SAP password hash hacking Part II: SAP PASSCODE hash hacking

This blog series will explain the process of hacking SAP password hashes: also know as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be explained.

In this second blog we will continue with more complex attacks on the SAP password hashes and will also explain more preventive measures. Now we focus on the SAP PASSCODE hash.

For the first blog on attacking the SAP BCODE hash click here.

Questions that will be answered in this blog are:

  • How to attack the PASSCODE from the BCODE?
  • How does the hybrid mask attack mode work?
  • How does the combination attack mode work?
  • What more can I do to prevent a password attack?For follow up blog on hacking SAP PWDSALTEDHASH, click here.

    For follow up blog on improving attack speed by applying rule-based attack, click here. And the blog on optimizing the attack. And the blog on extended word lists.

How to attack the PASSCODE from the BCODE?

In the previous blog we have seen how easy it is to get the passwords from the BCODE. The BCODE is capturing the first 8 characters of the password in capital mode. The other characters of the password are not stored in the BCODE, but in the full PASSCODE. If the password is length 8 or below, you can already logon with the found BCODE password.

Now lets assume company password policy is:

  • Minimum password length is 10
  • Minimum 1 digit, 1 letter upper case, 1 letter lower case, 1 special

Pretty safe you might think.

We will use the previous 5 guessed test users. Their passwords from BCODE were: PASSWORD, LETMEIN, WELCOME, ILOVEYOU, STARWARS. We don’t know exactly which letters in the passwords are uppercase and which ones are lowercase. But we can make educated guess here, which we store in notepad file:

Notepad bcode file with guesses

As you can see these are logical variations. Most people use password as they type: First letter in upper case, rest in lower case.

Getting the PASSCODE from USR02 table

We use one of the many methods to get the PASSCODE hash strings from the USR02 table:

PASSCODE from USR02

And we put this into notepad file with user name and $ for separator:

Notepad passcodes

Hybrid mask attack

What we will do is use a so called hybrid mask attack. This attack uses certain patterns.

The first pattern we will use is use the file with the BCODE guesses and at the end at a digit and special character.

To start the hacking process go to the CMD command prompt and proceed to the hashcat directory. Then key in this command:

hashcat64 -a 6 -m 7800 -p : --session=all -o "C:\HC\TestuserPassCodeHashes_found.txt" --outfile-format=3 --markov-disable --remove --gpu-temp-abort=80 "C:\HC\TestuserPassCodeHashes.txt" "C:\HC\BCODEinputfilewithguesses.txt" ?d?s

Explanation of the command: 7800 means the hashes are SAP PASSCODE. Output goes to _found file. Input is the TestuserPassCodeHashes file. The text fie with the guesses is then combined with ?d?s. This means take every entry from the file and add first a digit, then a special. This will then try for example Password1!, Password2!, ….Password1@, Password2@, etc.

Result (after 1 min or so):

Hybrid ds

Password found: Password1! for testuser1. The output is in the output file. And the found hash is removed from the input file.

Hybrid mask patterns

Some patterns that can be used:

?l = letter, small caps

?d = digit

?s = special

?a = all possible input characters

If we continue with our example: we now will not scan for digit special combination but for any 2 or more characters. To do so: replace in the previous command the ?d?s with ?a?a.

After that we can run with ?a?a?a to find any combination with 3 characters at the end. Runtime: only 4 minutes:

Hybrid aaa

Only when we add ?a?a?a?a for 4 characters runtime starts to increase to 6 hours:

Hybrid aaaa

After these runs we have found: Welcome123! for testuser3, IloveYou@9 for testuser4 and Starwars99*& for testuser5.

Combination attack mode

The above method is fast and almost always guaranteed to work.  But is will only work for short extensions. There is even a faster way, but this method does not have full guarantee.

What we will do is construct a file with popular password extensions after the main word:

Popular extensions real file is much, much longer…

This file we will combine with the file of the already found words from the BCODE part. The combination of two files is called combination attack.

To start the hacking process go to the CMD command prompt and go to the hashcat directory. Then key in this command:

hashcat64 -a 1 -m 7800 -p : --session=all -o "C:\HC\TestuserPassCodeHashes_found.txt" --outfile-format=3 --remove --gpu-temp-abort=80 --gpu-temp-retain=70 "C:\HC\TestuserPassCodeHashes.txt" "C:\HC\BCODEinputfilewithguesses.txt" "C:\HC\Popular extensions.txt"

The attack mode 1 means combination attack to combine the two files.

After running this mode the Testuser2 password pops up: Letmein2018).

And yes: years in passwords are pretty popular.

