This blog will explain how to set up SAP batch job interception.
Questions that will be answered in this blog are:
How to activate SAP batch job interception?
What does an intercepted job look like?
Activating SAP batch job interception
Before you can begin the setup of the batch job interception you must run program INITXBP2 in SE38:
Next you have to start transaction CRIT and create the profiles.
First create the default SAP profile by clicking on the SAP logo and activate it. The next step is to create the profile in which you want to do the interception: in the screen above click on the create profile button. Now enter a criterion; for simplicity we have called it interception. In our case we intercept everything except jobs from a list of authorized users. In the user list we include the basis users and the background users (in this example WF-BATCH). Save the data.
Next step is to activate this profile:
Working of interception
When a batch job is planned, the interception checks whether the job should be intercepted or not. As a test, log on as an end user and launch a job. In our case the user ENDUSER tries to launch a job from transaction SLG2 to delete application logs. This job is intercepted and appears like this in SM37:
The job does not start immediately, but is shown in intercepted state. A user with release rights can now go to SM37 for this job and release the intercepted job.
This blog focuses on SAP mail sending tips and tricks.
Questions that will be answered are:
How can I add a disclosure to the mails I send from non-productive systems?
How do I restrict access to transaction SOST?
Which batch job to plan for sending mails?
How can I send encrypted or signed mails?
Is there a display only version of SCOT available?
How to send a hyperlink in a mail using ABAP?
Adding a disclosure to mails from development and test systems
If you want to send mails from development and test systems, but don’t want any risk that they are mistaken for productive mails, you can add a disclosure to the mail.
In SOST mail settings go to the disclosure function:
Or you can go directly there using the SODIS transaction.
In SODIS you key in the disclosure text:
If you want you can test for any mail address if the disclosure will be shown or not by using the Routing Test function:
When sending mails from the SAP system, the receiver now gets the disclosure. The real mail is pushed as text into an attachment of the mail (see OSS note 2842085 – Email body becoming to attachment in receiver side). You need to open the attachment to see the body of the mail. Hyperlinks in the body will still work.
Restricting access to SOST transaction: give SOSG access
As admin you might want to restrict access to transaction SOST. This transaction is also often used by functional consultants to see whether their mail was sent or not. Access to SOST, however, also grants all functions such as deleting and stopping mails. What you can do is fully restrict access to SOST and grant the functional consultants access to transaction SOSG to display the mail status. It looks the same as SOST, but has additional authorization checks. See also OSS note 2351372 – User access to transactions SOST, SOSV, SOSG and SOSB.
SAP mail sending can also use read receipts. Sometimes this is wanted, but usually it is not. More about read receipts is explained in OSS note 2161462 – How does Read Receipt work in SAPConnect?
This blog will give technical tips & tricks on embedded search. Embedded search can run either directly on HANA or on a separate TREX server. It is assumed you know how to set up search in ESH_COCKPIT and know how the end user transaction ESH_SEARCH works.
Questions that will be answered in this blog are:
How do I set HANA default connection as embedded search location?
What to do after a system copy with embedded search?
How to reset the complete embedded search to initial state?
How to reset the embedded search buffer?
How to recreate the embedded search joins?
How to influence the package size of the search extraction?
How to check the backend part of the search?
How to deal with full text search issues?
How to deal with authority index issues?
How to deal with high load issues on TREX?
Activating search in S4HANA
If you are running S4HANA, you can use an STC01 task list to fully setup the search function. Read this blog on technical activation and this blog for FIORI search for full instructions. The remainder of the blog below can be used in case of issues.
Setting the search connection to use HANA default database connection
If you are running the HANA database for ECC, you can use the HANA default primary database connection for the search setup. This is easier in maintenance: no extra TREX needed and no extra secondary DB connection. Search will of course consume extra memory and CPU on the HANA database.
To set this up run program ESH_ADM_SET_TREX_DESTINATION and select the Use HANA Primary DB connection option.
When things have gone beyond repair, you can log on to client 000, start transaction STC01 and run task list SAP_ESH_RESET.
Important: write down (or take screenshots of) the connectors and settings that were active before running this task list. It really wipes out all connectors and settings.
With program ESH_SET_INDEXING_PACKAGESIZE you can set the package size for indexing per object. You can lower the size for large objects to avoid memory issues while indexing. Symptoms of such issues are dumps like SYSTEM_NO_ROLL / LOAD_NO_ROLL / TSV_TNEW_PAGE_ALLOC_FAILED / SYSTEM_NO_SHM_MEMORY.
To check whether a search issue is related to application coding or to the search setup, you can run program ESH_TEST_SEARCH (also available as transaction code ESH_TEST_SEARCH). This program lets you test the search independently of any search front end programming.
If you are having issues with full text search, please check OSS note 2280372 – How to check Full Text search issues. This note focuses on full text search issues in relation to solution manager CHARM, but the methods described can be used just as well for analyzing other full text search issues.
While indexing you might run into authorization indexing issues. The first step is to repeat the indexing with sufficient rights attached to your user ID. Then run program ESH_ADM_RECALC_AUTHS to force the recalculation of the authorizations.
In newer versions the TrexViaDbsl analysis tool is already available. Otherwise apply OSS note 2690982 – TrexViaDbsl Analysis Tool in ABAP. Then in SA38 you can launch program RHANA_TREXVIADBSL_ANALYZER to start the analysis tool:
This blog will explain the use of security policies in user maintenance.
Questions that will be answered are:
Why to use security policies?
How to setup security policies?
How to assign a security policy to a user?
Why to use security policies?
Security policies can be used to set stricter password rules on critical user IDs such as the system administrators, user administrators and background users. This is one of the measures to avoid password attacks as explained in the password hash hacking blogs.
How to setup security policies?
Security policies can be setup in customizing under the following node (or by using transaction SECPOL):
On the next screen create the needed security policies as definitions (identifier and description):
Select one of the policies to set the detailed attributes per policy:
In this example the policy for ADMIN is set stricter than the system settings. Setting it less strict than the password rules set in the system profile is not allowed.
Assign security policy to user
In SU01 on the tab Logon Data you can now assign the appropriate Security Policy to the user:
There is a second use case for security policies: in the newer NetWeaver releases you can set a parameter to lock out users for maintenance rather than locking them in SU01 or SU10. For more information read this blog.
This blog series will explain the process of hacking SAP password hashes, also known as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be described.
In this third blog we will continue with more complex attacks on the SAP password hashes and will also explain more preventive measures. Now we focus on the SAP PWDSALTEDHASH hash.
For the first blog on attacking the SAP BCODE hash click here.
For the second blog on attacking the SAP PASSCODE hash click here.
For the follow-up blog on improving attack speed by applying a rule-based attack, click here. Further follow-up blogs cover optimizing the attack and extended word lists.
Questions that will be answered in this blog are:
How to get the PWDSALTEDHASH codes?
How does the dictionary attack work?
How does the dictionary combination attack work?
How does the dictionary with mask attack work?
What more can I do to prevent a password attack?
Getting the PWDSALTEDHASH codes
Test users 1 to 5 have been given new passwords and the security admin has done their job. This is what you see in USR02:
Double clicking on a line and scrolling down will give you the PWDSALTEDHASH field content:
Collecting many hashes by hand is too much work. For this you can use the code of program ZFETCH_PWDSALTEDHASH below:
```abap
*&--------------------------------------------------------------------*
*& Report ZFETCH_PWDSALTEDHASH
*&--------------------------------------------------------------------*
REPORT ZFETCH_PWDSALTEDHASH.

DATA: LV_USR02  TYPE USR02.
DATA: LV_STRING TYPE STRING.

SELECT * FROM USR02 INTO LV_USR02 WHERE PWDSALTEDHASH NE SPACE.
  CONCATENATE LV_USR02-BNAME '
```
The output for our testusers is now:
You need to save the part starting at {x-issha into a new file. The user ID in front is not needed; it is only useful for finding the user ID once a password has been recovered from a hash.
The dictionary attack
We still assume that there is a very strict policy on strong passwords:
Minimum length 10
Minimum 1 upper, lower, digit and special
Since the admin has cleaned up the BCODE, we now have no idea about the first 8 characters.
The trick we will use is the dictionary attack. We assume some of the users will build a password by the following rule:
Take a word
Capitalize the first letter, rest lowercase
Add a digit
Add a special character
As input file for this attack we take all words from the Webster Dictionary: webster dictionary file.
We now go back to our Hashcat directory on C:\HC and give the following command:
Command explanation: attack mode 6 for the dictionary attack and 10300 for the SAP PWDSALTEDHASH format.
And now hashcat is showing its parallelization power:
Testing all the combinations against the 5 users takes only 30 minutes, at almost 200.000 tries per second.
2 passwords were found: TESTUSER1 with password Theobald1! and TESTUSER5 with password Tetrazotization5{.
Especially the last one is striking: Tetrazotization5{ is normally not considered a simple password. But because the word appears in a dictionary, it is relatively simple to retrieve.
Combination attack with dictionary
To really show the speed, we will now perform the combination attack explained in the previous blog again, this time using the dictionary in combination with the popular extension file. The command to give:
It runs for 4 hours with about 200.000 guesses per second:
And it finally finds the last password: TESTUSER4 with Organoid1@#.
Dictionaries
The example above uses just one dictionary. Also think about dictionaries with names of persons, football clubs, cities and countries, etc. The largest dictionary so far is called the Wikipedia dictionary. It is about 250 MB large and contains all the unique words used on Wikipedia.
Preventive measures
Preventive measure 1: user education
Educate your users not to take a dictionary word directly and only add a digit or special character.
Especially power users, like basis and user administrators, should really receive this education. Don’t assume they know. 90% of them do not, or even hand out passwords like Welcome2018!
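As an added example that is not part of the original blog, the following Python check can be run over a candidate password before it is set for a power user: it applies the profile rules from above (length 10, all four character classes) and then tests whether the candidate is merely a capitalized dictionary word with a digit/special suffix, or a word plus one of the popular extensions used in the combination attack. The word list and extension list are small constructed stand-ins for the Webster and popular-extension files the blog uses.

```python
import string

# Constructed stand-in for the Webster word list; a real check would load
# the same dictionary files an attacker would feed to hashcat.
DICTIONARY = {"theobald", "tetrazotization", "organoid", "welcome", "password"}
# Constructed stand-in for the "popular extension" file of the combination attack.
POPULAR_EXTENSIONS = {"1", "!", "1!", "123", "2018!", "1@#"}

# Characters a user typically appends to turn a word into a "strong" password.
DECORATIONS = string.digits + string.punctuation


def dictionary_core(password):
    """Strip the trailing digits/specials an attacker appends and lowercase the
    rest, recovering the bare word a dictionary attack would have tried.
    Returns (core, suffix)."""
    core = password.rstrip(DECORATIONS)
    return core.lower(), password[len(core):]


def check_password(password, min_length=10):
    """Return a list of findings; an empty list means the candidate passes both
    the profile-style rules and the dictionary-pattern checks."""
    findings = []
    if len(password) < min_length:
        findings.append("shorter than %d characters" % min_length)
    present = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    missing = [name for name, ok in present.items() if not ok]
    if missing:
        findings.append("missing character class: " + ", ".join(missing))
    core, suffix = dictionary_core(password)
    if core in DICTIONARY:
        if suffix in POPULAR_EXTENSIONS:
            findings.append("dictionary word plus popular extension")
        else:
            findings.append("dictionary word plus digit/special suffix")
    return findings


if __name__ == "__main__":
    # The blog's cracked passwords all fail; a random-looking one passes.
    for pw in ("Tetrazotization5{", "Welcome2018!", "Organoid1@#", "Tb7$kQ9!mZ2p"):
        print(pw, "->", check_password(pw) or ["ok"])
```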
Preventive measure 2: extra strong passwords for background and power users
You can set extra strong password requirements for background users and power users (basis and user administrators). This can be done by setting up specific security policies. This is explained in this blog.
Preventive measure 3: stronger hashes
By creating stronger hashes, the attackers need more time. It will not stop them, but it slows them down. Read more on setting stronger hashes in this dedicated blog.
Next blog
The next blog will focus on the rule-based attack mode, which is one of the most effective methods.