SAP batch job interception

This blog will explain how to setup SAP batch job interception.

Questions that will be answered in this blog are:

  • How to activate SAP batch job interception?
  • How does an intercepted job look like?

Activating SAP batch job interception

Before you can begin the setup of the batch job interception you must run program INITXBP2 in SE38:

Program INITXBP2

Next you have to start transaction CRIT and create the profiles.

Transaction CRIT to manage job interception criteria

First create the default SAP profile by clicking on the SAP logo. Activate it. Next step is to create the profile in which you want to do the interception. In the screen above click on the create profile button. Now enter a criteria. For simplicity we have called it interception. In our case we intercept all except a list of authorized users. In the user list we include the basis users and the background users (in this example WF-BATCH). Save the data.

Next step is to activate this profile:

Activate interception proflie

Working of interception

When a batch job is planned the interception checks if the job should be intercepted or not. As a test logon as end user and launch a job. In our case the user ENDUSER tries to launch a job from SLG2 transaction to delete application logs. This jobs is intercepted ans shows like this in SM37:

Intercepted job

The job does not start immediately, but shows in intercepted state. If user with release rights now goes to SM37 for this job, he can release the intercepted job.


 

SAP mail sending tips & tricks

This blog focuses on SAP mail sending tips and tricks.

Questions that will be answered are:

  • How can I add a disclosure to the mails I send form non-productive systems?
  • How do I restrict access to transaction SOST?
  • Which batch job to plan for sending mails?
  • How can I send encrypted or signed mails?

Adding disclosure from to mails from development and test systems

If you want to send mails from development and test systems, but don’t want any risk that it looks like a productive mail, you can add a disclosure to the mail.

In SOST mail settings goto the disclosure function:

SOST to SODIS link

Or you can go directly there using the SODIS transaction.

In SODIS you key in the disclosure text:

SODIS disclosure

If you want you can test for any mail address if the disclosure will be shown or not by using the Routing Test function:

SODIS routing test

When sending mails from the SAP system the receiver now gets the disclosure. The real mail is pushed as text in the attachment of the mail. You need to open the attachment to see the body of the text. Hyperlinks in the body will still work.

Restricting access to SOST transaction: give SOSG access

As admin you might want to restrict access to SOST transaction. This transcation is also often used by fucntional consultants to see if their mail is sent or not. When having access to SOST all functions like deletion and stopping of mails is also granted. What you can do is fully restrict access to SOST and grant the functional consultants access to transaction SOSG to display the mail status. It looks same as SOST, but has additional authorization checks. See also OSS note 2351372 – User access to transactions SOST, SOSV, SOSG and SOSB.

Batch job for mail sending

For sending mail, you need to schedule batch job RSCONN01  with variant SAP&CONNECTINT.

Mail read receipts

SAP mail sending can also use mail receipts. This might be wanted, but most of the times it is not wanted. More about read receipts is explained in OSS note 2161462 – How does Read Receipt work in SAPConnect?

To suppress it follow the instructions in OSS note 1607686 – Suppressing read notification requests.

Mail encryption and signature

Start program RSCONN05 to set the mail signature and encryption settings. More background in OSS note 149926 – Secure e-mail: Encryption, digital signature.

SAP TREX and HANA embedded search technical tips and tricks

This blog will give technical tips & tricks on embedded search. Embedded search can run on both HANA directly or on separate TREX server. It is assumed you know how to set up search in ESH_COCKPIT and know how the end user transaction ESH_SEARCH work.

Questions that will be answered in this blog are:

  • How do I set HANA default connection as embedded search location?
  • What to do after a system copy with embedded search?
  • How to reset the complete embedded search to initial state?
  • How to reset the embedded search buffer?
  • How to recreate the embedded search joins?
  • How to influence the package size of the search extraction?
  • How to check backend part of search?
  • How to deal with full text search issues?
  • How to deal with authorithy index issues?

Setting the search connection to use HANA default database connection

If you are running HANA database for ECC you can use the HANA default primary database connection for search setup. This is easier in maintenance: no extra TREX neeeded, no extra secondary DB connection. Search will consume extra memory and CPU off course on the HANA database.

To set this up run program ESH_ADM_SET_TREX_DESTINATION and select the Use HANA Primary DB connection option.

Task list to run after system copy

After you copy a system the search will not immediately work. In client 000 start transaction STC01 and run task list SAP_ESH_ADJUST_AFTER_COPY.

Resetting all settings to initial

When things gone really beyond repair, you can log on to client 000 and start transaction STC01 and run task list SAP_ESH_RESET.

Important: write down (or make screen shots) on the connectors and settings that were active before running this task list. It will really wipe out all connectors and settings.

