Understanding Hash Cracking
Hashing is a one-way encryption technique employed to ensure data integrity, authenticate information, and secure passwords alongside other sensitive data. Hash functions convert input data into a fixed-size string of characters that are both uniform and deterministic, making them an excellent choice for maintaining data security.
A pivotal aspect of hashing in password storage is its one-way nature. This means that while the same input will always produce the same hash output, it is computationally infeasible to reverse-engineer the original input from the hash. This property allows for the validation of user credentials without ever needing to store or reveal the actual passwords.
However, there are scenarios where security professionals must engage in password cracking. This process involves recovering the plaintext password to identify users with weak passwords, escalate privileges by hijacking user accounts, and other similar use cases essential for maintaining robust security.
In this blog, we will delve into how SAP stores passwords and explore the tools available for performing hash cracking tests.
SAP Password Architecture (Storage and Security)
SAP systems generate and store various types and versions of hashes based on their configuration settings. Additionally, legacy and less secure hash values may be retained to ensure backward compatibility. This is crucial because, depending on configuration parameters, SAP databases can store weak hashes that make it easier for threat actors to compromise user credentials.
Key Database Tables for SAP Passwords
In SAP NetWeaver ABAP, passwords are primarily stored in the USR02 table. Historical password values are maintained in the USH02, USH02_ARC_TMP, and USRPWDHISTORY tables.
While USR02 contains active password hashes, analyzing all stored hashes can reveal hints or partial passwords. These insights can be leveraged to mutate input test data or enhance existing dictionaries, facilitating more effective password cracking attempts.
Deciphering SAP’s Hash Functions and Formats
SAP systems utilize multiple mechanisms to generate hashes, allowing for the storage of several hash values based on profile parameter configurations.
The CODVN (Code Version of Password Hash Algorithm) field in the USR02 table indicates the active hashing algorithm for a specific entry. The possible values and their corresponding hashing methods are as follows:
| CODVN Value | Description |
|---|---|
| B | MD5-based function, limited to 8 uppercase ASCII characters |
| D | MD5-based function, limited to 8 uppercase UTF-8 characters |
| F | SHA1-based function with fixed SALT, 40 UTF-8 characters |
| H | SHA1-based function with random SALT, 40 UTF-8 characters |
Each hash type is stored in its designated column within the aforementioned tables:
- CODVN B/D: Stored in the BCODE column
- CODVN F: Stored in the PASSCODE column
- CODVN H: Stored in the PWDSALTEDHASH column
Additionally, two other CODVN values, G and I, are possible. These values indicate that multiple hashes will be generated and stored:
- G: Produces both F and B hashes
- I: Produces H, F, and B hashes
The generation, storage, and validation of password hashes during user login are managed by the profile parameter login/password_downwards_compatibility. For more details on this parameter, refer to SAP’s official documentation.
Approaches to Password Cracking in SAP Environments
To crack passwords, the first step is obtaining the password hashes. Direct access to the database simplifies this task, but SAP systems offer alternative methods for retrieving hashes.
Retrieving Password Hashes in SAP
If direct database access is unavailable, password hashes can be extracted using specific transactions or Remote Function Calls (RFC).
Useful Transaction Codes for Exporting Database Records:
- SE16
- DBACOCKPIT
These transactions allow users to explore database tables and extract complete hash values.
If these transactions are inaccessible, the RFC function RFC_READ_TABLE can be used to retrieve partial hashes. While this method does not provide complete hash values, certain tools can utilize these incomplete hashes to achieve meaningful results. It’s important to note that RFC_READ_TABLE is remote-enabled, allowing it to be executed remotely.
Top Tools for Cracking SAP Password Hashes
Password cracking involves recovering plaintext passwords, and due to the inherent properties of hash functions, the primary method to achieve this is through brute force. Brute forcing entails testing every possible combination of characters and lengths, which is often inefficient. More effective approaches include using pre-created wordlists or rainbow tables—precomputed lists of hash values and their corresponding plaintexts. However, rainbow tables are ineffective against hashes that incorporate random salts.
