Cracking SAP password – abap algorithms bcode passcode


ABAP algorithms – BCODE and PASSCODE

You may be wondering why we start with the SAP ABAP Application Server. There are several reasons. Very often, when you work with an SAP product that can run both environments (ABAP and JAVA), the UME (User Management Engine) can be configured to use the ABAP component's database. This means that even JAVA Application users can be extracted together with the ABAP users, because they reside in the same table. In addition, due to the weakness in one of the SAP cryptographic algorithms for passwords, we can greatly speed up our work and recover a large number of passwords, which serve as a starting base for a good wordlist that we will use to crack even the stronger passwords.

Two algorithms mainly come into play to hash the passwords of ABAP Application Server users: CODVN B and CODVN G.

CODVN B is a cryptographic algorithm based on MD5, so it is quite fast to compute, even though it is applied twice with some operations thrown in. The maximum password length is eight characters, which is arguably one of the weakest points of the algorithm. The characters in the password are all uppercase, so we can leave lowercase characters out, another aspect we can turn to our advantage. The password can contain both numbers and 32 special characters, which we will use in John's rules. The salt is computed from the username (also in uppercase characters), and the database field that contains the hash is called BCODE.

CODVN G, instead, is stronger overall than CODVN B, as it is based on SHA-1 (applied twice with some operations thrown in). The maximum password length is 48 characters with UTF-8 encoding. The password can contain numbers, 32 special characters, and characters with a grave accent. The salt is calculated only from the username (uppercase characters), and the database field where the hash is stored is called PASSCODE.

Both algorithms salt the password hashes using only the username; the System-ID and client values are not involved in the process, so a user/password tuple has the same hash on a different system with a different client. Just run a quick Google search using default SAP user hashes as search terms and see for yourself.
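Because the salt is only the username, an auditor can spot password reuse across systems by comparing stored hashes, without cracking anything. The following is an added example, not code from the original article: the CSV layout, the column names `sid`, `client` and `bname`, the all-zero "no hash stored" convention and every hash value are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per user per system/client.
# All hash values are made-up placeholders, not real SAP hashes.
SAMPLE_EXPORT = """\
sid,client,bname,bcode,passcode
PRD,100,ALICE,0000000000000000,AAAA000000000000000000000000000000000001
QAS,200,ALICE,1111111111111111,AAAA000000000000000000000000000000000001
PRD,100,BOB,2222222222222222,BBBB000000000000000000000000000000000002
QAS,200,BOB,0000000000000000,CCCC000000000000000000000000000000000003
DEV,300,CAROL,,DDDD000000000000000000000000000000000004
"""


def is_set(hash_hex):
    """Assumption: an empty or all-zero field means no hash is stored."""
    return bool(hash_hex.strip("0 "))


def audit(export_text):
    """Return (weak, reused) findings from a hash export.

    weak   -> sorted [(sid, client, user)] that still store a BCODE hash
    reused -> sorted [(user, [(sid, client), ...])] where the same PASSCODE
              value for the same user appears on more than one system/client
    """
    weak = []
    seen = defaultdict(set)  # (user, passcode) -> {(sid, client)}
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["bname"].strip().upper()
        where = (row["sid"], row["client"])
        if is_set(row["bcode"]):
            weak.append((*where, user))
        if is_set(row["passcode"]):
            seen[(user, row["passcode"].upper())].add(where)
    reused = sorted((user, sorted(places))
                    for (user, _), places in seen.items() if len(places) > 1)
    return sorted(weak), reused


if __name__ == "__main__":
    weak, reused = audit(SAMPLE_EXPORT)
    for sid, client, user in weak:
        print(f"{sid}/{client} {user}: BCODE hash still stored")
    for user, places in reused:
        print(f"{user}: same password on {places}")
```

Accounts in the first list are candidates for removing the weaker hash; accounts in the second list share one password across systems, so a compromise of one system exposes the others.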

Cracking SAP password saga

1. Introduction
2. ABAP Algorithms – BCODE and PASSCODE
3. How to retrieve hashes from a SAP ABAP System
4. The Wordlist
5. Cracking BCODE
6. Cracking PASSCODE
7. How to retrieve hashes from SAP Portal JAVA Application
8. Conclusions

Co-Author: Panfilo Salutari
