How to test the deletion before executing in a productive environment?
Why delete clients 001 and 066?
The clients 001 and 066 had a purpose in the past and do not have them any more.
The only thing they do now is pose a security threat. Access can be gained to these clients, for example via standard SAP users, and from these client you could take over the system via a cross client attack. Background on client 066 can be found in OSS note 1897372 – EarlyWatch Mandant 066 – Can Client 066 be deleted?.
Also unwanted batch jobs might be still running from these clients consuming resources.
The deletion can be tested on a development and QA system before it is done on productive system. If really in doubt copy the productive system to a different system and perform the deletion there first as a test.
This blog series will explain the process of hacking SAP password hashes: also know as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be explained.
In this fourth blog we will continue with more complex attacks on the SAP password hashes and will also explain more preventive measures.
For the first blog on attacking the SAP BCODE hash click here.
For the second blog on attacking the SAP PASSCODE has click here.
For the third blog on attacking the SAP PWDSALTEDHASH has click here.
Questions that will be answered in this blog are:
How does the rule based attack work?
How to use the rules on found passwords?
Where to find good rule books?
The rule based attack
The dictionary rule book attack is using the dictionary as input and then applies rules to the dictionary to generate a new password candidate.
Example words we will use are Password and Welcome.
Examples of apply some rules:
Replace a with @ will give P@ssword
Replace o with 0 will give Passw0rd and Welc0me
Replace s with $ will give Pa$$word
Replace l with ! will give We!come
All rules above combined will give P@$$w0rd and We!c0me
For full list of possible rule syntax see Hashcat site on rule-based attack.
Suppose we have guessed one correct password for one user. He made the password Welcome1!.
Now we will construct some rules:
Replace e with 3, rule will be se3
Replace l with 1 and l with !, rules will be sl1 and sl!
What has happened here? Why is this found now, and not before with the se3 rule, which should substitute the e with 3? Pretty simple: replace e with 3 in word Welcome1! will give W3lcom31!. So it replaces all and not first one. This is there background of having many rules.
Huge rulesets
With the Hashcat download you get a special directory called rules. Here there are some big rulesets available.
The nicest one is the RockYou list of rules. This is constructed based on the RockYou password list hacked in 2009 where 32 million passwords leaked. Based on English dictionary somebody has constructed the rules to come to most of these passwords.
Effectiveness of the attack
The effectiveness of the rule based attack is quite high. If you have found 1 password, you just run the complete ruleset of one of the huge lists to find multiple variations. People are not so inventive and creative. You will be surprised on the amount of password variations you find on the following words:
Welcome
Summer
Winter
Password
Apple
Android
Google
Hackers don’t start with the full dictionary. They start with the top 1000 words and apply many rules to them. From the passwords found they will start to derive patterns of the users. Any new password is processed through many new rules to generate candidates with higher potential.
The name and or abbreviation of a company is word number 1 to add to the favorite word list.
Further optimization of the attack speed
For optimizing the attack speed, read the fifth blog on SAP password hash hacking here.
Prevention measure 1: frequent change and large change per time
Many companies have implemented a more faster cycle of password changes. In the past once per year was common. Nowadays 60 to 90 days is more common practice. Set this in profile parameter: login/password_expiration_time.
More important is to make a larger change per time the password changes. This is to avoid the rule-attacks explained above to become very effective. How many people just simply change and increase single digit in password? Or increase the special with the next one on the keyboard. Set the profile parameter login/min_password_diff to sufficiently high value of 3 or more.
Prevention measure 2: length
Explain to your users that length is more important than complexity by using this famous explanation:
Prevention measure 3: stronger hashes
Stronger hashes simply take more time to crack. To set stronger hashes, read this dedicated blog.
Next blog on password hacking
The fifth blog on password hacking is about optimizing the attack speed. Read on in the blog. And the blog on extended word lists.
