compatibility is enabled; those are the weak hashes an attacker goes after first.

It is worth noting that SAP transactions SU01, SUIM and SE16N can also be used to examine the USR02 table and its active password hashes. Onapsis strongly recommends disabling downward compatibility (profile parameter login/password_downwards_compatibility set to 0) and removing the weak hashes that remain in all the tables mentioned above; SAP provides the report CLEANUP_PASSWORD_HASH_VALUES for that cleanup.

Lastly, JohnTheRipper comes in several builds; the Jumbo version is the one to use for SAP-generated hashes, because it includes the SAP formats and the sap2john.pl script that converts hashes into the required input format.

In conclusion, understanding password hashes and the tools that work with them is essential for both sides. By running Hashcat and JohnTheRipper against their own USR02 extracts, infosec teams can identify reused or known passwords, and lingering weak hash versions, and fix them before an attacker does.
