
Cracking SAP password – How to retrieve hashes from SAP portal java application

16-01-2015

How to retrieve hashes from SAP Portal (Application JAVA)

When the JAVA SAP component is not connected to the ABAP component (the UME), unfortunately most of the techniques we already discussed cannot be used. The steps for working with the wordlists and the john rules are still valid, though, if you exclude those related to the conversion from BCODE to PASSCODE. In addition, since we cannot use transactions, there is only one way left to retrieve the hashes from SAP portals: log in as ora<sid> and execute the following query:

sapsrm:oraqlj 43> sqlplus / as sysdba

SQL*Plus: Release 11.2.0.3.0 Production on Sun May 11 08:48:53 2014

Copyright (c) 1982, 2011, Oracle. All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> select PID, VAL from SAPSR3DB.UME_STRINGS where ATTR='j_password';

PID
--------------------------------------------------------------------------------
VAL
--------------------------------------------------------------------------------
UACC.PRIVATE_DATASOURCE.un:Administrator
{SSHA}OGrnoXWgzXDXWQfhjiZO/rXpBXmpNMRGHzY=

As the “VAL” field of the query output clearly shows, the algorithm used to store the password in the database of the JAVA component of the SAP system is a salted SHA-1 type. The table that stores this user data is UME_STRINGS, and SAPSR3DB is the schema of the SAP instance. The user is identified by its PID. The UACC.PRIVATE_DATASOURCE prefix indicates whether the user is a local one or is imported from an external source, LDAP for example.
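As an added example (not code from the original article), the snippet below shows how a {SSHA} value like the one above decomposes into a 20-byte SHA-1 digest followed by the salt, and how a verifier checks a candidate against it. It assumes the LDAP-style layout base64(SHA1(password || salt) || salt), which is the layout John's salted-sha1 format expects; the test vector built with make_ssha is constructed here.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
DIGEST_LEN = hashlib.sha1().digest_size  # SHA-1 digest is 20 bytes


def split_ssha(value: str):
    """Split a {SSHA} string into (digest, salt).

    Assumed layout (LDAP style): base64(SHA1(password || salt) || salt),
    i.e. the salt is stored after the digest and its length is whatever
    remains after the first 20 bytes.
    """
    if not value.startswith(PREFIX):
        raise ValueError("not a {SSHA} value")
    raw = base64.b64decode(value[len(PREFIX):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("too short to hold a SHA-1 digest plus a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def make_ssha(password: str, salt: bytes) -> str:
    """Build a {SSHA} value in the same layout (used to create test vectors)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(value: str, candidate: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    digest, salt = split_ssha(value)
    probe = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, probe)


# The value returned by the query in the article, used only to inspect its layout.
ARTICLE_HASH = "{SSHA}OGrnoXWgzXDXWQfhjiZO/rXpBXmpNMRGHzY="

if __name__ == "__main__":
    digest, salt = split_ssha(ARTICLE_HASH)
    print(f"digest: {len(digest)} bytes, salt: {len(salt)} bytes")
    sample = make_ssha("Welcome1", os.urandom(8))  # constructed test vector
    print(verify_ssha(sample, "Welcome1"), verify_ssha(sample, "Welcome2"))
```

Inspecting the salt length this way is a quick way to confirm which format a hash is in before pointing John at it, and to spot accounts whose stored values deviate from the expected layout.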

The initial phase of the process is the usual one:

# cat sap_qlj_portal.hash
Administrator:{SSHA}OGrnoXWgzXDXWQfhjiZO/rXpBXmpNMRGHzY=
# john --pot=sap_qlj_portal.pot --session=sap_qlj_portal --single --format=salted-sha1 sap_qlj_portal.hash

Then continue with the methods we described earlier in the section on cracking the BCODE, that is: wordlists, Markov, PACK and so on.

Cracking SAP password saga

1. Introduction
2. ABAP Algorithms – BCODE and PASSCODE
3. How to retrieve hashes from a SAP ABAP System
4. The Wordlist
5. Cracking BCODE
6. Cracking PASSCODE
7. How to retrieve hashes from SAP Portal JAVA Application
8. Conclusions

Co-Author: Panfilo Salutari
