Arpine Maghakyan

Security Researcher at RedRays.
AI-powered Password Testing for ABAP stack

Greetings,

I am glad to inform you about a significant development in the RedRays Security Platform for the ABAP stack. We have created a new module that effectively deals with the pressing concern of password security in today’s digital world.

The Challenge

In today’s increasingly digital world, the importance of password security in business operations cannot be overstated. Many companies rely on the Advanced Business Application Programming (ABAP) stack for their operations, trusting its built-in password policy and profile parameters to ensure that users create strong passwords. However, a lurking gap in this setup potentially exposes them to significant security risks.

Despite the seemingly stringent password requirements, users can easily bypass them by crafting passwords such as “RedRays123#” or “RedRays$123”. At first glance, these passwords appear to meet the policy’s criteria, but they are deceptively simple and can be easily guessed by potential attackers. This recurring issue emerged during our customer assessments, where users often followed predictable patterns, incorporating the company name and a few easily guessed characters, compromising the intended security measures.

Research and Solution

Our research revealed that default passwords in SAP systems are already uncommon. However, users tend to resort to commonly used passwords like Aa123456* or QwertY$123. To address this issue, we recognized the urgent need for an advanced password-testing module for the RedRays Security Platform in the ABAP stack. This module adds an extra layer of security by scrutinizing passwords based on their length, symbol count, overall complexity, and unpredictability.

Here’s what we’ve done:

* We analyzed over 20 million passwords related to corporate users by downloading email/username and password combinations from leaked databases available on the internet.
* We categorized the passwords into several libraries:
  * SAP Common Passwords
  * Top 100 passwords
  * Top 1,000 passwords
  * Top 10,000 passwords
  * Top 100,000 passwords

Functionality

The RedRays Security Platform integrates with the SAP ABAP stack through various connectors. Once the Platform admin establishes a connection to SAP ABAP (e.g., via HTTP RFC), the Advanced Password Security Module page displays the connection and presents the password hashes found in the USR02 table (hash types G/F/I/B/H are supported).

To initiate the brute force process, click the Start Brute Force button and proceed to the brute force settings window.

In the image above, you can select one of the five existing libraries or choose the Custom module, which caters to companies universally. Why? Please refer to the screenshot below.

By opting for the Custom passwords brute force option, you can input the initial passwords for your company and utilize one of the brute force mutation modules tailored to custom passwords.

Several mutation modules are available:

  • Single Password: This mutation option uses the initial password to brute force the hashes.
  • Years: This mutation option adds years at the start or end of the initial password for brute forcing (e.g., RedRays2020, RedRays2021, RedRays2022, 2020RedRays…).
  • Years and Special Symbol: The mutation results include passwords like RedRays$2020, RedRays#2021, RedRays*2019, 2010$RedRays, and more.
  • 1 Digit: The mutation results in passwords like RedRays0, RedRays1, …, 1RedRays
  • 1 Digit and Symbol: The mutation results in passwords like RedRays$0, RedRays$1, 7&RedRays…
  • 2 Digits: The mutation results in passwords like RedRays00, RedRays01, …, RedRays99
  • 2 Digits and Symbol: The mutation results in passwords like RedRays$00, RedRays$01, 98&RedRays…
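The mutation patterns above are exactly the ones a password policy should refuse at change time, because a password that is the company name plus a year, a digit or a symbol passes the length/complexity profile parameters while staying trivially guessable. The following is an added example (not RedRays code) of a validation routine that recognises those patterns around a list of known base words; the symbol set, the 1970 year floor and the example base word "RedRays" are constructed assumptions.

```python
from datetime import date
from typing import Optional

# Symbols users typically bolt on to satisfy a "special character" rule (constructed set).
SYMBOLS = "!@#$%^&*_-+=?"
_AFFIX_CHARS = "0123456789" + SYMBOLS


def classify_mutation(password: str, base_words) -> Optional[str]:
    """Return which mutation pattern the password matches against a known base word
    (company name, product name, ...), or None if no base word is its core."""
    core = password.strip(_AFFIX_CHARS)          # strip leading/trailing digits and symbols
    for base in base_words:
        if core.lower() != base.lower():
            continue
        start = password.lower().find(core.lower())
        affix = password[:start] + password[start + len(core):]   # what was added around the base
        digits = "".join(ch for ch in affix if ch.isdigit())
        has_symbol = any(ch in SYMBOLS for ch in affix)
        if not affix:
            return "single password"
        # Assumed year window: 1970 up to next year.
        if len(digits) == 4 and 1970 <= int(digits) <= date.today().year + 1:
            return "years+symbol" if has_symbol else "years"
        if len(digits) == 1:
            return "1 digit+symbol" if has_symbol else "1 digit"
        if len(digits) == 2:
            return "2 digits+symbol" if has_symbol else "2 digits"
        return "other decoration"                # e.g. RedRays123#: still just the base word
    return None


def meets_policy(password: str, min_len: int = 8) -> bool:
    """Naive profile-parameter style check: length, upper, lower, digit and special char."""
    return (len(password) >= min_len
            and any(c.isupper() for c in password) and any(c.islower() for c in password)
            and any(c.isdigit() for c in password) and any(c in SYMBOLS for c in password))


def audit(password: str, base_words) -> dict:
    """A password is weak if it fails the policy OR is a predictable mutation of a base word."""
    pattern = classify_mutation(password, base_words)
    return {"meets_policy": meets_policy(password), "mutation": pattern,
            "weak": (not meets_policy(password)) or pattern is not None}


if __name__ == "__main__":
    for pw in ("RedRays123#", "RedRays2020", "2010$RedRays", "RedRays$00", "Tr0ub4dor&3"):
        print(pw, audit(pw, ["RedRays"]))
```

The `audit` call shows the gap described in The Challenge: "RedRays123#" satisfies every policy rule yet is flagged weak because its core is the company name.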

However, the AI passwords brute force module is our most advanced option. By leveraging AI deployed in the scanner, trained on the leaked passwords database, the AI passwords brute force module revolutionizes the brute force process.

Conclusion

Our investigations have shown that employing AI for password guessing increases the success rate by over 20%. In the next blog post I will show how the AI works.

Once you’ve chosen the brute force settings, simply click the Start option, and the brute force process will commence in the background. As a result, you will receive the usernames of users who have weak passwords. Armed with this information, you can take proactive steps to request password changes and secure your SAP ABAP stack.

We are thrilled to introduce this new module to the RedRays Security Platform, as it significantly enhances password security for businesses relying on the ABAP stack. With our advanced password-testing capabilities and integration with the SAP ABAP stack, you can proactively address potential weak passwords on your system.

Stay tuned for more updates and enhancements as we continue to prioritize the development of innovative security solutions for your organization.
