SAP password hash hacking Part VI: extended wordlists

As explained in the previous blogs many people use a word followed by a rule like add special and digit. Or use a word and replace character with digit or special character.

In the first blog the 10.000 word list was used.

This blog will make you aware of the existence of far more word lists and how to counter these.

Wordlists

Wordlists available:

  • Dictionaries for each language, like Webster for English. Each language has their own preferred dictionary
  • Keyboard walk list: contains fragments like QWER, UIOP, ASDF etc. These fragments are used in so-called combination attacks by using multiple fragments like: Qwer1234!@#$ (which is 3 keyboard walks)
  • Wikipedia list; this list is huge and simply contains a list of ALL words ever used on Wikipedia
  • Public site or intranet site keywords; comparable to Wikipedia, but targeted towards a single organization. Many people use the company name, department name, project name or another internal name as part of their password
  • All placenames (cities, provinces, states, countries, rivers, etc) in the world
  • All movies, actors, actrices, characters
  • Sport names and sports players
  • Lists from previous password hacks: like the LinkedIn list, RockYou list, etc.

The creator of John The Ripper offers them for money on their site (for cracking, still use hascat…).

Counter measures for attacks done by word lists

Counter measures:

  • User education to use not a single word, but two or more words in the password
  • Use single sign on in stead of passwords
  • Use generated passwords in secure storage

SE16N_BATCH program

SE16N_BATCH is a very powerful and dangerous program. You can use it to run SE16 queries for large datasets in batch mode and later pick up the results from the spool.

But it can also be misused to fetch data that you are not authorized to see, but a batch user can see.

Good use

For example you need a lot of records from BSEG:

This might fail online. If you run it in batch mode, you can simply pick up the spool later with the needed data:

Misuse

The program can be used for hacking purposes as well. Suppose you want to get all user password hashes. SE16N for USR02 is blocked. Now run the program in batch (not with your own user, but with a batch job user with rights to read USR02 data). Now all data is available in the spool for the hacker….

OSS notes

3443282 – “submit se16n_batch exporting list to memory” doesn’t work in background run

SAP password hash strengthening

The SAP password hash can be deciphered. See for example this blog. By increasing the complexity of the hash, you can slow down this process.

Questions that will be answered in this blog are:

  • How can I strengthen my SAP password hash?
  • Does it also work when I use CUA?

Password hash algorithm strength

Main blog for SAP password hash algorithm is 1458262 – ABAP: recommended settings for password hash algorithms. Note 2140269 – ABAP password hash: supporting salt sizes up to 256 bits describes the actual parameter value.

In RZ11 you need to set parameter login/password_hash_algorithm to exactly this value: encoding=RFC2307, algorithm=iSSHA-512, iterations=15000, saltsize=256.

Make sure you follow the correct syntax. The syntax is listed in OSS note 991968 - List of values for "login/password_hash_algorithm". If you don't do it properly, you might get the issue reported in OSS note 3043774 - Iterated salted hash is empty after having assigned or changed a password.

End result

Example for a test user. Before the setting the PWDSALTEDHASH field has this value:

After change of the parameter we reset the password of the user and the hash now looks like this:

Really more complex, hence more complex to decipher: the hashes are far stronger now. It can still be cracked, but it takes far more time on either single password or large group of passwords.

The parameter only effects new passwords. Not the existing ones.

CUA

If you use CUA, the password can be distributed from CUA. If you CUA system and connected systems are modern enough there is no issue at all. See the CUA section of OSS note 1458262 – ABAP: recommended settings for password hash algorithms.

SAP password hash hacking Part V: optimizing the attack speed

This blog series will explain the process of hacking SAP password hashes: also know as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be explained.

In this fifth blog we will focus on optimizing the speed of attack. The preventive measures will focus on reducing the attack speed.

For the first blog on attacking the SAP BCODE hash click here.

For the second blog on attacking the SAP PASSCODE has click here.

For the third blog on attacking the SAP PWDSALTEDHASH has click here.

For the fourth blog on advanced topics, like the rule based attack, click here.

For more on extended word lists, click here.

Questions that will be answered in this blog are:

  • How to optimize the attack speed?
  • How to optimize getting hashes converted into real passwords?

Optimizing the attack

First check if you can get hold of PASSCODE or preferably BCODE hashes. These ones are 10 to 20 times faster to hack than PWDSALTEDHASH codes.