Running after transports and running in productive system
When you transport a role some changes might end up into the roles being updated, but the user comparison is not done. The end result is that the assigned authorization does not work, and you might get lots of complaints.
In oss note 571276 – PFCG: Transport of roles, SAP explains regarding the cleanup option: “If you schedule the user comparison in a way that means that there might be time overlaps with role imports, you should always deactivate the “Cleanups” option. Otherwise, imported profile data might be deleted.” and “The cleanup is not a security issue, so it does not have to be active for every comparison. Experience shows that it is sufficient to execute it once a week. However, it must be scheduled so that no role import is in progress at the same time.”.
That’s why it is wise to run the program behind PFUD, RHAUTUPD_NEW, in each system on daily or bi-daily basis without the cleanup option. And run it once per week in the weekend with the cleanup option enabled.
The new solution has 2 locking transactions: SM01_DEV for client independent locking and SM01_CUS for client dependent locking.
SM01_DEV locking transaction
Start tcode SM01_DEV:
In this example we will lock transaction SE30_OLD. On the next screen select the transaction and press the lock button. Fill out the transport number. End result:
When starting SE30_OLD you now get this error message:
SM01_CUS locking transaction
In this example we want to lock transaction S_ALR_87012271. The start screen is identical to SM01_DEV. If you want to lock the transaction you get a popup screen in which you can differentiate for WinGui or non WinGUI.
The transaction will be locked, but not be put into a transport. If you want to transport the lock, you have to use the transport button.
After locking tcode S_ALR_87012271 and starting it you get this message now:
The transaction is now only locked in the local client. If you have more client or want a full central lock, then you have to run SM01_CUS from client 000.
Differences SM01_DEV and SM01_CUS
Differences between the 2 transactions:
SM01_DEV locks global and has mandatory transport
SM01_CUS locks per client and has an optional feature to transport
Overview of locked transactions
Program RSAUDITC can be used to get an overview of all locked transactions.
This blog will explain how you can optimize your process of security notes via System Recommendations.
Questions that will be answered are:
What is the System Recommendations tool?
How do I set up the System Recommendations tool?
How do I deal with the results of the System Recommendations tool?
Where to find even more information on the System Recommendations tool?
What is the System Recommendations tool?
System Recommendations is a tool that runs in SAP solution manager. It weekly check SAP for new security notes and compares it with your own system. New notes will be alerted as new in the System Recommendations list. Notes you have applied will be removed from the list.
This automated procedure save you a lot of time checking for and follow up on security notes.
Alternative in SAP Focused Run
SAP Focused Run has a superior alternative for checking security notes with it’s Configuration and Security validation tool. Read more in this blog.
Setting up System Recommendations
If solution manager is properly setup, system recommendations is already enabled.
To verify if the system recommendations job is running start transaction SOLMAN_SETUP and select Mandatory Configuration and then Basic Configuration. Then select in the roadmap on top step number 2 and look for the system recommendations job, which will typically run every week:
Adding a system to System Recommendations
In SOLMAN_SETUP goto the managed system configuration of the system you want to add to system recommendations.
Select the full configuration for the system. On the roadmap select step 5: Enter System Parameters. On the screen below tick the box for Enable System Recommendations:
Now the system is added you need to wait until the weekly job runs.
System recommendations result
In solution manager goto the System Recommendations tile:
Upon clicking you get the list of systems and OSS notes per category:
Now you can zoom in for example on the security notes:
Per OSS note you can keep track of the status:
Dealing with the list
Some notes you can implement via SNOTE automatically. After they are implemented (normally via transport import if you run System Recommendations against productive system) they will be gone with the next run of system recommendations.
Some notes depend on kernel patch: also here, you can mark the status as to-be-implemented and wait for the actual implementation of the kernel patch.
Some notes might be non-relevant: you can mark them and they will no longer show in the open list of security notes.
DB and OS versions
The security notes will pickup all the database and OS versions for security notes, even if you don’t run them. To reduce the list goto transaction SM30 and maintain the content of table AGSSR_OSDB:
Flag the unused Databases and OS to Inactive and they will be filtered away next run.
