Cracking SAP password – Conclusion


To protect an SAP system from this type of attack we can work at several levels. On the ABAP application, we can restrict access to the tables that hold the hashes to the administrator only, using access permissions. Direct access to the database should also be protected by strong passwords (including the one for the ora<sid> user). If the SAP instance is an old one, every default user password should be changed as soon as possible. Otherwise, if it is not mandatory to create downward-compatible password hash values, you should prevent this by setting the profile parameter login/password_downwards_compatibility to 0, so that the BCODE is no longer generated. Furthermore, there are many parameters we can set to force users to choose strong passwords, such as:


There are similar parameters for the JAVA application in the User Management section (Identity Management -> Configuration -> Security Policy). Finally, users can be forced to choose strong passwords by defining policies in the USR40 table, where we can choose which combinations of characters are banned when choosing a password.
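As an added example (not part of the original post), the following Python checks the two hardening points above on constructed input: it parses a minimal instance profile to flag a non-zero login/password_downwards_compatibility, and it applies USR40-style banned patterns to a candidate password. Assumptions: the profile uses "key = value" lines with "#" comments, the SID NPL and the pattern list are made up, and Python's fnmatch is used as a stand-in for SAP's own wildcard matching, treated here as case-insensitive.

```python
import fnmatch

# Constructed sample profiles (not from a real system). The weak one still
# writes downward-compatible BCODE hashes; the hardened one sets the value to 0.
WEAK_PROFILE = """\
# instance profile (constructed sample)
SAPSYSTEMNAME = NPL
login/password_downwards_compatibility = 1
"""

HARDENED_PROFILE = """\
SAPSYSTEMNAME = NPL
login/password_downwards_compatibility = 0
"""

PARAM = "login/password_downwards_compatibility"


def parse_profile(text):
    """Parse 'key = value' lines into a dict; '#' comments and blanks are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def audit_downwards_compatibility(text):
    """Return a finding if BCODE hashes may still be generated, else None.
    Assumption: an absent parameter is reported for manual verification,
    because the effective default depends on the SAP release."""
    value = parse_profile(text).get(PARAM)
    if value is None:
        return f"{PARAM} not set: verify the release default"
    if value != "0":
        return f"{PARAM} = {value}: downward-compatible BCODE hashes still generated"
    return None


# Constructed USR40-style entries: '*' matches any run of characters, '?' one.
BANNED_PATTERNS = ["*PASS*", "SAP*", "?12345*", "WELCOME??"]


def is_banned(password, patterns=BANNED_PATTERNS):
    """True if the candidate password matches any banned pattern (case-insensitive)."""
    upw = password.upper()
    return any(fnmatch.fnmatchcase(upw, p.upper()) for p in patterns)
```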

SAP Note 1484692 – Protect read access to password hash value tables
SAP Note 1237762 – ABAP systems: Protection against password hash attacks

Cracking SAP password saga

1. Introduction
2. ABAP Algorithms – BCODE and PASSCODE
3. How to retrieve hashes from a SAP ABAP System
4. The Wordlist
5. Cracking BCODE
6. Cracking PASSCODE
7. How to retrieve hashes from SAP Portal JAVA Application
8. Conclusions

Co-Author: Panfilo Salutari
