Article

Cracking SAP password – abap algorithms bcode passcode

16-01-2015

ABAP algorithms – BCODE and PASSCODE

You may be wondering why start with SAP ABAP Application first. There are different reasons. Very often when you work with a SAP product that is capable of running both environments (ABAP and JAVA) you have the chance to enter the UME (User Management Engine) into the ABAP component database, what this means is that even JAVA Application users can be extracted together with the users ABAP because they reside in the same table. In addition, due to the weakness in one of the SAP cryptographic algorithms for passwords, we can greatly speed up our work to find a large amount of passwords that we can use as a starting base in order to create a good wordlist that we will use to crack even the stronger passwords.

There are mainly two algorithms that come into play to encrypt the passwords of ABAP Application Server users: CODVN B and CODVN G.

CODVN B is a cryptographic algorithm based on md5 (so it is quite fast to compute, even if it is applied twice with some operations thrown in), the maximum password length is eight characters and as you can argue that is one of the weakest point in the algorithm. The characters in the password are all uppercase and so we can avoid lowercase characters, another aspect we can turn to our advantage. The password can contain both numbers and 32 special characters that we will be using on John’s rules. The salt is computed based on the username (also using uppercase characters) and the database field that contains the hash is called BCODE.

CODVN G, instead, is overall stronger that CODVN B as it is based on sha1 (applied twice with some operations thrown in), the maximum password length is 48 characters with UTF-8 encoding. The password can contain numbers, 32 special characters and it can contain characters with grave accent. The salt is calculated only from the username (uppercase characters) and the field on the database where it stored is called PASSCODE.

Both algorithms salt the password hashes using only the username; System-ID and client values are not involved in the process thus a user/password tuple has the same hash on a different system with a different client. Just take a quick search with google using default SAP user hashes as search words and see for yourself?

Cracking SAP password saga

1. Introduction
2. ABAP Algorithms – BCODE and PASSCODE
3. How to retrieve hashes from a SAP ABAP System
4. The Wordlist
5. Cracking BCODE
6. Cracking PASSCODE
7. How to retrieve hashes from SAP Portal JAVA Application
8. Conclusions

Co-Author: Panfilo Salutari

Security Advisory Home

Lettura contenuti offline

Audit & Assurance

Consulting

Deloitte Private

Financial Advisory

Legal

Officine Innovazione

Risk Advisory

Tax

Deloitte Business Solution

Consumer

Energy, Resources & Industrials

Financial Services

Government & Public Services

Life Sciences & Health Care

Technology, Media & Telecommunications

Join Deloitte

Studenti

Life at Deloitte

Cracking SAP password – abap algorithms bcode passcode

ABAP algorithms – BCODE and PASSCODE

Cracking SAP password saga

Consigliati

Collega i tuoi account

Lettura contenuti offline

Cracking SAP password – abap algorithms bcode passcode

ABAP algorithms – BCODE and PASSCODE

Cracking SAP password saga

Consigliati

Collega i tuoi account

Hai già effettuato l'accesso a My Deloitte tramite il tuo indirizzo email. Accedi nuovamente per collegare i tuoi social media account.

You've previously logged into My Deloitte with a different account. Link your accounts by re-verifying below, or by logging in with a social media account.

Sembra che tu ti sia registrato con la tua email e social media. Collega i tuoi account accedendo con la tua email o social media.