More features
System recommendations function has more features. If you want to read all of them, please read the SAP full document. You need to use transaction SM30_DNOC_USERCFG_SR to configure these settings.
OSS note backbone settings
If you have issues updating most recent notes, or anything at all, please check in transaction SM30_DNOC_USERCFG_SR. Make sure there is no entry there for SYSREC_RFC_CALL. If it is there delete it. This is due to the SAP technical backbone change.
In SAP solution manager there is a free out-of-the-box tool available to quickly scan for security items in your system: the Security Optimization Service.
Questions that will be answered in this blog are:
How to run the Security Optimization Service?
How does the questionnaire work?
How does a sample result look like?
How to run Security Optimization Service
In solution manager 7.2 go to the tile Active Sessions for Service Delivery:
You now arrive in the sessions overview screen:
If you are first time using: hit the button Content Update to fetch the latest content from SAP. When done, you are ready to run.
Select the button create to make a new service. From the list choose the option SAP Security Optimization:
There might be multiple. In that case select this one (the others won’t work):
Then select the system for which you want to run the service. Do this by clicking the Add button in the Technical System section:
Finish the roadmap. After the final step the detailed roadmap will appear:
In the first step select the logon and test the connection:
In the next step you need to assign a questionnaire:
If you run the SOS before you can re-use or change the template. The first time you need to create the questionnaire:
In the questionnaire you can maintain whitelist. In the example above user from the basis team is added to the list of system administrators. These users will no longer appear in the report as exceptions.
If you have a recent run, you can select it here. If no run is present, hit the button Schedule new ST14 analysis run. Pending on your system size and speed the run will take between 5 and 60 minutes. If the run is finished select the run and complete the roadmap.
The SOS session is now scheduled.
Authorizations
You need authorizations in the backend system for ST14. If that is missing you get this message:
Usually the run is done overnight and you can fetch the results next day. Go to the active services tile, select your run and go to the column Documents. Click on the document to get the results.
Example of an SOS report can be found at this URL.
Follow up
If you find issues: solve them and rerun the report.
If you find many users with too many rights: start to revoke the rights and rerun the report.
If you find basis and authorization staff in the list with rights they should have, add their user ID’s to the corresponding section in the questionnaire, and rerun the report.
In general it will take a few runs to come to a more cleaned up system.
This blog will explain the use of security policies in user maintenance.
Questions that will be answered are:
Why to use security policies?
How to setup security policies?
How to assign a security policy to a user?
Why to use security policies?
Security policies can be used to set more strict password rules on critical user ID’s like the system administrators, user administrators and background users. This is one of the measures to avoid password attacks as explained in the password hash hacking blogs.
How to setup security policies?
Security policies can be setup in customizing under the following node (or by using transaction SECPOL):
On the next screen create the needed security polices as definition (identifier and description):
Select one of the policies, to set the detailed attributes per policy:
In this example the policy for ADMIN is set more strict than the system settings. Setting it less strict than the password rules set in the system profile is not allowed.
Assign security policy to user
In SU01 on the tab Logon Data you can now assigned the appropriate Security Policy for the user:
There is a second use case for security policies: in the new netweaver releases you can set parameter to lock out users for maintenance rather than locking them in SU01 or SU10. For more information read this blog.
This blog series will explain the process of hacking SAP password hashes: also know as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be explained.
In this third blog we will continue with more complex attacks on the SAP password hashes and will also explain more preventive measures. Now we focus on the SAP PWDSALTEDHASH hash.
For the first blog on attacking the SAP BCODE hash click here.
For the second blog on attacking the SAP PASSCODE has click here.
For follow up blog on improving attack speed by applying rule-based attack, click here. And the blog on optimizing the attack. And the blog on extended word lists.
Questions that will be answered in this blog are:
How to get the PWDSALTEDHASH codes?