Assuming the administrators have done their work and only PWDSALTEDHASH remains, there are still options to speed up the attack.

Get faster graphical card(s)

Don’t do password hacking on a laptop. The graphical card in any laptop is simply too slow. Use a gaming specification graphical card or cards (cost range is about 300 to 500 dollar or Euro per card).

Preparation of the attack

First thing to do is to get the password rules. Most common is 1 letter, 1 digit, 1 special and minimum length of 8. But differences occur. If for example minimum length is 10, you can adjust your dictionaries to remove all small words that will not comply.

Check the language: use the webster dictionary for English in all cases, but based on language of the company, you must use German, French, Spanish, Italian, Dutch, etc dictionaries as well.

If possible filter out high potential targets from you list. It is best to have a high value administrator or CEO, then a warehouse person who can do simple movements and write time.

Sequence of attacks

Start first with your library of most frequently used passwords. Maybe there is already a hit.

You will be surprised that about 1% will hit.

Second run is with a list of company, product and department names. If you want to target company called TARGET with product name PRODUCT, make a special file with names like:

Target2021!

Product2021!

Use the password rulebooks to generate as many variations as possible (examples are T@rget2021, Pr0duct2021!).

You will be surprised that about another 1% will hit. Who is using these simple to guess passwords? More people than you think!

Third run should be dictionary run with rulebook. Start with English and primary language of the company. Most successful Rule is word plus digit plus special.

You will be surprised that about another 1 to 3% will hit.

Pending on the speed and sizes the rulebook is a very good one to run for a longer time (consider 1 week constantly running this).

Fourth run should be a keyboard walk rulebook. The keyboard walk contains passwords like QWERtyui1234%^&*, or 1qaz@WSX (walk on keyboard…).

You will be surprised that about another 1% will hit.

Re-using the output file to generate new attack: fingerprint attack

When your first attacks are done, there is one final surprisingly successful last attack possible. For this you take your file with all the passwords you have already cracked.

These passwords you now cut into 2. Example Target2021! is cut into:

T and arget2021!

Ta and rget2021!

….

Target2021 and !

And the word itself Target2021!

Now you have 2 files. Use these into a combinator attack mode (see hashcat wiki for the exact syntax to use).

This procedure is called a fingerprint attack.

This might give surprising results like TargetProduct2021!

This attack will bring a surprising high number of hits. The better the first passwords you have cracked, the better the result here. Save this attack till last, since it can be a very lengthy one, and a lot of duplication with the previous attacks can happen.

Strengthening password technical strength

The ABAP password can be made more strong by technical means, by increasing the hash salt size. This will take longer time to crack. OSS notes:

Read more in this dedicated blog on password hash strengthening.

SAP password hash hacking Part IV: rule based attack

This blog series will explain the process of hacking SAP password hashes: also know as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be explained.

In this fourth blog we will continue with more complex attacks on the SAP password hashes and will also explain more preventive measures.

For the first blog on attacking the SAP BCODE hash click here.

For the second blog on attacking the SAP PASSCODE has click here.

For the third blog on attacking the SAP PWDSALTEDHASH has click here.

Questions that will be answered in this blog are:

  • How does the rule based attack work?
  • How to use the rules on found passwords?
  • Where to find good rule books?

The rule based attack

The dictionary rule book attack is using the dictionary as input and then applies rules to the dictionary to generate a new password candidate.

Example words we will use are Password and Welcome.

Examples of apply some rules:

  • Replace a with @ will give P@ssword
  • Replace o with 0 will give Passw0rd and Welc0me
  • Replace s with $ will give Pa$$word
  • Replace l with ! will give We!come
  • All rules above combined will give P@$$w0rd and We!c0me

For full list of possible rule syntax see Hashcat site on rule-based attack.

Suppose we have guessed one correct password for one user. He made the password Welcome1!.

