Enabling ATC for remote checks

By using a Netweaver 7.52 server (or newer) you can use that server as a central ATC server for running the ATC. For an explanation of ATC itself, please check this blog.

Questions that will be answered in this blog are:

  • What are reasons for running remote ATC checks?
  • How to set up remote ATC checks?
  • Which limitations do remote ATC checks have?

Reasons for running remote ATC checks

There are several reasons why you might want to do this:

  • Run ATC against an old 7.00/7.01/7.02 system, where ATC is not delivered by SAP
  • Run ATC for S4HANA Readiness checks (see blog)
  • Run the latest ATC checks and you want to use the new baseline function (see blog)
  • Run the ATC tool centrally when you have more development systems, but still want to maintain the ruleset only once

Consider very carefully if the benefits you are looking for are worth the setup work below.

The master OSS note for the remote checks is 2375864 – ATC: Remote Checks – Developer Scenario.

Central system

First of all you need a 7.52 or higher system. This might already be a big stumbling block if you don’t have this. In past blogs and notes you might find it works for 7.51 as well, but this will have severe limitations. For example the S4HANA Readiness checks only work properly on 7.52.

Read note 2364916 – Recommended SAP Notes for using ATC to perform remote analysis. Go to the section of the central check system for your version and see which OSS notes you need to apply to solve the known bugs.

Checked system

The master note 2375864 – ATC: Remote Checks – Developer Scenario contains the OSS notes to be applied for the older versions. For the newer versions OSS note 2190065 – ATC/CI: Remote Code Analysis – Object Provider Stub is needed.

This looks like a simple action, but it is not. It will pull in dependent OSS notes. One of these notes is the key OSS note 2270689 – Remote Analysis (for source system). This note contains references to the notes to apply.

Notes referred to in note 2270689 can be HUGE OSS notes. Downloading can take 15 to 20 minutes and will result in a time-out dump if you have the standard 10 minutes set. Ask the basis team to set rdisp/max_wprun_time and rdisp/scheduler/prio_high/max_runtime to 30 minutes for you to be able to download this note.

Per checked system you will need an RFC connection from the central system to the checked system.

To initialize the remote check per checked system you must run program RS_ABAP_INIT_ANALYSIS:

RS_ABAP_INIT_ANALYSIS

Also run this program in the central system!

Configuring the central system

Start transaction ATC and go to the setup menu to set the system role:

System role menu

Select here the second option to make it a central system:

Set central system role

Then go to the menu for setting up the object providers:

Object providers

First create a group:

System group

Then fill the RFC object providers:

RFC object provider link to RFC connection

The vital element here is the RFC connection that you have created from the central system to the local system.

In the central system, test the connection in SM59 to make sure it is working properly. Also make sure that the user in the checked system has sufficient RFC rights to execute the remote ATC checks.

Setup the SCI variant for remote execution

In the central system set up the SCI variant for remote execution.

Be aware of one of the major limitations here: you can only select the checks that SAP has enabled for RFC-based checking:

Central SCI based on RFC

Remote ATC run execution

In the central system now define the ATC to run:

Remote ATC check definition

Important here:

  • The check variant has to be defined in the central system
  • The variant runs against the selected object provider you have just defined

After the first run you will most likely get check tool failures:

Check tool failures

Read the failures carefully and solve them one by one.

End result

The end result is the same as with the local system. By clicking on the code you will jump from central to checked system.

Bug fixes

Bug fix notes:

Keep end users out of the system during maintenance

This blog will explain an elegant new way to keep end users out of the system during maintenance.

Questions that will be answered are:

  • How does the login/server_logon_restriction parameter work?
  • How do I assign the right to logon during maintenance?

Traditional ways of keeping users out of the system during maintenance

The traditional way of keeping users out of the system is by locking the users, either via SU10 or via a custom-built program.

Major setbacks of both methods:

  • Locking and unlocking takes time
  • In the user history you see constant lock and unlocks that you need to explain to auditors

New login/server_logon_restriction parameter

In more recent SAP systems (7.5 and up) there is a new parameter called login/server_logon_restriction (the official OSS note is 1891583 – Restricting logon to the application server).

RZ11 parameter login server_logon_restriction

If you set this to 1 then only people with the right privilege can log on to the system. The parameter is immediately effective. All non-privileged users will get this error when they try to log on to the system:

Server restricted logon

After the system maintenance you can set the parameter back to normal and everybody can log on again. User history is not touched.

Be aware this is a dynamically switchable parameter. If you set the value to 1 and need to restart the system during your maintenance the value after restart is back to 0, which means everybody can log on again.

How to assign the privilege to log on to basis administrators?

First you need to create or extend the user security policy for basis admins using transaction SECPOL. Add the policy attribute SERVER_LOGON_PRIVILEGE and set it to value 1.

SECPOL SERVER_LOGON_PRIVILEGE

Now you can add this security policy to all basis team members in SU01:

Assign security policy ADMIN to user

All persons with security policy ADMIN are now still allowed to log on during the maintenance when parameter login/server_logon_restriction is set to 1 in RZ11.

Other use of security policies

Security policies can also be used to enhance security of specific user groups (like basis team). See this blog for more on this feature.

Text on logon screen before and after logon

This blog will explain how to get text on the SAP logon screen before users logon and on the screen after users logon.

If you want to load a picture after the logon screen, please read this blog

Questions that will be answered are:

  • How to add a text to the logon screen?
  • How to include icons?
  • How to put a text after the logon screen instead of a picture?
  • How to put a clickable URL in the text after the logon screen?

Setting text before logon

The text to be shown before logon is maintained via transaction SE61. Select General text and for the name select ZLOGIN_SCREEN_INFO.

SE61 ZLOGIN_SCREEN_INFO

Now press change:

ZLOGIN_SCREEN_INFO text

Enter the text you want to show to the users.

If you want to show SAP icons in the text, start transaction SE38 and run program RSTXICON. Run it as an ABAP list. Look for the icon you want and look up its code. Place it between two @ symbols.

End result looks like this:

ZLOGIN_SCREEN_INFO result

Official OSS note is 205487 – Custom text on SAP GUI logon screen.

Adding a text after the logon screen

After the logon screen you can either add a picture or a web URL, but no text or text with a hyperlink. To achieve this we will do a small development trick: we put the text on a Web Dynpro page and add the Web Dynpro page as the URL for the start screen.

First develop the web dynpro in SE80:

ZSTARTPAGE webdynpro

We will call the web dynpro ZSTARTPAGE. In our example there is a text (caption) and a LinkToUrl. The LinkToUrl has a text and a hyperlink and will show as a clickable element to the user. Save and generate the web dynpro. Test the web dynpro and note down the URL of the web dynpro.

Start transaction SM30_SSM_CUST to maintain the customizing for logon screen and other items. In the parameter SESS_URL fill out the web dynpro URL. If the parameter SESS_URL does not yet exist, just create it.

Also make sure the logon picture is not hidden (see OSS note 1387086 – HTML viewer in SAP Easy Access screen):

The end result will look like this:

Text after logon including hyperlink

Depending on the security settings of the system you might need to tweak the SICF node of the web dynpro to suppress a password popup.

You can also integrate SO10 SAP script text. For more information on how to achieve this, read this blog.

SAP batch job interception

This blog will explain how to setup SAP batch job interception.

Questions that will be answered in this blog are:

  • How to activate SAP batch job interception?
  • What does an intercepted job look like?

Activating SAP batch job interception

Before you can begin the setup of the batch job interception you must run program INITXBP2 in SE38:

Program INITXBP2

Next you have to start transaction CRIT and create the profiles.

Transaction CRIT to manage job interception criteria

First create the default SAP profile by clicking on the SAP logo. Activate it. The next step is to create the profile in which you want to do the interception. In the screen above click on the create profile button. Now enter the criteria. For simplicity we have called it interception. In our case we intercept all jobs except those of a list of authorized users. In the user list we include the basis users and the background users (in this example WF-BATCH). Save the data.

Next step is to activate this profile:

Activate interception profile

Working of interception

When a batch job is planned, the interception checks if the job should be intercepted or not. As a test, log on as an end user and launch a job. In our case the user ENDUSER tries to launch a job from transaction SLG2 to delete application logs. This job is intercepted and shows like this in SM37:

Intercepted job

The job does not start immediately, but shows in intercepted state. If a user with release rights now goes to SM37 for this job, he can release the intercepted job.

SAP mail sending tips & tricks

This blog focuses on SAP mail sending tips and tricks.

Questions that will be answered are:

  • How can I add a disclosure to the mails I send from non-productive systems?
  • How do I restrict access to transaction SOST?
  • Which batch job to plan for sending mails?
  • How can I send encrypted or signed mails?
  • Is there a display only version of SCOT available?
  • How to send hyperlink in mail using ABAP?

Adding a disclosure to mails from development and test systems

If you want to send mails from development and test systems, but don’t want any risk that it looks like a productive mail, you can add a disclosure to the mail.

In SOST mail settings go to the disclosure function:

SOST to SODIS link

Or you can go directly there using the SODIS transaction.

In SODIS you key in the disclosure text:

SODIS disclosure

If you want you can test for any mail address if the disclosure will be shown or not by using the Routing Test function:

SODIS routing test

When sending mails from the SAP system the receiver now gets the disclosure. The real mail is pushed as text in the attachment of the mail (see OSS note 2842085 – Email body becoming to attachment in receiver side). You need to open the attachment to see the body of the text. Hyperlinks in the body will still work.

Restricting access to SOST transaction: give SOSG access

As admin you might want to restrict access to transaction SOST. This transaction is also often used by functional consultants to see if their mail is sent or not. When having access to SOST, all functions like deletion and stopping of mails are also granted. What you can do is fully restrict access to SOST and grant the functional consultants access to transaction SOSG to display the mail status. It looks the same as SOST, but has additional authorization checks. See also OSS note 2351372 – User access to transactions SOST, SOSV, SOSG and SOSB.

To allow sending of mail in SOSG, follow instructions from OSS note 2573586 – “Send” function greyed out in transaction SOSG.

Batch job for mail sending

For sending mail, you need to schedule batch job RSCONN01 with variant SAP&CONNECTINT. See OSS note 1912890 – Stuck email messages on SOST – RSCONN01 client dependent.

Mail read receipts

SAP mail sending can also use read receipts. This might be wanted, but most of the time it is not wanted. More about read receipts is explained in OSS note 2161462 – How does Read Receipt work in SAPConnect?

To suppress it follow the instructions in OSS note 1607686 – Suppressing read notification requests.

Mail send restrictions based on user group

If you want to restrict mail sending based on user group, follow the instructions from OSS note 2623113 – How to limit e-mails by Sender Group in SCOT.

Mail encryption and signature

Start program RSCONN05 to set the mail signature and encryption settings. More background in OSS note 149926 – Secure e-mail: Encryption, digital signature.

Guided answers

See OSS note 3225275 – BC-SRV-COM Guided Answer for guided answers on mail setup.

Sending hyperlink in mail

If you have a requirement to send working hyperlinks in mails coming from SAP, read this blog on how to do this using custom ABAP code.

Increasing the SMTP password length

See note 2363295 – Password for SMTP authentication is too short for increasing SMTP password length.

SAP TREX and HANA embedded search technical tips and tricks

This blog will give technical tips & tricks on embedded search. Embedded search can run either on HANA directly or on a separate TREX server. It is assumed you know how to set up search in ESH_COCKPIT and know how the end user transaction ESH_SEARCH works.

Questions that will be answered in this blog are:

  • How do I set HANA default connection as embedded search location?
  • What to do after a system copy with embedded search?
  • How to reset the complete embedded search to initial state?
  • How to reset the embedded search buffer?
  • How to recreate the embedded search joins?
  • How to influence the package size of the search extraction?
  • How to check backend part of search?
  • How to deal with full text search issues?
  • How to deal with authority index issues?
  • How to deal with high load issues on TREX?

Activating search in S4HANA

If you are running S4HANA, you can use an STC01 task list to fully setup the search function. Read this blog on technical activation and this blog for FIORI search for full instructions. The remainder of the blog below can be used in case of issues.

Setting the search connection to use HANA default database connection

If you are running ECC on a HANA database you can use the HANA default primary database connection for the search setup. This is easier in maintenance: no extra TREX needed, no extra secondary DB connection. Search will of course consume extra memory and CPU on the HANA database.

To set this up run program ESH_ADM_SET_TREX_DESTINATION and select the Use HANA Primary DB connection option.

Notes:

Task list to run after system copy

After you copy a system the search will not immediately work. In client 000 start transaction STC01 and run task list SAP_ESH_ADJUST_AFTER_COPY. See also OSS note 2479611 – Error message: “Current system is a copy of another system”. See also note 2583055 – ESH_ADM_MSG281 error when run the task list SAP_ESH_ADJUST_AFTER_COPY on client 000 after the system copy. And read note 3243784 – Invalid value 10.000 when assigning values of parameter P_PACKS in report ESH_IX_CRT_INDEX_OBJECT_TYPE.

Resetting all settings to initial

When things have really gone beyond repair, you can log on to client 000, start transaction STC01 and run task list SAP_ESH_RESET.

Important: write down (or make screen shots) on the connectors and settings that were active before running this task list. It will really wipe out all connectors and settings.

More information can be found in OSS note 2626143 – How to execute SAP_ESH_RESET.

Resetting the buffer

Run program ESH_REFRESH_RUNTIME_BUFFER in the working client to reset the TREX buffer.

Bug fix note: 2947055 – CDS activation: Runtime error in report ESH_REFRESH_RUNTIME_BUFFER. And 3253863 – CDS: Timeout error during execution of report ESH_REFRESH_RUNTIME_BUFFER.

Recreation of join indexes

Run program ESH_RECREATE_ALL_JOIN_INDICES in the working client to recreate the join indexes. See also OSS note 2112153 – How to recreate ESH join indexes which are corrupted in TREX.

Influencing package sizing per object

With program ESH_SET_INDEXING_PACKAGESIZE you can set the package size for indexing per object. You can lower the size for large objects to avoid memory issues while indexing. Issues can be dumps on SYSTEM_NO_ROLL / LOAD_NO_ROLL / TSV_TNEW_PAGE_ALLOC_FAILED / SYSTEM_NO_SHM_MEMORY.

See these OSS notes:

Check backend part of search

To check if a search issue is related to application coding or is related to search setup, you can run program ESH_TEST_SEARCH (with same transaction code ESH_TEST_SEARCH). This program gives you options to test the search independent of any programming of search front end.

Bug fix OSS note: 2972790 – ESH_TEST_SEARCH – value help for attribute search: Values are not transferred case-sensitively.

Full text search issues

If you are having issues with full text search, please check OSS note 2280372 – How to check Full Text search issues. This note is focusing on full text search issues in relation to solution manager CHARM, but the methods described can be used as well for analyzing other full text search issues.

Setting the extraction user ID

Use program ESH_EX_SET_EXTRACTION_USER or transaction ESH_EXTR_USER to set the user to be used for extraction. This includes the real time indexing. For more information see OSS note 2340298 – User Types and required authorizations for ESH extraction user. For issues see OSS note 2750997 – Error “Logon of user XYZ in client xyz failed when starting a step” in ESH indexing job logs. And 2938916 – ESH extraction user – option “Generate User” – adjustment of password policy.

Bug fix OSS note: 2938916 – ESH extraction user – option “Generate User” – adjustment of password policy.

Authorization indexing issues

While indexing you might get authorization indexing issues. First step is to repeat with sufficient rights attached to your user ID. Then run program ESH_ADM_RECALC_AUTHS to force the recalculation of the authorizations.

If it does not help, you can read the very extensive OSS note 2472239 – Error message “Authorization indexing unsuccessful” when creating search connectors. And OSS note 2729739 – Error indexing search connectors: “Authorization indexing unsuccessful for object type USER_AUTHORITY”.

New option to partially skip the checks for indexing: 3088737 – Customizing option for completely deactivating authorization indexing for individual ESH authorization indexes.

Index preload

For some TREX issues index preload can be a solution. More information on index preload can be found in OSS note 2115082 – ESH Index Preload.

Python check script

For detailed check on TREX embedded search there is a special Python check script, which is not installed by default. The script can be downloaded as attachment from OSS note 2227741 – TREX 710: check of the TREX settings for the Enterprise/embedded Search scenario. Read OSS note 2344042 – How to execute python script check_esh.py on how to install and run the script.

TREX memory issues

If you are seeing high memory consumption in TREX, please check OSS note 2540240 – High Memory and Indexing problems in TREX.

TREX high load issues

If you are experiencing high load issues, consider increasing the number of threads. Reference OSS note: 1065406 – BWA: Raise number of TREXRfcServer threads.

TrexViaDbsl Analysis Tool in ABAP

In newer versions this tool is available. Otherwise apply OSS note 2690982 – TrexViaDbsl Analysis Tool in ABAP. Then in SA38 you can launch program RHANA_TREXVIADBSL_ANALYZER for the analysis tool:

TrexViaDbsl Analysis Tool in ABAP

A more detailed explanation is given in OSS note 2800048 – FAQ: SAP HANA TREXviaDBSL.

TREX jobs

See OSS note 3169829 – When and how the job ESH<Client>IX_<System SID><Client>_* is created for the jobs TREX is creating on the ECC backend system:

  • ESH_IX_PROCESS_CHANGE_POINTERS/ESH_FU_DEMON,
  • ESH_IX_CRT_INDEX_OBJECT_TYPE
  • ESH_SE_CONNECTOR_MOD_BGD

TREX administration

For TREX administration read this dedicated blog.

Re-indexing and model update after upgrade

After an upgrade or support package, a model update is required. See OSS note 2468752 – Re-indexing after an application Upgrade.

Search speed for ECC

If you run ECC and use HANA as database, you can make use of SFW5 switch BSESH_HANA_SEARCH to speed up the search using HANA based features.

Special use cases

SAP solution manager documentation

If you have search issues with SAP solution manager documentation, there is a special OSS note 2608454 – FAQ: How to handle issues with the (embedded) search functionality in the context of Solution Documentation. This OSS note also contains the code for a special test program that checks all relevant settings for the solution documentation search function to work properly.

Use of security policies in user maintenance

This blog will explain the use of security policies in user maintenance.

Questions that will be answered are:

  • Why to use security policies?
  • How to setup security policies?
  • How to assign a security policy to a user?

Why to use security policies?

Security policies can be used to set more strict password rules on critical user ID’s like the system administrators, user administrators and background users. This is one of the measures to avoid password attacks as explained in the password hash hacking blogs.

How to setup security policies?

Security policies can be setup in customizing under the following node (or by using transaction SECPOL):

SPRO entry for security policies

On the next screen create the needed security policies as definition (identifier and description):

Create security policy

Select one of the policies, to set the detailed attributes per policy:

ADMIN security policy attributes

In this example the policy for ADMIN is set more strict than the system settings. Setting it less strict than the password rules set in the system profile is not allowed.

Assign security policy to user

In SU01 on the tab Logon Data you can now assign the appropriate Security Policy to the user:

Security policy assignment in user data

Unfortunately the Security Policy cannot be made a mandatory field. See OSS note 2890297 – Assigning SECPOL policies as a mandatory field for user creation/modification.

Different use case for security policies

There is a second use case for security policies: in the new Netweaver releases you can set a parameter to lock users out during maintenance rather than locking them in SU01 or SU10. For more information read this blog.

Background OSS notes

Relevant OSS notes:

SAP password hash hacking Part III: SAP PWDSALTEDHASH hash hacking

This blog series will explain the process of hacking SAP password hashes, also known as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be explained.

In this third blog we will continue with more complex attacks on the SAP password hashes and will also explain more preventive measures. Now we focus on the SAP PWDSALTEDHASH hash.

For the first blog on attacking the SAP BCODE hash click here.

For the second blog on attacking the SAP PASSCODE hash click here.

For the follow-up blog on improving attack speed by applying a rule-based attack, click here. And the blog on optimizing the attack. And the blog on extended word lists.

Questions that will be answered in this blog are:

  • How to get the PWDSALTEDHASH codes?
  • How does the dictionary attack work?
  • How does the dictionary combination attack work?
  • How does the dictionary with mask attack work?
  • What more can I do to prevent a password attack?

Getting the PWDSALTEDHASH codes

The testusers 1 to 5 have been given a new password and the security admin has done its job. This is what you see in USR02:

After clean up USR02

Double clicking on a line and scrolling down will give you the PWDSALTEDHASH field content:

pwdsaltedhash from USR02

Getting many this way is too much work. For this you can use the code of the program ZFETCH_PWDSALTEDHASH below:

*&--------------------------------------------------------------------*
*& Report ZFETCH_PWDSALTEDHASH
*&--------------------------------------------------------------------*
*& Lists every user that has a PWDSALTEDHASH: one line per user with
*& the user ID, a separator and the hash string.
 REPORT ZFETCH_PWDSALTEDHASH.
 DATA LV_USR02 TYPE USR02.
 DATA LV_STRING TYPE STRING.
 SELECT * FROM USR02 INTO LV_USR02 WHERE PWDSALTEDHASH NE SPACE.
*  The separator literal is cut off in the page; a space is used here.
   CONCATENATE LV_USR02-BNAME LV_USR02-PWDSALTEDHASH INTO LV_STRING SEPARATED BY SPACE.
   WRITE: / LV_STRING.
 ENDSELECT.

The output for our testusers is now:

Testuser PWDSALTEDHASH hashes

You need to save the part from {x-issha etc. in a new file. The user ID in front is not needed. It is only needed to find the user ID once a password has been recovered from a hash.

The dictionary attack

We still assume that there is a very strict policy on strong passwords:

  • Minimum length 10
  • Minimum 1 upper, lower, digit and special

Since the admin has cleaned up the BCODE we have no idea on the first 8 characters now.

The trick we will use is the dictionary attack. We assume some of the users will use a password with the following rule:

  1. Take a word
  2. Capitalize first letter, rest is small
  3. Add a digit
  4. Add a special character

As input file for this attack we take all words from the Webster Dictionary: webster dictionary file.

We now go back to our Hashcat directory on C:\HC and give following command:

hashcat64 -a 6 -m 10300 -p : --session=all --force -o "C:\HC\users_found.txt" --outfile-format=3 --markov-disable --remove -u 128 --gpu-temp-abort=80 --gpu-temp-retain=70 "C:\HC\pwdsaltedhash testusers.txt" "C:\HC\webster-dictionary.txt" ?d?s

Command explanation: attack mode 6 for the dictionary attack and 10300 for the SAP PWDSALTEDHASH format.

And now hashcat is showing its parallelization power:

dictionary attack

To test all the combinations on the 5 users only 30 minutes are needed, with almost 200.000 tries per second.

2 passwords were found: TESTUSER1 with password Theobald1! and TESTUSER5 with password Tetrazotization5{.

Especially the last one is striking: Tetrazotization5{ is normally not considered a simple password. But because the word appears in a dictionary it is relatively simple to retrieve.

Combination attack with dictionary

To really show the speed, we will now perform the combination attack explained in the previous blog again. We will use the dictionary in combination with the popular extension file. Command to give:

hashcat64 -a 1 -m 10300 -p : --session=all --force -o "C:\HC\testusers_found.txt" --outfile-format=3 --remove -u 128 --gpu-temp-abort=80 --gpu-temp-retain=70 "C:\HC\pwdsaltedhash testusers.txt" "C:\HC\webster-dictionary.txt" "C:\HC\Popular extensions.txt"

And now the performance and speed is even higher:

combination dictionary

2 out of 3 remaining passwords were found in 1 minute only!

TESTUSER2 with Themis2018! and TESTUSER3 with Vacation123!

Dictionary with mask attack

For the last password still to be found, we will use the dictionary with mask attack.

Command to give:

hashcat64 -a 6 -m 10300 -p : --session=all --force -o "C:\HC\testusers_found.txt" --outfile-format=3 --markov-disable --remove -u 128 --gpu-temp-abort=80 --gpu-temp-retain=70 "C:\HC\pwdsaltedhash testusers.txt" "C:\HC\webster-dictionary.txt" ?a?a

We try with 2 random characters after the word. After some time nothing. Then we increase to 3 characters:

hashcat64 -a 6 -m 10300 -p : --session=all --force -o "C:\HC\testusers_found.txt" --outfile-format=3 --markov-disable --remove -u 128 --gpu-temp-abort=80 --gpu-temp-retain=70 "C:\HC\pwdsaltedhash testusers.txt" "C:\HC\webster-dictionary.txt" ?a?a?a

It runs for 4 hours with about 200.000 guesses per second:

dictionary mask attack

And it finally finds the last password: TESTUSER4 with Organoid1@#

Dictionaries

The example above is just one dictionary. Also think about dictionaries with names of persons, football clubs, cities and countries, etc. Largest dictionary so far is called the Wikipedia dictionary. It is about 250 MB large and contains all the unique words used on Wikipedia.

Preventive measures

Preventive measure 1: user education

Educate your users not to take a dictionary word directly and only add a single digit or letter.

Especially power users, like basis and user administrators, should really receive this education. Don’t assume they know. 90% of them do not, or even hand out passwords like Welcome2018!

Preventive measure 2: extra strong passwords for background and power users

You can set extra strong password requirements for background users and power users (basis and user administrators). This can be done by setting up specific security policies. This is explained in this blog.

Preventive measure 3: stronger hashes

By creating stronger hashes, the attackers need more time. It will not stop them, but slow them down. Read more on setting stronger hashes in this dedicated blog.

Next blog

The next blog will focus on rule based attack mode, which is one of the most effective methods.

SAP password hash hacking Part II: SAP PASSCODE hash hacking

This blog series will explain the process of hacking SAP password hashes, also known as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be explained.

In this second blog we will continue with more complex attacks on the SAP password hashes and will also explain more preventive measures. Now we focus on the SAP PASSCODE hash.

For the first blog on attacking the SAP BCODE hash click here.

Questions that will be answered in this blog are:

  • How to attack the PASSCODE from the BCODE?
  • How does the hybrid mask attack mode work?
  • How does the combination attack mode work?
  • What more can I do to prevent a password attack?

For the follow-up blog on hacking SAP PWDSALTEDHASH, click here.

For the follow-up blog on improving attack speed by applying a rule-based attack, click here. And the blog on optimizing the attack. And the blog on extended word lists.

How to attack the PASSCODE from the BCODE?

In the previous blog we have seen how easy it is to get the passwords from the BCODE. The BCODE captures the first 8 characters of the password in upper case. The other characters of the password are not stored in the BCODE, but in the full PASSCODE. If the password is of length 8 or below, you can already log on with the password found from the BCODE.

Now let’s assume the company password policy is:

  • Minimum password length is 10
  • Minimum 1 digit, 1 letter upper case, 1 letter lower case, 1 special

Pretty safe you might think.

We will use the previous 5 guessed test users. Their passwords from BCODE were: PASSWORD, LETMEIN, WELCOME, ILOVEYOU, STARWARS. We don’t know exactly which letters in the passwords are uppercase and which ones are lowercase. But we can make an educated guess here, which we store in a Notepad file:

Notepad bcode file with guesses

As you can see these are logical variations. Most people type a password with the first letter in upper case and the rest in lower case.

Getting the PASSCODE from USR02 table

We use one of the many methods to get the PASSCODE hash strings from the USR02 table:

PASSCODE from USR02

And we put this into a Notepad file with the user name and $ as separator:

Notepad passcodes

Hybrid mask attack

What we will do is use a so-called hybrid mask attack. This attack combines a word list with a pattern (mask).

The first pattern we will use takes the file with the BCODE guesses and appends a digit and a special character at the end.

To start the hacking process go to the CMD command prompt and proceed to the hashcat directory. Then key in this command:

hashcat64 -a 6 -m 7800 -p : --session=all -o "C:\HC\TestuserPassCodeHashes_found.txt" --outfile-format=3 --markov-disable --remove --gpu-temp-abort=80 "C:\HC\TestuserPassCodeHashes.txt" "C:\HC\BCODEinputfilewithguesses.txt" ?d?s

Explanation of the command: -m 7800 means the hashes are SAP PASSCODE. Output goes to the _found file. Input is the TestuserPassCodeHashes file. The text file with the guesses is then combined with ?d?s. This means: take every entry from the file and add first a digit, then a special character. This will then try for example Password1!, Password2!, …, Password1@, Password2@, etc.

Result (after 1 min or so):

Hybrid ds

Password found: Password1! for testuser1. The output is in the output file. And the found hash is removed from the input file.

Hybrid mask patterns

Some patterns that can be used:

?l = letter, small caps

?d = digit

?s = special

?a = all possible input characters

If we continue with our example: we will now not scan for the digit-special combination but for any combination of 2 characters. To do so, replace the ?d?s in the previous command with ?a?a.

After that we can run with ?a?a?a to find any combination with 3 characters at the end. Runtime: only 4 minutes:

Hybrid aaa

Only when we use ?a?a?a?a for 4 characters does the runtime increase noticeably, to 6 hours:

Hybrid aaaa

After these runs we have found: Welcome123! for testuser3, IloveYou@9 for testuser4 and Starwars99*& for testuser5.

Combination attack mode

The above method is fast and almost always guaranteed to work, but it will only work for short extensions. There is an even faster way, but this method has no full guarantee.

What we will do is construct a file with popular password extensions after the main word:

Popular extensions (the real file is much, much longer…)

We combine this file with the file of words already found from the BCODE part. Combining two files like this is called a combination attack.

To start the hacking process go to the CMD command prompt and go to the hashcat directory. Then key in this command:

hashcat64 -a 1 -m 7800 -p : --session=all -o "C:\HC\TestuserPassCodeHashes_found.txt" --outfile-format=3 --remove --gpu-temp-abort=80 --gpu-temp-retain=70 "C:\HC\TestuserPassCodeHashes.txt" "C:\HC\BCODEinputfilewithguesses.txt" "C:\HC\Popular extensions.txt"

The attack mode 1 means combination attack to combine the two files.

After running this mode the Testuser2 password pops up: Letmein2018).

And yes: years in passwords are pretty popular.

End result

End result after all the different attacks:

end result passcode

And it really didn't take a long time. One overnight session is sufficient.

The real-life sequence of cracking would be to start with the popular extensions to remove the quick wins. Then time can be spent on the hybrid mask attack: this attack goes faster when there is less input.

Preventive measures

Preventive measure 1: forbid simple password parts

By filling table USR40 you can forbid simple password parts to be used. Think about filling this table with words like:

  • Your company name
  • password
  • welcome
  • letmein
  • The current year
  • All the full names of the months (january, etc)
  • ….

For more inspiration see list of most used passwords on Wikipedia.
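The following Python is an added example, not code from the original blog. It models two things from this post: how many candidates the hybrid masks used above expand to (and why brute force over 8 random characters is out of reach at the rate quoted in Part I), and a USR40-style deny-list screen that rejects the stem-plus-extension passwords those runs recovered. The deny list, the company name "acme" and the 57,000 guesses/second rate are assumptions.

```python
import re

# Charset sizes hashcat uses for its built-in mask symbols (?a is the 95
# printable ASCII characters). The blog's "69" is the BCODE view, where
# letters are upper-cased: 26 letters + 10 digits + 33 specials.
MASK_CHARSET_SIZE = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}
BCODE_ALPHABET = 69
GUESSES_PER_SECOND = 57_000  # assumed: the BCODE rate quoted in Part I


def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask such as '?d?s' or '?a?a?a' expands to."""
    symbols = re.findall(r"\?([ludsa])", mask)
    if "".join("?" + s for s in symbols) != mask:
        raise ValueError(f"unsupported mask: {mask!r}")
    total = 1
    for s in symbols:
        total *= MASK_CHARSET_SIZE[s]
    return total


def hybrid_candidates(n_stems: int, mask: str) -> int:
    """Candidates for a hybrid attack (-a 6): every stem in the word file
    followed by every expansion of the mask."""
    return n_stems * mask_keyspace(mask)


def days_to_exhaust(candidates: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Days needed to try every candidate at a fixed guess rate."""
    return candidates / (rate * 86_400)


# Constructed USR40-style deny list: company name plus the stems cracked above.
FORBIDDEN = ["acme", "password", "welcome", "letmein", "iloveyou", "starwars"]
YEAR = re.compile(r"(19|20)\d\d")  # "the current year" and its neighbours


def is_weak(password: str, forbidden=FORBIDDEN) -> bool:
    """Reject what hybrid and combination attacks recover first: a dictionary
    stem anywhere in the password, or a year used as the extension."""
    lowered = password.lower()
    return any(word in lowered for word in forbidden) or bool(YEAR.search(password))


if __name__ == "__main__":
    for mask in ("?d?s", "?a?a", "?a?a?a", "?a?a?a?a"):
        print(f"{mask:9} x 5 stems = {hybrid_candidates(5, mask):>14,} candidates")
    print(f"8 random BCODE chars: ~{days_to_exhaust(BCODE_ALPHABET ** 8):,.0f} days")
    for pw in ("Password1!", "Letmein2018)", "Welcome123!", "Xq7#pLm2vR"):
        print(f"{pw:14} weak={is_weak(pw)}")
```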

Preventive measure 2: forbid display access to password tables

Forbid access to the password tables. The hashes are stored in tables protected by the table authorization group SPWD. Don't grant read access to this table group via the S_TABU_DIS authorization object. Check via SUIM who currently has access and restrict it to only the people you think really need it.

More information on the access protection can be found in OSS note 1484692.

Next blog

The next blog will explain hacking PWDSALTEDHASH.

SAP password hacking Part I: SAP BCODE hash hacking

This blog series explains the process of hacking SAP password hashes, also known as SAP password hacking. The process of hacking is explained together with the appropriate countermeasures.

Questions that will be answered are:

  • Where are SAP password hashes stored?
  • Which software do I need to install for hacking the password hash?
  • How does the brute force method work?
  • How does the simple 10k most used password list attack work?

For the follow-up blog on hacking SAP PASSCODE, click here.

For the follow-up blog on hacking SAP PWDSALTEDHASH, click here.

Further follow-up blogs:

  • Improving attack speed by applying a rule-based attack, click here.
  • Blog on optimizing the attack.
  • Blog on extended word lists.

SAP password hashes

SAP has 3 main password hashes:

  1. SAP BCODE (oldest one and very weak): not to be used any more
  2. SAP PASSCODE (less old, stronger than BCODE, but still weak): not to be used any more
  3. SAP PWDSALTEDHASH (newest, strongest)

New SAP installations only use the newest method by default. Older systems might still have the older hash types stored.

From user password to hash

When a user's password is set initially or changed, it is hashed and stored in 2 tables:

  1. USR02, which contains the current password
  2. USRPWDHISTORY, which contains the history of the passwords

Older systems or wrongly configured systems store all 3 hash types mentioned above.

To start the password attack you need to get the user IDs and hashes from the USR02 table.

Methods for getting this data (and many more):

  • SE11/SE16N table display
  • Write simple ABAP program
  • Database access on low level (HANA, Oracle, etc)
  • …. more creative methods….

For this week's example we will use a couple of test users. The first 5 users are given simple passwords. The 6th user is given a fully random password.

USR02 BCODE

The attack: from hash back to password

Once you have the hashes, the rest of the work happens outside the SAP system.

First step is to download a password cracking tool. A very good one is Hashcat.

Hashcat

Warning: this software might be considered a real hacking tool, comparable to possessing burglary tools. Either only use it on a private laptop or after agreement with your local company security team.

Hashcat is based on GPU power and not CPU power. This means the speed of cracking depends on the quality and speed of your graphics card(s). Modern graphics cards can have up to 4000 cores. Hashcat is written intelligently to use these 4000 cores via parallel processing, or multiple cards.

Download the software from the site and unzip it on your local PC.

For cracking BCODEs, Hashcat requires the following format per line:

<<USERID>>$<<BCODE HASH>>

For the example above this results into the following file:

USR02 BCODE hashes in notepad

The brute force method

Let’s start by making a file with only TESTUSER6. This is stored in the file TestuserBcodeHashes.txt.

To start the hacking process go to the CMD command prompt, and proceed to the hashcat directory. Then key in this command:

hashcat64 -a 3 -m 7700 -p : --session=all -o "C:\HC\TestuserBcodeHashes_found.txt" --outfile-format=3 --markov-disable --remove --gpu-temp-abort=80 "C:\HC\TestuserBcodeHashes.txt"

Long command, but the parts are simple: -a 3 means brute force, -m 7700 means the hashes are SAP BCODE hashes, -o and --outfile-format set the output file and output format, and, very important, --gpu-temp-abort=80 aborts if the GPU temperature exceeds 80 degrees Celsius.

For the full help options: go to the Hashcat website or key in hashcat64 --help.

Result of this command is following screen:

TESTUSER6

The brute force attack will use some common patterns, but as you can see it takes about 16 hours per pattern (a faster GPU means less time).

Guessing speed is at 57.000 tries per second, which is about 5 billion tries per day. A password with 8 random characters (26 letters, 10 digits, 33 specials) gives 69*69*69*69*69*69*69*69 = 513.000 billion options, meaning exhausting them would take 100.000 days.

Pretty good you would say. But nobody uses the brute force method.

Attacking with 10.000 most commonly used password list

People tend to use simpler and more repetitive passwords. See Wikipedia for the most common and the 10.000 most commonly used passwords. For the full list read this blog.

You can download the file 10.000 most common here: 10k most common

Again we start Hashcat, but now with a different command, and we use the file with all 6 hashes:

hashcat64 -a 0 -m 7700 -p : --session=all -o "C:\HC\TestuserBcodeHashes_found.txt" --outfile-format=3 --markov-disable --remove --gpu-temp-abort=80 "C:\HC\TestuserBcodeHashes.txt" "C:\HC\10k most common.txt"

Attack mode 0 (wordlist) is chosen and we have given the 10k most common text file as wordlist input.

Result:

Run results 10k passwords

Recovered passwords: 5 out of 6 in about 0 seconds!

TESTUSER1$D1FD06BD3B0744D9:PASSWORD
TESTUSER2$93D7C1E614C14B85:LETMEIN
TESTUSER3$EE3DAC02B26F87D5:WELCOME
TESTUSER4$C8172A9B5BFC09F6:ILOVEYOU
TESTUSER5$9157294124B1EAA4:STARWARS

You now can logon with these passwords.

This means that we can recover the passwords much faster than in the theoretical example from the previous chapter.

How to protect yourself from password hash attacks?

Prevention 1: set password complexity

Set the password complexity rules to at least 1:

login/min_password_digits
login/min_password_letters
login/min_password_lowercase
login/min_password_uppercase
login/min_password_specials

If you allow only letters, then the guesses needed for most users are 26*26*26*26*26*26*26*26 = 208 billion only. Leaving out the rarely used q and x (24 letters), it drops to only 110 billion.

Prevention 2: disallow the old hashes

Set parameter login/password_compliance_to_current_policy to 1 to forbid old passwords that do not comply with the current policy (in old systems this might require some testing before it is done in the productive system, as well as changes of old passwords that have been there for a very long time).

Prevention 3: clean up the old hashes

Use program CLEANUP_PASSWORD_HASH_VALUES to clean up the old hashes (see OSS note 2845609 – How to find user name with legacy hash values when executing report CLEANUP_PASSWORD_HASH_VALUES for a detailed manual):

CLEANUP_PASSWORD_HASH_VALUES

After checking, start the actual cleanup.

More information on program CLEANUP_PASSWORD_HASH_VALUES can be found in OSS note 2845609 – How to find user name with legacy hash values when executing report CLEANUP_PASSWORD_HASH_VALUES.

Prevention 4: instructions to basis and authorization team to use the password generator for initial passwords

When generating a new password: do use the password generator button. This will generate a very complex password. Do use it.

Also make it known to the basis and authorization team not to use simple and repetitive passwords like Welcome-2018 or Passw0rd! Otherwise a pattern soon emerges and the passwords that new users will be given can be guessed in advance. Tell them to use the password generator.

Prevention 5: increase hash strength

You can increase the hash strength. This will make the attack last longer, since it simply takes more computing time to try stronger hashes. Read more in this blog.

Next blog

The next blog will explain hacking the SAP PASSCODE.