End result

End result after all the different attacks:

end result passcode

And it really didn’t take long time. One overnight session is sufficient.

The real live sequence of cracking would be to start with the popular extensions to remove the quick wins. Then time can be spent on the hybrid mask attack: this attack goes faster when there is less input.

Preventive measures

Preventive measure 1: forbid simple password parts

By filling table USR40 you can forbid simple password parts to be used. Think about filling this table with words like:

  • Your company name
  • password
  • welcome
  • letmein
  • The current year
  • All the full names of the months (january, etc)
  • ….

For more inspiration see list of most used passwords on Wikipedia.

Preventive measure 2: forbid display access to password tables

Forbid access to password tables. The hashes are stored in tables protected by the SPWD object. Don’t grant read access with S_TABU_DIS authorization object to this table group. Check via SUIM who currently has access and restrict it to only people you think really need it.

More information on the access protection can be found in OSS note 1484692.

Next blog

The next blog will explain on hacking PWDSALTEDHASH.

SAP password hacking Part I: SAP BCODE hash hacking

This blog series will explain the process of hacking SAP password hashes: also know as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be explained.

Questions that will be answered are:

  • Where are SAP password hashes stored?
  • Which software do I need to install for hacking the password hash?
  • How does the brute force method work?
  • How does the simple 10k most used password list attack work?

For follow up blog on hacking SAP PASSCODE, click here.

For follow up blog on hacking SAP PWDSALTEDHASH, click here.

For follow up blogs:

  • Improving attack speed by applying rule-based attack, click here.
  • blog on optimizing the attack.
  • blog on extended word lists

SAP password hashes

SAP has 3 main password hashes:

  1. SAP BCODE (oldest one and very weak): not to be used any more
  2. SAP PASSCODE (less old, stronger than BCODE, but still weak): not to be used any more
  3. SAP PWDSALTEDHASH (newest, strongest)

New SAP installations only use the newest method by default. Older system still might have stored older versions.

From user password to hash

When a users password is set initially or is changed is it hashed and stored in 2 tables:

  1. USR02, which contains the current password
  2. USRPWDHISTORY, which contains the history of the passwords

Older systems or wrongly configured systems store all the 3 password types mentioned above.

To start the password attack you need to get the user ID’s and hashes from the USR02 table.

Methods for getting this data (and many more):

  • SE11/SE16N table display
  • Write simple ABAP program
  • Database access on low level (HANA, Oracle, etc)
  • …. more creative methods….

For this weeks example we will use a couple of test users. The first 5 users are given simple passwords. The 6th user is given a fully random password.

USR02 BCODE

The attack: from hash back to password

When you have the hashes all of the rest is now outside of the SAP system.

First step is to download a password cracking tool. A very good one is Hashcat.

Hashcat

Warning: this software might be considered as real hacking tool comparable to possessing burglary tools. Either only use on private laptop or after agreement of your local company security team.

Hashcat is based on GPU power and not CPU power. This means the speed of cracking depends on the quality and speed of your graphical card(s). Modern graphics card can have up to 4000 cores. Hashcat is written intelligently to use these 4000 cores via parallel processing or multiple cards.

Download the software from the site and unzip it on your local PC.

Hashcat requires for cracking BCODES the following format per line:

<<USERID>>$<<BCODE HASH>>

For the example above this results into the following file:

USR02 BCODE hashes in notepad

The brute force method

Let’s start by making a file with only TESTUSER6. This is stored in the file TestuserBcodeHashes.txt.

To start the hacking process go to the CMD command prompt, and proceed to the hashcat directory. Then key in this command:

hashcat64 -a 3 -m 7700 -p : --session=all -o "C:\HC\TestuserBcodeHashes_found.txt" --outfile-format=3 --markov-disable --remove --gpu-temp-abort=80 "C:\HC\TestuserBcodeHashes.txt"

Long command, but some part are simpler: -a 3 means brute force, -m 7700 means hashes are SAP BCODE hashes, file output and output, and very important the command to abort if the GPU temperature exceeds 80 degrees Celsius.

For full help options: go to the Hashcat website or key in Hashcat64 –help.

Result of this command is following screen:

TESTUSER6

The brute force attack will use some common pattern, but as you can see per pattern it takes about 16 hours (faster GPU means less time).

Guessing speed is at 57.000 tries per second, which is about 5 billion tries per day. Having a password with 8 random characters (26 letters, 10 digits, 33 specials) would take 69*69*69*69*69*69*69*69 = 513.000 billion options, meaning it would take 100.000 days.

Pretty good you would say. But nobody uses the brute force method.