Now we will construct some rules:

  1. Replace e with 3, rule will be se3
  2. Replace l with 1 and l with !, rules will be sl1 and sl!
  3. Replace o with 0, rule will be so0

We use these 3 hashes as input:

{x-issha, 1024}riqL3PXHJMOKkofOv1I4ObteIEGKw/OMny0U8MzMZ04=
{x-issha, 1024}7SC51LKZChMcpwmixb/ca/+qYvDxsXTbR3mE0IPrsaU=
{x-issha, 1024}AxErKhue0RAUveCTBgpAiJIaSDWGKdjpooiDSn5sTtg=

We construct an input file with word Welcome1! and a file with these rules:

se3

sl!

sl1

so0

Now we call Hashcat with the rule based attack mode:

hashcat64 -a 0 -m 10300 -p : --session=all -o "C:\hashes_found.txt" --outfile-format=3 -n 32 --gpu-temp-abort=80 -r "C:\simplerules.txt" "C:\hashes.txt" "C:\welcome.txt"

Great: 2 catches out of 3:

{x-issha, 1024}riqL3PXHJMOKkofOv1I4ObteIEGKw/OMny0U8MzMZ04=:We1come1!
{x-issha, 1024}AxErKhue0RAUveCTBgpAiJIaSDWGKdjpooiDSn5sTtg=:Welc0me1!

Now let’s add these rules:

o03
o13
o23

This means replace first character with digit 3, repeat for second and third.

We run again Hashcat and find the 3rd one:

{x-issha, 1024}7SC51LKZChMcpwmixb/ca/+qYvDxsXTbR3mE0IPrsaU=:W3lcome1!

What has happened here? Why is this found now, and not before with the se3 rule, which should substitute the e with 3? Pretty simple: replace e with 3 in word Welcome1! will give W3lcom31!. So it replaces all and not first one. This is there background of having many rules.

Huge rulesets

With the Hashcat download you get a special directory called rules. Here there are some big rulesets available.

The nicest one is the RockYou list of rules. This is constructed based on the RockYou password list hacked in 2009 where 32 million passwords leaked. Based on English dictionary somebody has constructed the rules to come to most of these passwords.

Effectiveness of the attack

The effectiveness of the rule based attack is quite high. If you have found 1 password, you just run the complete ruleset of one of the huge lists to find multiple variations. People are not so inventive and creative. You will be surprised on the amount of password variations you find on the following words:

  • Welcome
  • Summer
  • Winter
  • Password
  • Apple
  • Android
  • Google

Hackers don’t start with the full dictionary. They start with the top 1000 words and apply many rules to them. From the passwords found they will start to derive patterns of the users. Any new password is processed through many new rules to generate candidates with higher potential.

The name and or abbreviation of a company is word number 1 to add to the favorite word list.

Further optimization of the attack speed

For optimizing the attack speed, read the fifth blog on SAP password hash hacking here.

Prevention measure 1: frequent change and large change per time

Many companies have implemented a more faster cycle of password changes. In the past once per year was common. Nowadays 60 to 90 days is more common practice. Set this in profile parameter: login/password_expiration_time.

More important is to make a larger change per time the password changes. This is to avoid the rule-attacks explained above to become very effective. How many people just simply change and increase single digit in password? Or increase the special with the next one on the keyboard. Set the profile parameter login/min_password_diff to sufficiently high value of 3 or more.

Prevention measure 2: length

Explain to your users that length is more important than complexity by using this famous explanation:

correct horse battery staple

Prevention measure 3: stronger hashes

Stronger hashes simply take more time to crack. To set stronger hashes, read this dedicated blog.

Next blog on password hacking

The fifth blog on password hacking is about optimizing the attack speed. Read on in the blog. And the blog on extended word lists.

SAP password hash hacking Part III: SAP PWDSALTEDHASH hash hacking

This blog series will explain the process of hacking SAP password hashes: also know as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be explained.

In this third blog we will continue with more complex attacks on the SAP password hashes and will also explain more preventive measures. Now we focus on the SAP PWDSALTEDHASH hash.

For the first blog on attacking the SAP BCODE hash click here.

For the second blog on attacking the SAP PASSCODE has click here.

For follow up blog on improving attack speed by applying rule-based attack, click here. And the blog on optimizing the attack. And the blog on extended word lists.

Questions that will be answered in this blog are:

  • How to get the PWDSALTEDHASH codes?
  • How does the dictionary attack work?
  • How does the dictionary combination attack work?
  • How does the dictionary with mask attack work?
  • What more can I do to prevent a password attack?