How does the dictionary attack work?
How does the dictionary combination attack work?
How does the dictionary with mask attack work?
What more can I do to prevent a password attack?
Getting the PWDSALTEDHASH codes
The testusers 1 to 5 have been given a new password and the security admin has done its job. This is what you see in USR02:
Double clicking on a line and scrolling down will give you the PWDSALTEDHASH field content:
Getting many is too much work. For this you can use code of the program ZFETCH_PWDSALTEDHASH below:
*&--------------------------------------------------------------------**& Report ZFETCH_PWDSALTEDHASH*&--------------------------------------------------------------------*REPORT ZFETCH_PWDSALTEDHASH.DATA: LV_USR02 TYPE USR02.DATA: LV_STRING TYPE STRING.SELECT * FROM USR02 INTO LV_USR02 WHERE PWDSALTEDHASH NE SPACE.CONCATENATE LV_USR02-BNAME '
The output for our testusers is now:
You need to save the part from {x-issha etc in a new file. The user ID in front is not needed. It is just needed in case you decrypt a password from a hash to go find the user ID.
The dictionary attack
We still assume that there is a very strict policy on strong password:
Minimum length 10
Minimum 1 upper, lower, digit and special
Since the admin has cleaned up the BCODE we have no idea on the first 8 characters now.
The trick we will use is the dictionary attack. We assume some of the users will use a password with the following rule:
Take a word
Capitalize first letter, rest is small
Add a digit
Add a special character
As input file for this attack we take all word from the Webster Dictionary: webster dictionary file.
We now go back to our Hashcat directory on C:\HC and give following command:
Command explanation: attack mode 6 for dictionary attack and 10300 for SAP PWDALSTEDHASH format.
And now hashcat is showing is parallelization power:
To test all the combinations on the 5 users only 30 minutes are needed, with almost 200.000 tries per second.
2 passwords were found: TESTUSER1 with password Theobald1! and TESTUSER5 with password Tetrazotization5{.
Especially the last one is striking: this is normally not considered a simple password: Tetrazotization5{. But because it appears in a dictionary it is relative simple to retrieve.
Combination attack with dictionary
To really show the speed, we will now perform the combination attack explained in the previous blog again. We will use the dictionary in combination with the popular extension file. Command to give:
It runs for 4 hours with about 200.000 guesses per second:
And it finally finds the last password: TESTUSER4 with Organoid1@#
Dictionaries
The example above is just one dictionary. Also think about dictionaries with names of persons, football clubs, cities and countries, etc. Largest dictionary so far is called the Wikipedia dictionary. It is about 250 MB large and contains all the unique words used on Wikipedia.
Preventive measures
Preventive measure 1: user education
Educate your users not to take a dictionary word directly and only add a digit letter.
Especially power users, like basis and user administrators, should really receive this education. Don’t assume they know. 90% of them does not, or even hands out passwords like Welcome2018!
Preventive measure 2: extra strong passwords for background and power users
You can set extra strong password requirements for background users and power users (basis and user administrators). This can be done by setting up specific security policies. This is explained in this blog.
Preventive measure 3: stronger hashes
By creating stronger hashes, the attackers need more time. It will not stop them, but slow them down. Read more on setting stronger hashes in this dedicated blog.
Next blog
The next blog will focus on rule based attack mode, which is one of the most effective methods.
This blog series will explain the process of hacking SAP password hashes: also know as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be explained.
In this second blog we will continue with more complex attacks on the SAP password hashes and will also explain more preventive measures. Now we focus on the SAP PASSCODE hash.
For the first blog on attacking the SAP BCODE hash click here.
Questions that will be answered in this blog are:
How to attack the PASSCODE from the BCODE?
How does the hybrid mask attack mode work?
How does the combination attack mode work?
What more can I do to prevent a password attack?For follow up blog on hacking SAP PWDSALTEDHASH, click here.