Attacking with 10.000 most commonly used password list

People tend to user more simpler and more repetitive passwords. See wikipedia for most common and 10.000 most common used passwords. For full list read this blog.

You can download the file 10.000 most common here: 10k most common

Again we start now Hashcat tool, but now with different command and we will use the file with all the 6 hashes:

 -a 6 -m 7700 -p : --session=all -o "C:\HC\TestuserBcodeHashes_found.txt" --outfile-format=3 --markov-disable --remove --gpu-temp-abort=80 "C:\HC\TestuserBcodeHashes.txt" "C:\HC\10k most common.txt"

Attack mode (wordlist) is chosen and we have given the 10k most common text file as wordlist input.

Result:

Run results 10k passwords

Recovered passwords: 5 out of 6 in about 0 seconds!

TESTUSER1$D1FD06BD3B0744D9:PASSWORD
TESTUSER2$93D7C1E614C14B85:LETMEIN
TESTUSER3$EE3DAC02B26F87D5:WELCOME
TESTUSER4$C8172A9B5BFC09F6:ILOVEYOU
TESTUSER5$9157294124B1EAA4:STARWARS

You now can logon with these passwords.

This means that we can decrypt the password way much faster than the theoretical example from previous chapter.

How to protect yourself from password hash attacks?

Prevention 1: set password complexity

Set the password complexity rules to at least 1:

login/min_password_digits
login/min_password_letters
login/min_password_lowercase
login/min_password_uppercase
login/min_password_specials

If you have only letters, then the guesses for most users will be 26*26*26*26*26*26*26*26 = 208 billion only. By filtering out the hardly used q and x, it could even be 110 billion only.

Prevention 2: disallow the old hashes

Set parameter login/password_compliance_to_current_policy to 1 to forbid the old passwords to be used (in old systems this might require some testing before it is done in productive system, and changes of old passwords that are there for very long time).

Prevention 3: clean up the old hashes

Use program CLEANUP_PASSWORD_HASH_VALUES to clean up the old hashes (see OSS note 2845609 – How to find user name with legacy hash values when executing report CLEANUP_PASSWORD_HASH_VALUES for detailed manual):

CLEANUP_PASSWORD_HASH_VALUES

After checking, start the actual cleanup.

More information on program CLEANUP_PASSWORD_HASH_VALUE  can be found in OSS note 2845609 – How to find user name with legacy hash values when executing report CLEANUP_PASSWORD_HASH_VALUES.

Prevention 4: instructions to basis and authorization team to use the password generator for initial passwords

When generating new password: do use the password generator button. This will generate very complex password. Do use it.

Also you should make it known to basis and authorization team not to use simple and repetitive passwords like Welcome-2018 or Passw0rd! Soon you will see a pattern and can already guess new users passwords that they will select. Tell them to use the password generator.

Prevention 5: increase hash strength

You can increase the hash strength. This will make the attack last longer, since it simply takes more computing time to try stronger hashes. Read more in this blog.

Next blog

The next blog will explain on the hacking the SAP PASSCODE.

SAP netweaver gateway FIORI tips & tricks

This blog will give some tips & tricks on SAP netweaver gateway FIORI from the basis perspective.

Questions that will be answered are:

  • Where can I find information on Netweaver Gateway FIORI deployment options?
  • Can  I adjust the layout of standard SAP FIORI apps?
  • Where can I find overview of all the SAPUI5 versions and its support status?
  • Which versions of SAPUI5 does my system currently have?
  • How can I find a version of any standard SAP app?
  • How do I clear caches in case of issues and or new deployments that cause issues?
  • How to recalculate app indexes?
  • How to test FIORI apps with user with high latency or slow network?
  • How can I setup FIORI notifications?
  • How to set FIORI timeout and timeout warning for end users?
  • How to transport FIORI content and activate in productive system?
  • How can I get statistics on the use of the FIORI apps?
  • How to integrate google analytics into FIORI?
  • How to activate ODATA V4?
  • How can I see 3D in FIORI apps?
  • How does FIORI app support work?
  • How can I monitor FIORI gateway system?

SAP netweaver gateway FIORI deployment options

SAP netweaver gateway FIORI can be run into 2 modes:

  • Embedded in application sever
  • As central hub

The considerations for embedded or central hub are kept up to date by SAP in this blog. The blog also contains the most recent version of document “SAP Fiori Deployment Options and System Landscape Recommendations“.

Please take note that SAP has a new recommendation per S4HANA1809 to go for embedded deployment.