Getting the PWDSALTEDHASH codes

The testusers 1 to 5 have been given a new password and the security admin has done its job. This is what you see in USR02:

After clean up USR02

Double clicking on a line and scrolling down will give you the PWDSALTEDHASH field content:

pwdsaltedhash from USR02

Getting many is too much work. For this you can use code of the program ZFETCH_PWDSALTEDHASH below:

*&--------------------------------------------------------------------*
*& Report ZFETCH_PWDSALTEDHASH
*&--------------------------------------------------------------------*
 REPORT ZFETCH_PWDSALTEDHASH.
 DATALV_USR02 TYPE USR02.
 DATALV_STRING TYPE STRING.
 SELECT FROM USR02 INTO LV_USR02 WHERE PWDSALTEDHASH NE SPACE.
   CONCATENATE LV_USR02-BNAME '

The output for our testusers is now:

Testuser PWDSALTEDHASH hashes

You need to save the part from {x-issha etc in a new file. The user ID in front is not needed. It is just needed in case you decrypt a password from a hash to go find the user ID.

The dictionary attack

We still assume that there is a very strict policy on strong password:

  • Minimum length 10
  • Minimum 1 upper, lower, digit and special

Since the admin has cleaned up the BCODE we have no idea on the first 8 characters now.

The trick we will use is the dictionary attack. We assume some of the users will use a password with the following rule:

  1. Take a word
  2. Capitalize first letter, rest is small
  3. Add a digit
  4. Add a special character

As input file for this attack we take all word from the Webster Dictionary: webster dictionary file.

We now go back to our Hashcat directory on C:\HC and give following command:

hashcat64 -a 6 -m 10300 -p : --session=all --force -o "C:\HC\users_found.txt" --outfile-format=3 --markov-disable --remove -u 128 --gpu-temp-abort=80 --gpu-temp-retain=70 "C:\HC\pwdsaltedhash testusers.txt" "C:\HC\webster-dictionary.txt" ?d?s

Command explanation: attack mode 6 for dictionary attack and 10300 for SAP PWDALSTEDHASH format.

And now hashcat is showing is parallelization power:

dictionary attack

To test all the combinations on the 5 users only 30 minutes are needed, with almost 200.000 tries per second.

2 passwords were found: TESTUSER1 with password Theobald1! and TESTUSER5 with password Tetrazotization5{.

Especially the last one is striking: this is normally not considered a simple password: Tetrazotization5{. But because it appears in a dictionary it is relative simple to retrieve.

Combination attack with dictionary

To really show the speed, we will now perform the combination attack explained in the previous blog again. We will use the dictionary in combination with the popular extension file. Command to give:

hashcat64 -a 1 -m 10300 -p : --session=all --force -o "C:\HC\testusers_found.txt" --outfile-format=3 --remove -u 128 --gpu-temp-abort=80 --gpu-temp-retain=70 "C:\HC\pwdsaltedhash testusers.txt" "C:\HC\webster-dictionary.txt" "C:\HC\Popular extensions.txt"

And now the performance and speed is even higher:

combination dictionary

2 out of 3 remaining passwords were found in 1 minute only!

TESTUSER2 with Themis2018! and TESTUSER3 with Vacation123!

Dictionary with mask attack

For the last to be found password, we will use the dictionary with mask attack.

Command to give:

hashcat64 -a 6 -m 10300 -p : --session=all --force -o "C:\HC\testusers_found.txt" --outfile-format=3 --markov-disable --remove -u 128 --gpu-temp-abort=80 --gpu-temp-retain=70 "C:\HC\pwdsaltedhash testusers.txt" "C:\HC\webster-dictionary.txt" ?a?a

We try with 2 random characters after the word. After some time nothing. Then we increase to 3 characters:

hashcat64 -a 6 -m 10300 -p : --session=all --force -o "C:\HC\testusers_found.txt" --outfile-format=3 --markov-disable --remove -u 128 --gpu-temp-abort=80 --gpu-temp-retain=70 "C:\HC\pwdsaltedhash testusers.txt" "C:\HC\webster-dictionary.txt" ?a?a?a

It runs for 4 hours with about 200.000 guesses per second:

dictionary mask attack

And it finally finds the last password: TESTUSER4 with Organoid1@#

Dictionaries

The example above is just one dictionary. Also think about dictionaries with names of persons, football clubs, cities and countries, etc. Largest dictionary so far is called the Wikipedia dictionary. It is about 250 MB large and contains all the unique words used on Wikipedia.