For follow up blog on improving attack speed by applying rule-based attack, click here. And the blog on optimizing the attack. And the blog on extended word lists.
How to attack the PASSCODE from the BCODE?
In the previous blog we have seen how easy it is to get the passwords from the BCODE. The BCODE is capturing the first 8 characters of the password in capital mode. The other characters of the password are not stored in the BCODE, but in the full PASSCODE. If the password is length 8 or below, you can already logon with the found BCODE password.
Now lets assume company password policy is:
Minimum password length is 10
Minimum 1 digit, 1 letter upper case, 1 letter lower case, 1 special
Pretty safe you might think.
We will use the previous 5 guessed test users. Their passwords from BCODE were: PASSWORD, LETMEIN, WELCOME, ILOVEYOU, STARWARS. We don’t know exactly which letters in the passwords are uppercase and which ones are lowercase. But we can make educated guess here, which we store in notepad file:
As you can see these are logical variations. Most people use password as they type: First letter in upper case, rest in lower case.
Getting the PASSCODE from USR02 table
We use one of the many methods to get the PASSCODE hash strings from the USR02 table:
And we put this into notepad file with user name and $ for separator:
Hybrid mask attack
What we will do is use a so called hybrid mask attack. This attack uses certain patterns.
The first pattern we will use is use the file with the BCODE guesses and at the end at a digit and special character.
To start the hacking process go to the CMD command prompt and proceed to the hashcat directory. Then key in this command:
Explanation of the command: 7800 means the hashes are SAP PASSCODE. Output goes to _found file. Input is the TestuserPassCodeHashes file. The text fie with the guesses is then combined with ?d?s. This means take every entry from the file and add first a digit, then a special. This will then try for example Password1!, Password2!, ….Password1@, Password2@, etc.
Result (after 1 min or so):
Password found: Password1! for testuser1. The output is in the output file. And the found hash is removed from the input file.
Hybrid mask patterns
Some patterns that can be used:
?l = letter, small caps
?d = digit
?s = special
?a = all possible input characters
If we continue with our example: we now will not scan for digit special combination but for any 2 or more characters. To do so: replace in the previous command the ?d?s with ?a?a.
After that we can run with ?a?a?a to find any combination with 3 characters at the end. Runtime: only 4 minutes:
Only when we add ?a?a?a?a for 4 characters runtime starts to increase to 6 hours:
After these runs we have found: Welcome123! for testuser3, IloveYou@9 for testuser4 and Starwars99*& for testuser5.
Combination attack mode
The above method is fast and almost always guaranteed to work. But is will only work for short extensions. There is even a faster way, but this method does not have full guarantee.
What we will do is construct a file with popular password extensions after the main word:
real file is much, much longer…
This file we will combine with the file of the already found words from the BCODE part. The combination of two files is called combination attack.
To start the hacking process go to the CMD command prompt and go to the hashcat directory. Then key in this command:
The attack mode 1 means combination attack to combine the two files.
After running this mode the Testuser2 password pops up: Letmein2018).
And yes: years in passwords are pretty popular.
End result
End result after all the different attacks:
And it really didn’t take long time. One overnight session is sufficient.
The real live sequence of cracking would be to start with the popular extensions to remove the quick wins. Then time can be spent on the hybrid mask attack: this attack goes faster when there is less input.
Preventive measures
Preventive measure 1: forbid simple password parts
By filling table USR40 you can forbid simple password parts to be used. Think about filling this table with words like:
Preventive measure 2: forbid display access to password tables
Forbid access to password tables. The hashes are stored in tables protected by the SPWD object. Don’t grant read access with S_TABU_DIS authorization object to this table group. Check via SUIM who currently has access and restrict it to only people you think really need it.
More information on the access protection can be found in OSS note 1484692.
Next blog
The next blog will explain on hacking PWDSALTEDHASH.
This blog series will explain the process of hacking SAP password hashes: also know as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be explained.