If you are using the embedded option, you will need to update the FIORI UI component as well. This part can be separately upgraded. The relationship between Netweaver en UI version is described in notes per version. The latest current version is OSS note 2796216 – UI Version 6.0 for SAP NetWeaver: Mapping support package stack SAP_UI 7.54 to UI5 / UI2 versions. The requirement for SAP_UI 7.54 are again listed in OSS note 2796241 – SAP_UI 7.54 minimal installation requirements.

SAPUI5 version overview current and planned

The most recent SAPUI5 version overview and support status of each version can be found here.

Future SAPUI5 versions and planning can be found here.

If you need to generate stack file for SAP_UI5 only, without the application components, follow the instructions in OSS note 2431951 – How to generate a stack file for upgrading SAP_UI or kernel without updating other SAP components.

FIORI frontend server and FIORI marketing version

The FIORI frontend server version number follows a different numbering than the FIORI marketing version.

FIORI uses FIORI frontend server 1.0, 2.0 or 3.0.

FIORI 2.0 uses FIORI frontend server 4.0 or 5.0.

FIORI 3.0 uses FIORI frontend server 6.0.

More information on FIORI frontend server 6.0: 2775163 – SAP-Fiori-Frontend-Server 6.0 – General Information.

SAPUI5 version in your server

To check you own servers SAPUI5 version construct following URL:

http(s)://<your server><your port>/sap/public/bc/ui5_ui5/index.html

SAPUI5 version

This method is the easiest method. Other methods are described in OSS note 2282103 – How to check the version of SAPUI5 you have installed.

Main versions are delivered in new netweaver releases and/or support packages. There is a special blog written on the subject of last digit patching.

You can also check the main SAP UI component in the ABAP part with System/Status:

Per version you can look up upcoming ABAP UI component support pack stack information and planning at this SAP site.

Finding version of a specific standard SAP app

If you want to know the version information of a standard SAP app, you simply click on the Information button in the personalization when you in the app:

Then the version information is shown:

More information can be found in OSS note 2835783 – How to Know App Version and Minor version.

Adjusting standard SAP FIORI app

Most new SAP FIORI apps can easily be adjusted with the in app extensibility framework. Read more in this blog.

Rapid activation of FIORI apps

Most new FIORI apps can be mass activated via an STC01 script. Read more about rapid activation of FIORI apps in this blog.

Resetting and clearing caches

For resetting and clearing caches for FIORI, see this dedicated detailed blog.

Note on the cache cleanup: 2319491 – How to clean up the cache after applying changes that affect SAP Fiori apps.

Recalculating app indexes

Recalculation of app indexes is needed after an upgrade or support package installation with new apps. Also when you install extra addon this is needed. Another use case is when you have deployed your own new app via transport or when you applied a large OSS note with new app code via transport. Program to run is: /UI5/APP_INDEX_CALCULATE. You can run for single app. Or after support package: run in full. It is wise to have this program run in delta mode at least daily.

See OSS note 2884411 – Common errors in log for /UI5/APP_INDEX_CALCULATE for common errors.

Set default theme and reset user theme setting

If you have a custom theme created you can set it as default for everybody. For instruction see this blog. This blog also describes how to reset a users’ theme setting in case of issues a user might have after upgrade (garbled screen).

/UI2/FLP start issues

Transaction code /UI2/FLP can be used to start the FIORI launchpad. There can be issues using Internet Explorer. The best browser to develop and test issues is Chrome.

Read OSS notes for the description and solutions:

OSS note for troubleshooting

SAP has an updated document for the most common troubleshooting tasks. It is kept as PDF attachment to OSS note 1797736 – Troubleshooting Guide for SAP NetWeaver Gateway.

Setting FIORI gateway timeout and timeout warning for end users

Read this blog on how to set timeout and timeout warning for the end users.

Transport FIORI ODATA content

If you have stored the FIORI content and want to transport it, follow the instructions from this blog: 2424613 – How to assign an OData service from Local Object ($TMP) to a Transport Request (TR)? – SAP Gateway.

But as explained in this OSS note 2816116 – How to transport an OData Service from one System/Client to another System/Client, you still need to do a local activation of the ODATA service after the definition of the transport.

OSS note 2886433 – Fiori Setup: Activation of OData Services in Prod Systems with task lists contains a perfect PDF that describes how to carry out the activation in a productive system using the proper selections in the task list.

Generic ODATA transport FAQ note: 2244649 – SAP Netweaver Gateway Odata service transport FAQ.

Statistics on the use of FIORI apps

If you want to know more on the actual usage and statistics of the FIORI apps in use, please read OSS note 2629143 – Best practices to gather Fiori usage statistics for on-premise systems.