Preventive measures

Preventive measure 1: user education

Educate your users not to take a dictionary word directly and only add a digit letter.

Especially power users, like basis and user administrators, should really receive this education. Don’t assume they know. 90% of them does not, or even hands out passwords like Welcome2018!

Preventive measure 2: extra strong passwords for background and power users

You can set extra strong password requirements for background users and power users (basis and user administrators). This can be done by setting up specific security policies. This is explained in this blog.

Preventive measure 3: stronger hashes

By creating stronger hashes, the attackers need more time. It will not stop them, but slow them down. Read more on setting stronger hashes in this dedicated blog.

Next blog

The next blog will focus on rule based attack mode, which is one of the most effective methods.

SAP password hash hacking Part II: SAP PASSCODE hash hacking

This blog series will explain the process of hacking SAP password hashes: also know as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be explained.

In this second blog we will continue with more complex attacks on the SAP password hashes and will also explain more preventive measures. Now we focus on the SAP PASSCODE hash.

For the first blog on attacking the SAP BCODE hash click here.

Questions that will be answered in this blog are:

  • How to attack the PASSCODE from the BCODE?
  • How does the hybrid mask attack mode work?
  • How does the combination attack mode work?
  • What more can I do to prevent a password attack?For follow up blog on hacking SAP PWDSALTEDHASH, click here.

    For follow up blog on improving attack speed by applying rule-based attack, click here. And the blog on optimizing the attack. And the blog on extended word lists.

How to attack the PASSCODE from the BCODE?

In the previous blog we have seen how easy it is to get the passwords from the BCODE. The BCODE is capturing the first 8 characters of the password in capital mode. The other characters of the password are not stored in the BCODE, but in the full PASSCODE. If the password is length 8 or below, you can already logon with the found BCODE password.

Now lets assume company password policy is:

  • Minimum password length is 10
  • Minimum 1 digit, 1 letter upper case, 1 letter lower case, 1 special

Pretty safe you might think.

We will use the previous 5 guessed test users. Their passwords from BCODE were: PASSWORD, LETMEIN, WELCOME, ILOVEYOU, STARWARS. We don’t know exactly which letters in the passwords are uppercase and which ones are lowercase. But we can make educated guess here, which we store in notepad file:

Notepad bcode file with guesses

As you can see these are logical variations. Most people use password as they type: First letter in upper case, rest in lower case.

Getting the PASSCODE from USR02 table

We use one of the many methods to get the PASSCODE hash strings from the USR02 table:

PASSCODE from USR02

And we put this into notepad file with user name and $ for separator:

Notepad passcodes

Hybrid mask attack

What we will do is use a so called hybrid mask attack. This attack uses certain patterns.

The first pattern we will use is use the file with the BCODE guesses and at the end at a digit and special character.

To start the hacking process go to the CMD command prompt and proceed to the hashcat directory. Then key in this command:

hashcat64 -a 6 -m 7800 -p : --session=all -o "C:\HC\TestuserPassCodeHashes_found.txt" --outfile-format=3 --markov-disable --remove --gpu-temp-abort=80 "C:\HC\TestuserPassCodeHashes.txt" "C:\HC\BCODEinputfilewithguesses.txt" ?d?s

Explanation of the command: 7800 means the hashes are SAP PASSCODE. Output goes to _found file. Input is the TestuserPassCodeHashes file. The text fie with the guesses is then combined with ?d?s. This means take every entry from the file and add first a digit, then a special. This will then try for example Password1!, Password2!, ….Password1@, Password2@, etc.

Result (after 1 min or so):

Hybrid ds

Password found: Password1! for testuser1. The output is in the output file. And the found hash is removed from the input file.

Hybrid mask patterns

Some patterns that can be used:

?l = letter, small caps

?d = digit

?s = special

?a = all possible input characters

If we continue with our example: we now will not scan for digit special combination but for any 2 or more characters. To do so: replace in the previous command the ?d?s with ?a?a.

After that we can run with ?a?a?a to find any combination with 3 characters at the end. Runtime: only 4 minutes:

Hybrid aaa

Only when we add ?a?a?a?a for 4 characters runtime starts to increase to 6 hours:

Hybrid aaaa

After these runs we have found: Welcome123! for testuser3, IloveYou@9 for testuser4 and Starwars99*& for testuser5.