Questions that will be answered are:
Where are SAP password hashes stored?
Which software do I need to install for hacking the password hash?
How does the brute force method work?
How does the simple 10k most used password list attack work?
For follow up blog on hacking SAP PASSCODE, click here.
For follow up blog on hacking SAP PWDSALTEDHASH, click here.
For follow up blogs:
Improving attack speed by applying rule-based attack, click here.
SAP BCODE (oldest one and very weak): not to be used any more
SAP PASSCODE (less old, stronger than BCODE, but still weak): not to be used any more
SAP PWDSALTEDHASH (newest, strongest)
New SAP installations only use the newest method by default. Older system still might have stored older versions.
From user password to hash
When a users password is set initially or is changed is it hashed and stored in 2 tables:
USR02, which contains the current password
USRPWDHISTORY, which contains the history of the passwords
Older systems or wrongly configured systems store all the 3 password types mentioned above.
To start the password attack you need to get the user ID’s and hashes from the USR02 table.
Methods for getting this data (and many more):
SE11/SE16N table display
Write simple ABAP program
Database access on low level (HANA, Oracle, etc)
…. more creative methods….
For this weeks example we will use a couple of test users. The first 5 users are given simple passwords. The 6th user is given a fully random password.
The attack: from hash back to password
When you have the hashes all of the rest is now outside of the SAP system.
First step is to download a password cracking tool. A very good one is Hashcat.
Warning: this software might be considered as real hacking tool comparable to possessing burglary tools. Either only use on private laptop or after agreement of your local company security team.
Hashcat is based on GPU power and not CPU power. This means the speed of cracking depends on the quality and speed of your graphical card(s). Modern graphics card can have up to 4000 cores. Hashcat is written intelligently to use these 4000 cores via parallel processing or multiple cards.
Download the software from the site and unzip it on your local PC.
Hashcat requires for cracking BCODES the following format per line:
<<USERID>>$<<BCODE HASH>>
For the example above this results into the following file:
The brute force method
Let’s start by making a file with only TESTUSER6. This is stored in the file TestuserBcodeHashes.txt.
To start the hacking process go to the CMD command prompt, and proceed to the hashcat directory. Then key in this command:
Long command, but some part are simpler: -a 3 means brute force, -m 7700 means hashes are SAP BCODE hashes, file output and output, and very important the command to abort if the GPU temperature exceeds 80 degrees Celsius.
For full help options: go to the Hashcat website or key in Hashcat64 –help.
Result of this command is following screen:
The brute force attack will use some common pattern, but as you can see per pattern it takes about 16 hours (faster GPU means less time).
Guessing speed is at 57.000 tries per second, which is about 5 billion tries per day. Having a password with 8 random characters (26 letters, 10 digits, 33 specials) would take 69*69*69*69*69*69*69*69 = 513.000 billion options, meaning it would take 100.000 days.
Pretty good you would say. But nobody uses the brute force method.
Attacking with 10.000 most commonly used password list
If you have only letters, then the guesses for most users will be 26*26*26*26*26*26*26*26 = 208 billion only. By filtering out the hardly used q and x, it could even be 110 billion only.
Prevention 2: disallow the old hashes
Set parameter login/password_compliance_to_current_policy to 1 to forbid the old passwords to be used (in old systems this might require some testing before it is done in productive system, and changes of old passwords that are there for very long time).
Prevention 4: instructions to basis and authorization team to use the password generator for initial passwords
When generating new password: do use the password generator button. This will generate very complex password. Do use it.
Also you should make it known to basis and authorization team not to use simple and repetitive passwords like Welcome-2018 or Passw0rd! Soon you will see a pattern and can already guess new users passwords that they will select. Tell them to use the password generator.
Prevention 5: increase hash strength
You can increase the hash strength. This will make the attack last longer, since it simply takes more computing time to try stronger hashes. Read more in this blog.
Next blog
The next blog will explain on the hacking the SAP PASSCODE.