Resetting the buffer

Run program ESH_REFRESH_RUNTIME_BUFFER in the working client to reset the trex buffer.

Recreation of join indexes

Run program ESH_RECREATE_ALL_JOIN_INDICES in the working client to recreate the join indexes.

Influencing package sizing per object

With program ESH_SET_INDEXING_PACKAGESIZE you can set the package size for indexing per object. You can lower the size for large objects to avoid memory issues while indexing.

Check backend part of search

To check if a search issue is related to application coding or is related to search setup, you can run program ESH_TEST_SEARCH (with same transacation code ESH_TEST_SEARCH). This program gives you options to test the search independent of any programming of search front end.

Full text search issues

If you are having issues with full text search, please check OSS note 2280372 – How to check Full Text search issues. This note is focussing on full text search issues in relation to solution manager CHARM, but the methods described can be used as well for analyzing other full text search issues.

Setting the extraction user ID

Use program ESH_EX_SET_EXTRACTION_USER or transaction ESH_EXTR_USER to set the user to be used for exraction. This includes the real time indexing.

Authorization indexing issues

While indexing you might get authorization indexing issues. First step is to repeat with sufficient rights attached to your user ID. Then run program ESH_ADM_RECALC_AUTHS to force the recalculation of the authorizations.

If it does not help, you can read the very extensive OSS note 2472239 – Error message “Authorization indexing unsuccessful” when creating search connectors.

Index preload

For some TREX  issues index preload can be a solution. More information on index preload can be found in OSS note 2115082 – ESH Index Preload.

Python check script

For detailed check on TREX embedded search there is a special Python check script, which is not installed by default. The script can be downloaded as attachment from OSS note 2227741 – TREX 710: check of the TREX settings for the Enterprise/embedded Search scenario. Read OSS note 2344042 – How to execute python script check_esh.py on how to install and run the script.

TREX memory issues

If you are seeing high memory consumption in TREX, please check OSS note 2540240 – High Memory and Indexing problems in TREX.

Special use cases

SAP solution manager documentation

If you have search issues with SAP solution manager documentation, there is a special OSS note 2608454 – FAQ: How to handle issues with the (embedded) search functionality in the context of Solution Documentation . This OSS note also contains coding for special test program that will check all relevant settings for the solution documentation search function to work properly.

Use of security policies in user maintenance

This blog will explain the use of security policies in user maintenance.

Questions that will be answered are:

  • Why to use security policies?
  • How to setup security policies?
  • How to assign a security policy to a user?

Why to use security policies?

Security policies can be used to set more strict password rules on critical user ID’s like the system administrators, user administrators and background users. This is one of the measures to avoid password attacks as explaind in the password hash hacking blogs.

How to setup security policies?

Security policies can be setup in customizing under the following node (or by using transaction SECPOL):

SPRO entry for security policies

On the next screen create the needed security polices as definition (identifier and description):

Create security policy

Select one of the policies, to set the detailed attributes per policy:

ADMIN security policy attributes

In this example the policy for ADMIN is set more strict than the system settings. Setting it less strict than the password rules set in the system profile is not allowed.

Assign security policy to user

In SU01 on the tab Logon Data you can now assigned the appropriate Security Policy for the user:

Security policy assignment in user data

Different use case for security policies

There is a second use case for security policies: in the new netweaver releases you can set parameter to lock out users for maintenance rather than locking them in SU01 or SU10. For more information read this blog.

 

SAP password hash hacking Part III: SAP PWDSALTEDHASH hash hacking

This blog series will explain the process of hacking SAP password hashes: also know as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be explained.

In this third blog we will continue with more complex attacks on the SAP password hashes and will also explain more preventive measures. Now we focus on the SAP PWDSALTEDHASH hash.

For the first blog on attacking the SAP BCODE hash click here.

For the second blog on attacking the SAP PASSCODE has click here.

 

Questions that will be answered in this blog are:

  • How to get the PWDSALTEDHASH codes?
  • How does the dictionary attack work?
  • How does the dictionary combination attack work?
  • How does the dictionary with mask attack work?
  • What more can I do to prevent a password attack?

Getting the PWDSALTEDHASH codes

The testusers 1 to 5 have been given a new password and the security admin has done its job. This is what you see in USR02:

After clean up USR02

Double clicking on a line and scrolling down will give you the PWDSALTEDHASH field content:

pwdsaltedhash from USR02

Getting many is too much work. For this you can use code of the program ZFETCH_PWDSALTEDHASH below:

*&--------------------------------------------------------------------*
*& Report ZFETCH_PWDSALTEDHASH
*&--------------------------------------------------------------------*

 REPORT ZFETCH_PWDSALTEDHASH.
 