Combination attack mode

The above method is fast and almost always guaranteed to work.  But is will only work for short extensions. There is even a faster way, but this method does not have full guarantee.

What we will do is construct a file with popular password extensions after the main word:

Popular extensions real file is much, much longer…

This file we will combine with the file of the already found words from the BCODE part. The combination of two files is called combination attack.

To start the hacking process go to the CMD command prompt and go to the hashcat directory. Then key in this command:

hashcat64 -a 1 -m 7800 -p : --session=all -o "C:\HC\TestuserPassCodeHashes_found.txt" --outfile-format=3 --remove --gpu-temp-abort=80 --gpu-temp-retain=70 "C:\HC\TestuserPassCodeHashes.txt" "C:\HC\BCODEinputfilewithguesses.txt" "C:\HC\Popular extensions.txt"

The attack mode 1 means combination attack to combine the two files.

After running this mode the Testuser2 password pops up: Letmein2018).

And yes: years in passwords are pretty popular.

End result

End result after all the different attacks:

end result passcode

And it really didn’t take long time. One overnight session is sufficient.

The real live sequence of cracking would be to start with the popular extensions to remove the quick wins. Then time can be spent on the hybrid mask attack: this attack goes faster when there is less input.

Preventive measures

Preventive measure 1: forbid simple password parts

By filling table USR40 you can forbid simple password parts to be used. Think about filling this table with words like:

  • Your company name
  • password
  • welcome
  • letmein
  • The current year
  • All the full names of the months (january, etc)
  • ….

For more inspiration see list of most used passwords on Wikipedia.

Preventive measure 2: forbid display access to password tables

Forbid access to password tables. The hashes are stored in tables protected by the SPWD object. Don’t grant read access with S_TABU_DIS authorization object to this table group. Check via SUIM who currently has access and restrict it to only people you think really need it.

More information on the access protection can be found in OSS note 1484692.

Next blog

The next blog will explain on hacking PWDSALTEDHASH.

SAP password hacking Part I: SAP BCODE hash hacking

This blog series will explain the process of hacking SAP password hashes: also know as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be explained.

Questions that will be answered are:

  • Where are SAP password hashes stored?
  • Which software do I need to install for hacking the password hash?
  • How does the brute force method work?
  • How does the simple 10k most used password list attack work?

For follow up blog on hacking SAP PASSCODE, click here.

For follow up blog on hacking SAP PWDSALTEDHASH, click here.

For follow up blogs:

  • Improving attack speed by applying rule-based attack, click here.
  • blog on optimizing the attack.
  • blog on extended word lists

SAP password hashes

SAP has 3 main password hashes:

  1. SAP BCODE (oldest one and very weak): not to be used any more
  2. SAP PASSCODE (less old, stronger than BCODE, but still weak): not to be used any more
  3. SAP PWDSALTEDHASH (newest, strongest)

New SAP installations only use the newest method by default. Older system still might have stored older versions.

From user password to hash

When a users password is set initially or is changed is it hashed and stored in 2 tables:

  1. USR02, which contains the current password
  2. USRPWDHISTORY, which contains the history of the passwords

Older systems or wrongly configured systems store all the 3 password types mentioned above.

To start the password attack you need to get the user ID’s and hashes from the USR02 table.

Methods for getting this data (and many more):

  • SE11/SE16N table display
  • Write simple ABAP program
  • Database access on low level (HANA, Oracle, etc)
  • …. more creative methods….

For this weeks example we will use a couple of test users. The first 5 users are given simple passwords. The 6th user is given a fully random password.

USR02 BCODE

The attack: from hash back to password

When you have the hashes all of the rest is now outside of the SAP system.

First step is to download a password cracking tool. A very good one is Hashcat.

Hashcat

Warning: this software might be considered as real hacking tool comparable to possessing burglary tools. Either only use on private laptop or after agreement of your local company security team.

Hashcat is based on GPU power and not CPU power. This means the speed of cracking depends on the quality and speed of your graphical card(s). Modern graphics card can have up to 4000 cores. Hashcat is written intelligently to use these 4000 cores via parallel processing or multiple cards.

Download the software from the site and unzip it on your local PC.

