Cracking SAP password – The wordlist

16-01-2015

The Wordlist (or, what you cannot afford to miss in a good wordlist)

A good wordlist can dramatically shorten the time needed to crack the hashes, and the time spent in the cracking phase of a penetration test is a crucial variable. Cracking a good number of passwords early saves a great many computational cycles: every word compared against a hash costs, and every rule applied to that word multiplies the cost.

The first thing a good wordlist cannot miss is a good number of the default passwords used by older SAP versions: it happens that someone forgets to change the administrative users' passwords, often on the default clients (000, 001 and 066). You would be surprised how often this happens.

Password list used by default on "older" SAP versions:

Password    User         Clients
06071992    sap*         000, 001 and 066
PASS        sap*         new clients
19920706    ddic         000 and 001
Welcome01   ddic
ADMIN       sapcpic      000 and 001
SUPPORT     earlywatch   066
PASSWORD    tmsadm       000
ADMIN       tmsadm
welcome     admin

On newer versions of the SAP systems, the installer prompts for a master password that is used for every default user created by the SAP system unless explicitly told otherwise. Discovering this master password would be a great victory (it may well have been used for the operating system users <sid>adm and ora<sid> too!). It is also a good idea to put some company names in the wordlist, SAP included, since these are not directly related to the words normal users choose. So add not only the customer company name (that is, the one who actually bought the SAP license) but also the names of the external companies and external consultants' companies that manage help desk and operations (for example ACCENTURE, ATOS ORIGIN, BGP MANAGEMENT CONSULTING, REPLY, ELSAG, HP, IBM, KPMG, OPERA21, REALTECH, TECHEDGE, CAPGEMINI, ENGINEERING, INDRA, PWD, etc.). Also include the application SID combined with "SAP" and with the names of the consulting companies.

Even though john's --single mode already tries each user's own username as the password, it is always worth having the "standard" SAP user names of a SAP system in the wordlist, so they are found without being pushed through the rules. These are: ALEREMOTE, SAP*, DDIC, SAPCPIC, EARLYWATCH, TMSADM, ADSUSER, ADS_AGENT, J2EE_ADMIN, ADMINISTRATOR, SAPJSF, SAPSUPPORT, SUPPORT, SAPOSS, OSSSAP, WF-BATCH, etc.

There are many wordlists on the internet (the RockYou ones, target-language dictionaries, Inside Pro Full 1 to Inside Pro Full 31, etc.), but it is trivial to build your own. Commercial wordlists are also available, but guess what? Most of the time a good, small, ad-hoc wordlist beats the bloated commercial ones. The most successful is the list of first names (do not miss a good one in the target language!). A wordlist of surnames can be used in the advanced cracking phase, and (especially if the SAP system is accessed from several cities) a list of cities and towns is a must have. Do not overlook wordlists of sports teams and famous soccer players either.

A wordlist that can be built very quickly is the one with dates in a numeric format such as DDMMYYYY or YYYYMMDD; the two commands below generate them with bash brace expansion and feed them straight to john:

# echo -e {01..31}{01..12}{1940..2020}"\n" | sed -e 's/^ //g' | john --pot=sap_qla_bcode.pot --session=sap_qla_bcode --format=sapb sap_qla_bcode.hash --stdin
# echo -e {1940..2020}{01..12}{01..31}"\n" | sed -e 's/^ //g' | john --pot=sap_qla_bcode.pot --session=sap_qla_bcode --format=sapb sap_qla_bcode.hash --stdin
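As an added example (not code from the original article), the script below assembles the ingredients discussed above into one de-duplicated, ordered wordlist for auditing an SAP landscape: the default passwords from the table, the standard user names, company names and SID + SAP combinations, and every real calendar date in both numeric formats (unlike the brace expansion, which also emits impossible dates such as 31 02). The customer names and the SID "PRD" are constructed placeholders; the output is meant to be piped into john --stdin exactly like the commands above.

```python
"""Build a small ad-hoc SAP wordlist from the ingredients the article lists."""
from datetime import date, timedelta
from itertools import product

# Default passwords of older SAP releases (taken from the table in the article).
DEFAULT_PASSWORDS = ["06071992", "PASS", "19920706", "Welcome01", "ADMIN",
                     "SUPPORT", "PASSWORD", "welcome"]
# Standard SAP user names, worth trying verbatim before any rule runs.
STANDARD_USERS = ["ALEREMOTE", "SAP*", "DDIC", "SAPCPIC", "EARLYWATCH", "TMSADM",
                  "ADSUSER", "ADS_AGENT", "J2EE_ADMIN", "ADMINISTRATOR", "SAPJSF",
                  "SAPSUPPORT", "SUPPORT", "SAPOSS", "OSSSAP", "WF-BATCH"]


def company_words(companies, sid):
    """Customer/consultancy names plus the SID, each in a few casings,
    and the SID combined with 'SAP' as the article suggests."""
    words = []
    for name in companies + [sid, "SAP"]:
        words += [name, name.lower(), name.capitalize()]
    for a, b in product([sid, "SAP"] + companies, repeat=2):
        if a != b:
            words += [a + b, a + "_" + b, a.lower() + b.lower()]
    return words


def date_words(start_year, end_year):
    """Every real calendar date in [start_year, end_year] as DDMMYYYY and YYYYMMDD."""
    d, end = date(start_year, 1, 1), date(end_year, 12, 31)
    words = []
    while d <= end:
        words.append(d.strftime("%d%m%Y"))
        words.append(d.strftime("%Y%m%d"))
        d += timedelta(days=1)
    return words


def build_wordlist(companies, sid, start_year=1940, end_year=2020):
    """Cheap, high-yield candidates first; duplicates dropped, first occurrence kept."""
    seen, out = set(), []
    candidates = (DEFAULT_PASSWORDS + STANDARD_USERS
                  + company_words(companies, sid) + date_words(start_year, end_year))
    for w in candidates:
        if w not in seen:
            seen.add(w)
            out.append(w)
    return out


if __name__ == "__main__":
    # Constructed sample input: a fictitious customer, one consultancy and SID "PRD".
    for word in build_wordlist(["EXAMPLECORP", "ACCENTURE"], "PRD"):
        print(word)
```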

Cracking SAP password saga

1. Introduction
2. ABAP Algorithms – BCODE and PASSCODE
3. How to retrieve hashes from a SAP ABAP System
4. The Wordlist
5. Cracking BCODE
6. Cracking PASSCODE
7. How to retrieve hashes from SAP Portal JAVA Application
8. Conclusions

Co-Author: Panfilo Salutari