A hybrid approach, combining wordlists with mutation rules, can enhance the efficiency of password cracking efforts. The success of these methods heavily depends on the quality of the wordlist and the rule sets employed. Knowledge of common passwords or organizational-specific terminology can significantly improve cracking performance.
Weak or partial hashes may yield inaccurate or outdated results. For instance, if a user’s password is “Password1234” and CODVN B hashes are generated, the cracking process might quickly reveal “PASSWORD” instead of the full password. Nonetheless, this partial information provides a valuable starting point for developing more comprehensive dictionaries and rules to target stronger, active hashes.
Currently, two industry-standard tools facilitate password recovery tasks: JohnTheRipper and Hashcat. Below, we explore their usage in cracking SAP system hashes.
JohnTheRipper in Action
JohnTheRipper offers several versions, with the Jumbo version being the most suitable for cracking hashes generated by SAP systems. This version includes scripts like sap2john.pl, which assist in formatting input files. These scripts explain how to export hashes from spreadsheets and convert them into a format compatible with the John binary.
Required Input Formats:
- Older Versions of JohnTheRipper:
<username><space-padding-to-40>$<hash>Applicable for CODVN B/D/F, and only the hash for CODVN H.
- Newer Versions:
<username>$<hash>No space padding up to 40 characters is required.
Commands to Initiate the Cracking Process:
- For CODVN B:
john --format=sapb --wordlist=wordlist_file hashes_file - For CODVN F:
john --format=sapg --wordlist=wordlist_file hashes_file - For CODVN H:
john --format=saph --wordlist=wordlist_file hashes_file
Harnessing Hashcat for SAP Password Recovery
Hashcat not only facilitates the cracking of complete hashes but also supports partial hashes obtained via RFC_READ_TABLE.
Required File Formats:
- For CODVN B/D/F:
<username>$<hash> - For CODVN H:
<hash>
Hashcat can operate in various attack modes, with Wordlist mode being the simplest. This mode compares hashes from a wordlist with those extracted from the database. Other modes include brute force and rule-based attacks, which can combine wordlists with specific mutation rules.
Example Commands for Wordlist-Based Password Recovery:
- For CODVN B:
hashcat -a 0 -m 7700 hashes_file wordlist_file - For CODVN F:
hashcat -a 0 -m 7800 hashes_file wordlist_file - For CODVN B with Partial Hash from RFC_READ_TABLE:
hashcat -a 0 -m 7701 hashes_file wordlist_file - For CODVN F with Partial Hash from RFC_READ_TABLE:
hashcat -a 0 -m 7801 hashes_file wordlist_file - For CODVN H:
hashcat -a 0 -m 10300 hashes_file wordlist_file
Alternative methods, such as pure brute force or context-specific rule-based attacks, can be time-consuming and may require precisely defined rules to be effective.
Final Thoughts and Security Best Practices for SAP
SAP systems, depending on their configuration, can generate multiple versions of password hashes, some of which are now considered weak and susceptible to cracking.
Based on profile parameter configurations, these downgraded hashes may still be validated during user login attempts if downward compatibility is enabled.
If weak hashes are not being validated, the results from cracking attempts can provide insights into actual passwords, aiding in the enhancement of wordlists or rules for more effective cracking.
RedRays strongly recommends disabling downward compatibility and removing weak hashes from all related tables mentioned above.
Overall, while hashing is a valuable security measure, understanding its vulnerabilities from an attacker’s perspective allows information security teams to identify password reuse or the use of common passwords, enabling them to take appropriate protective actions.
RedRays: Your Trusted Partner in Cybersecurity
Secure your organization with RedRays, a leading provider of comprehensive security solutions tailored for businesses of all sizes and managed service providers. Our team of experts is dedicated to safeguarding your data and infrastructure against modern threats, ensuring your peace of mind.
Connect with RedRays to Enhance Your Security Posture
Get in touch with us to learn more about our security services and how we can help protect your information systems.