Hashcat requires for cracking BCODES the following format per line:

<<USERID>>$<<BCODE HASH>>

For the example above this results into the following file:

USR02 BCODE hashes in notepad

The brute force method

Let’s start by making a file with only TESTUSER6. This is stored in the file TestuserBcodeHashes.txt.

To start the hacking process go to the CMD command prompt, and proceed to the hashcat directory. Then key in this command:

hashcat64 -a 3 -m 7700 -p : --session=all -o "C:\HC\TestuserBcodeHashes_found.txt" --outfile-format=3 --markov-disable --remove --gpu-temp-abort=80 "C:\HC\TestuserBcodeHashes.txt"

Long command, but some part are simpler: -a 3 means brute force, -m 7700 means hashes are SAP BCODE hashes, file output and output, and very important the command to abort if the GPU temperature exceeds 80 degrees Celsius.

For full help options: go to the Hashcat website or key in Hashcat64 –help.

Result of this command is following screen:

TESTUSER6

The brute force attack will use some common pattern, but as you can see per pattern it takes about 16 hours (faster GPU means less time).

Guessing speed is at 57.000 tries per second, which is about 5 billion tries per day. Having a password with 8 random characters (26 letters, 10 digits, 33 specials) would take 69*69*69*69*69*69*69*69 = 513.000 billion options, meaning it would take 100.000 days.

Pretty good you would say. But nobody uses the brute force method.

Attacking with 10.000 most commonly used password list

People tend to user more simpler and more repetitive passwords. See wikipedia for most common and 10.000 most common used passwords. For full list read this blog.

You can download the file 10.000 most common here: 10k most common

Again we start now Hashcat tool, but now with different command and we will use the file with all the 6 hashes:

 -a 6 -m 7700 -p : --session=all -o "C:\HC\TestuserBcodeHashes_found.txt" --outfile-format=3 --markov-disable --remove --gpu-temp-abort=80 "C:\HC\TestuserBcodeHashes.txt" "C:\HC\10k most common.txt"

Attack mode (wordlist) is chosen and we have given the 10k most common text file as wordlist input.

Result:

Run results 10k passwords

Recovered passwords: 5 out of 6 in about 0 seconds!

TESTUSER1$D1FD06BD3B0744D9:PASSWORD
TESTUSER2$93D7C1E614C14B85:LETMEIN
TESTUSER3$EE3DAC02B26F87D5:WELCOME
TESTUSER4$C8172A9B5BFC09F6:ILOVEYOU
TESTUSER5$9157294124B1EAA4:STARWARS

You now can logon with these passwords.

This means that we can decrypt the password way much faster than the theoretical example from previous chapter.

How to protect yourself from password hash attacks?

Prevention 1: set password complexity

Set the password complexity rules to at least 1:

login/min_password_digits
login/min_password_letters
login/min_password_lowercase
login/min_password_uppercase
login/min_password_specials

If you have only letters, then the guesses for most users will be 26*26*26*26*26*26*26*26 = 208 billion only. By filtering out the hardly used q and x, it could even be 110 billion only.

Prevention 2: disallow the old hashes

Set parameter login/password_compliance_to_current_policy to 1 to forbid the old passwords to be used (in old systems this might require some testing before it is done in productive system, and changes of old passwords that are there for very long time).

Prevention 3: clean up the old hashes

Use program CLEANUP_PASSWORD_HASH_VALUES to clean up the old hashes (see OSS note 2845609 – How to find user name with legacy hash values when executing report CLEANUP_PASSWORD_HASH_VALUES for detailed manual):

CLEANUP_PASSWORD_HASH_VALUES

After checking, start the actual cleanup.

More information on program CLEANUP_PASSWORD_HASH_VALUE  can be found in OSS note 2845609 – How to find user name with legacy hash values when executing report CLEANUP_PASSWORD_HASH_VALUES.

Prevention 4: instructions to basis and authorization team to use the password generator for initial passwords

When generating new password: do use the password generator button. This will generate very complex password. Do use it.

Also you should make it known to basis and authorization team not to use simple and repetitive passwords like Welcome-2018 or Passw0rd! Soon you will see a pattern and can already guess new users passwords that they will select. Tell them to use the password generator.

Prevention 5: increase hash strength

You can increase the hash strength. This will make the attack last longer, since it simply takes more computing time to try stronger hashes. Read more in this blog.

Next blog

The next blog will explain on the hacking the SAP PASSCODE.