For user measurement and use of the ODATA calls, you can use the FIORI ODATA metering functions in the Netweaver Gateway component. Read more in this blog.

Integration of google analytics into FIORI

To integrate google analytics into FIORI, follow the instructions in OSS note 2444406 – Google Analytics Integration with SAP Fiori.

Configure backend system to jump to FIORI frontend server

In some use cases, you want to jump from the ABAP backend system to the FIORI frontend server. This is possible, but requires setup. The setup is described at sap help files online.

FIORI search

To activate FIORI search, please read this dedicated blog.

FIORI notifications

FIORI can sent push notifications to the end-user:

FIOIRI notifications logo

To set up these push notifications, read this dedicated blog.

App recommendations

Based on ST03 data SAP can recommend the use of certain FIORI apps. Read more about this in this blog on the FIORI app recommendation tool.

FIORI app support

FIORI app support is a powerful tool to find out what the source of issue there is for your FIORI app. It can check missing ODATA activation, missing SICF activation, authorization issues. Log files can be downloaded to SAP for further analysis. Read more on FIORI app support in this blog.

FIORI apps impacted by an S4HANA upgrade

FIORI apps can change between versions. Older apps are replaced by new ones. You might need to act on this if the apps are used by the business. To get a list of SAP FIORI app differences, follow the instructions from this SAP blog.

Testing FIORI tiles for slow network or high latency

FIORI tiles and web developments might be slow with users further away from the server. If the application has many round trips built in the increase network latency will definitely kill the end user performance.

Read more in this blog on how you can simulate a distant user in Chrome to analyze the issue.

Manage KPI tiles

SAP FIORI comes with a powerful tool to setup KPI tiles based on embedded HANA views. Read more about the manage KPI tiles in this blog.

SEGW issues with standard SAP after upgrade

In the past you could solve SEGW FIORI ODATA exposing issues directly in the system. Now SAP has forbidden this. See OSS notes 2734074 – Editing of standard SEGW projects for customers is blocked and 2947430 – Editing Standard OData Service Project throws error: Editing Prohibited SAP delivered projects cannot be edited in your system. The emergency workaround is described in OSS note 3022546 – In Transaction SEGW, Error ‘SAP delivered projects cannot be edited in your system’ is encountered during change of the OData Project PS_PROJFIN_MNTR.

System refresh

A system refresh of a netweaver gateway hub system is not needed in most cases. In case of embedded gateway: if the system is refreshed (for example from productive system towards acceptance system), running the cache refresh and UI5 app indexing is sufficient. See OSS note 3111069 – Task list clarification post System copy/System Refresh in Embedded deployment.

Monitoring FIORI gateway system

You can monitor FIORI gateway system using SAP Focused Run. Read this dedicated blog on monitoring Gateway systems.

ODATA V2 versus ODATA V4

SAP is moving from ODATA V2 towards ODATA V4. Read more on ODATA V4 activation in this blog.

FIORI 3D visualization demo

For a demo on 3D visualization using FIORI element goto SAP web page and load the attached file: SAP Pocket Knife (unzip before use):

3D visualization example

The advantage of using the FIORI element to show 3D visualization is that you don’t need to install the fat client for 3D viewer on your laptop or desktop.

Further tips

Older troubleshooting blog .

Tips on FIORI performance can be read in this blog.

For performance and trouble shooting tips see the SAP wiki on FIORI issues.

For S4HANA specifically you can go to the dedicated SAP wiki for FIORI S4HANA.

Stop and start batch jobs for maintenance

This blog explains how to mass stop and mass start batch jobs as admin. This especially useful putting the SAP system in maintenance mode. Maintenance mode can be needed for upgrade, support package patching or data conversion.

Questions that will be answered are:

  • How to mass stop batch jobs?
  • Can I plan new jobs I need during the suspend mode?
  • How to mass start batch jobs again?

More batch jobs tips and tricks in this blog.

Stopping all batch jobs for maintenance mode

Stop all batch jobs: start transaction SE38 and start program BTCTRNS1.

BTCTRNS1 output

All currently planned jobs will be put into a Released/Suspended mode:

Batch jobs suspended mode

This means the already planned jobs (periodically or not) will not be started.

During this suspend mode new jobs can be planned by admin. These new jobs will be executed.

Starting all batch jobs after end of maintenance

Start all batch jobs again: start transaction SE38 and start program BTCTRNS2.

BTCTRNS2 output

Background

For more background information read OSS note 79424 – How do BTCTRNS1 / BTCTRNS2 work?.