 DATALV_USR02 TYPE USR02.
 DATALV_STRING TYPE STRING.
 
 SELECT FROM USR02 INTO LV_USR02.
   CONCATENATE LV_USR02-BNAME '$' 
     LV_USR02-PWDSALTEDHASH INTO LV_STRING.
   WRITE:/ LV_STRING.
 ENDSELECT.

The output for our testusers is now:

Testuser PWDSALTEDHASH hashes

You need to save the part from {x-issha etc in a new file. The user ID in front is not needed. It is just needed in case you decrypt a password from a hash to go find the user ID.

The dictionary attack

We still assume that there is a very strict policy on strong password:

  • Minimum length 10
  • Minimum 1 upper, lower, digit and special

Since the admin has cleaned up the BCODE we have no idea on the first 8 characters now.

The trick we will use is the dictionary attack. We assume some of the users will use a password with the following rule:

  1. Take a word
  2. Capitalize first letter, rest is small
  3. Add a digit
  4. Add a special character

As input file for this attack we take all word from the Webster Dictionary: webster dictionary file.

We now go back to our Hahscat directory on C:\HC and give following command:

hashcat64 -a 6 -m 10300 -p : --session=all --force -o "C:\HC\users_found.txt" --outfile-format=3 --markov-disable --remove -u 128 --gpu-temp-abort=80 --gpu-temp-retain=70 "C:\HC\pwdsaltedhash testusers.txt" "C:\HC\webster-dictionary.txt" ?d?s

Command explanation: attack mode 6 for dictionary attack and 10300 for SAP PWDALSTEDHASH format.

And now hashcat is showing is parallelization power:

dictionary attack

To test all the combinations on the 5 users only 30 minutes are needed, with almost 200.000 tries per second.

2 passwords were found: TESTUSER1 with password Theobald1! and TESTUSER5 with password Tetrazotization5{.

Especially the last one is striking: this is normally not considered a simple password: Tetrazotization5{. But because it appears in a dictionary it is relative simple to retrieve.

Combination attack with dictionary

To really show the speed, we will now perform the combination attack explained in the previous blog again. We will use the dictonary in combination with the popular extension file. Command to give:

hashcat64 -a 1 -m 10300 -p : --session=all --force -o "C:\HC\testusers_found.txt" --outfile-format=3 --remove -u 128 --gpu-temp-abort=80 --gpu-temp-retain=70 "C:\HC\pwdsaltedhash testusers.txt" "C:\HC\webster-dictionary.txt" "C:\HC\Popular extensions.txt"

And now the performance and speed is even higher:

combination dictionary

2 out of 3 remaining passwords were found in 1 minute only!

TESTUSER2 with Themis2018! and TESTUSER3 with Vacation123!

Dictionary with mask attack

For the last to be found password, we will use the dictionary with mask attack.

Command to give:

hashcat64 -a 6 -m 10300 -p : --session=all --force -o "C:\HC\testusers_found.txt" --outfile-format=3 --markov-disable --remove -u 128 --gpu-temp-abort=80 --gpu-temp-retain=70 "C:\HC\pwdsaltedhash testusers.txt" "C:\HC\webster-dictionary.txt" ?a?a

We try with 2 random characters after the word. After some time nothing. Then we increase to 3 characters:

hashcat64 -a 6 -m 10300 -p : --session=all --force -o "C:\HC\testusers_found.txt" --outfile-format=3 --markov-disable --remove -u 128 --gpu-temp-abort=80 --gpu-temp-retain=70 "C:\HC\pwdsaltedhash testusers.txt" "C:\HC\webster-dictionary.txt" ?a?a?a

It runs for 4 hours with about 200.000 guesses per second:

dictionary mask attack

And it finally finds the last password: TESTUSER4 with Organoid1@#

Dictionaries

The example above is just one dictionary. Also think about dictionaries with names of persons, football clubs, cities and countries, etc. Largest dictionary so far is called the Wikipedia dictionary. It is about 250 MB large and contains all the unique words used on Wikipedia.

Preventive measures

Preventive measure 1: user education

Educate your users not to take a dictionary word directly and only add a digit letter.

Especially power users, like basis and user administrators, should really receive this education. Don’t assume they know. 90% of them does not, or even hands out passwords like Welcome2018!

Preventive measure 2: extra strong passwords for background and power users

You can set extra strong password requirements for background users and power users (basis and user administrators). This can be done by setting up specific security policies. This is explained in this blog.

Next blog

The next blog will focus on rule based attack mode, which is one of the most effective methods.