SAP Password Cracking with John the Ripper

With the recent releases of John the Ripper (1.7.8 and above) we now have multi-core password cracking, so we can crack SAP passwords faster than ever before. SAP password cracking requires the community edition, otherwise known as the Jumbo release, to support the required hash formats.

Do not use this against systems you’re not authorised to test.

Step 1: Dump the password hashes from SAP. You can use this ABAP program to generate them in the correct format for John the Ripper. You could alternatively dump them directly from your backend database, but they need to be in the format the program generates.

Step 2: Download and install John the Ripper. In the video I optionally compile for my Linux BackTrack server and enable OpenMP for multi-core processing, as this is my preference, but you could alternatively download a plain precompiled version. There are also Windows binaries available to download, complete with OpenMP enabled, which is particularly handy if you don’t have access to multiple platforms. Whichever version you download, don’t forget you need the Jumbo community version.

Step 3: Simply run John the Ripper against the hashes. This will run through its standard rules and attempt to brute-force the passwords, or use the --wordlist option to specify a dictionary attack based on any of the many large word lists available.

SAP has a good note describing some features you can use to limit this type of attack. See SAP Note 1237762.
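As an added example of the defensive side of this audit (not code from the original post, and not from SAP), the Python below evaluates recovered passwords against the SAP password-policy profile parameters. The keys login/min_password_lng and the other login/min_password_* names are real SAP parameter names; the threshold values, the user:password sample lines and the character counting are constructed or simplified assumptions. It separates the accounts a stricter policy would have rejected from the accounts whose password met the policy but was still recovered, which is the case a policy change alone does not fix.

```python
"""Evaluate recovered passwords against an SAP-style password policy.

Added example, not code from the original post. The keys are real SAP
profile parameter names; the threshold values are constructed sample settings
and the character counting is a simplification of SAP's own rules.
"""

# Constructed sample policy (assumed values, not a recommendation).
SAMPLE_POLICY = {
    "login/min_password_lng": 10,
    "login/min_password_digits": 1,
    "login/min_password_letters": 1,
    "login/min_password_specials": 1,
    "login/min_password_uppercase": 1,
    "login/min_password_lowercase": 1,
}

# Constructed USER:password lines, the shape an audit report hands over.
SAMPLE_RECOVERED = [
    "DDIC:Welcome1",
    "SAPUSER1:Summer2012!",
    "TESTUSER:sap",
    "",
]


def character_counts(password):
    """Count the character classes the login/min_password_* parameters refer to."""
    return {
        "login/min_password_lng": len(password),
        "login/min_password_digits": sum(c.isdigit() for c in password),
        "login/min_password_letters": sum(c.isalpha() for c in password),
        "login/min_password_specials": sum(not c.isalnum() for c in password),
        "login/min_password_uppercase": sum(c.isupper() for c in password),
        "login/min_password_lowercase": sum(c.islower() for c in password),
    }


def policy_violations(password, policy=SAMPLE_POLICY):
    """Return the parameters, in policy order, whose minimum the password misses."""
    counts = character_counts(password)
    return [p for p, minimum in policy.items() if p in counts and counts[p] < minimum]


def audit_recovered(lines, policy=SAMPLE_POLICY):
    """Map each user in 'USER:password' lines to its list of violations."""
    report = {}
    for line in lines:
        line = line.strip()
        if ":" not in line:
            continue  # blank or summary lines carry no credential pair
        user, _, password = line.partition(":")
        report[user] = policy_violations(password, policy)
    return report


def summarise(report):
    """Split the report into accounts a stricter policy would have rejected and
    accounts whose password met the policy but was recovered anyway; the
    second group is the one a policy change alone does not fix."""
    caught = sorted(u for u, v in report.items() if v)
    passed = sorted(u for u, v in report.items() if not v)
    return caught, passed


if __name__ == "__main__":
    report = audit_recovered(SAMPLE_RECOVERED)
    caught, passed = summarise(report)
    print("policy would have rejected:", caught)
    print("met policy but still recovered:", passed)
```

The second list from summarise is the useful one after a cracking run: those accounts need a forced password change and, typically, a word-list check on new passwords rather than another tightening of the length and character-class minimums.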

Connecting SAP on Microsoft SQL to an External Oracle Database Server

During a recent bit of consulting I was asked to connect SAP to various External Databases. SAP impressed me with its Multi-Connect feature and I thought it worthy of a couple of quick videos.

If you’re already running SAP on Oracle then you can skip to Step 5.

Step 1: Download the database library. Look under Kernel Patches and make sure you select the database version you want to connect to, in this example Oracle.

Step 2: Unpack and copy the library itself, dboraslib.dll, to your application instances’ kernel folders. In the video I leveraged the instance.lst file to get SAP to do this for me as part of the sapcpe process during SAP startup.

Step 3: Download and unpack the Oracle client tools.

Step 4: Install the client tools. Select Runtime or Administrator (InstantClient on its own is not enough).

Step 5: Configure Oracle Net Manager to point to our external Oracle server. With the client tools installed it is very simple to test the connection using tnsping.

Step 6: In SAP transaction SM30, maintain table DBCON and add the connection, using the connection name we just created in Oracle Net Manager.

Step 7: Code away. You can download my sample ABAP program here.

If you’re looking for this the other way around, connecting from Oracle to Microsoft SQL, see http://www.mattbartlett.co.uk/connecting-sap-on-oracle-to-an-external-microsoft-sql-db

Connecting SAP on Oracle to an External Microsoft SQL Database Server

During a recent bit of consulting I was asked to connect SAP to various External Databases. SAP impressed me with its Multi-Connect feature and I thought it worthy of a couple of quick videos.

If you’re already running SAP on Microsoft SQL then you can skip Steps 2 and 3.

Step 1: Make sure your SQL Server is set up to support SQL Server Authentication, as the default is Windows Authentication mode only. If in any doubt about your SQL configuration, try using the standard Windows ODBC data source wizard. If you’re not getting a connection, don’t forget your listeners.

Step 2: Download the database library. Look under Kernel Patches and make sure you select the database version you want to connect to, in this example MS SQL Server.

Step 3: Unpack and copy the library itself, dbmssslib.dll, to your application instances’ kernel folders. In the video I leveraged the instance.lst file to get SAP to do this for me as part of the sapcpe process during SAP startup.

Step 4: In SAP transaction SM30, maintain table DBCON and add the connection. MSSQL_DBNAME is optional, and you can use named pipes if you really want to by entering np:hostname instead of tcp:hostname.

Step 5: Code away. You can download my sample ABAP program here.

If you’re looking for this the other way around, connecting from Microsoft SQL to Oracle, see http://www.mattbartlett.co.uk/connecting-sap-on-microsoft-sql-to-an-external-oracle-db/

One Thousand Video Views

Just a short note to mark the occasion as approximately six weeks after the website launch my videos have ticked over the one thousand views! There’s plenty of content brewing so look out for some more updates over the next few weeks.

Thank you to you all, Matt.

SAP Password Sniffing using Cain and Abel

If you’re looking to capture SAP passwords by sniffing your network then the simplest and easiest way has to be using Cain and Abel. Cain and Abel is a fantastic tool which I’ve been using for many years, and I was very pleasantly surprised to see that the latest version, 4.9.43, supports capturing and decompressing the SAP DIAG protocol.

For a demo of how to capture SAP passwords using Cain and Abel see my video below.

In order to combat the vulnerability of having your SAP passwords sniffed, SAP recommends using SNC to provide end-to-end encryption, but I have to admit I’ve not yet seen a company with this implemented. A good alternative method would be to encrypt everything on your network by using IPsec.

If you’re looking for a more in depth network capture of the SAP DIAG protocol then see my Wireshark Posting on the same topic.

SAP Password Sniffing using Wireshark

If you’re looking to capture SAP Passwords by sniffing your network then using Wireshark together with the Positive Technologies Research Labs Plugin is the perfect combination.

SAP GUI communication happens over the SAP DIAG protocol, which is generally compressed, making plain old network sniffing out of the question; this is exactly where the plugin comes into play.

If you want to experiment with what can be captured without compression set the system environment variable TDW_NOCOMPRESS to 1.

For a demo of how to capture SAP passwords using Wireshark see my video below.

In order to combat the vulnerability of having your SAP passwords sniffed, SAP recommends using SNC to provide end-to-end encryption, but I have to admit I’ve not yet seen a company with this implemented. A good alternative method would be to encrypt everything on your network by using IPsec.

If you’re looking for an even easier way to capture SAP User passwords see my Cain and Abel posting on the same topic.

Setting up SOAP in SAP and Connecting with PHP

Video Walkthrough

SAP Setup
In transaction SICF activate the following services:

Create your function modules in SE80 / SE37; don’t forget these must be remote-enabled.


Optionally create a service user.

From within transaction SOAMANAGER, go to Business Administration – Web Service Administration.

Find your web service and choose the Overview tab. Get the WSDL URL from the link “Open WSDL document for selected binding”. Optionally you can also set up authentication here.

PHP Setup
Most installations have SOAP compiled in or enabled by default.
You can double-check this with the function phpinfo.

Template program with comments – Download Here

For a video of a couple of examples of the kinds of things you can do see – SAP and PHP Demo (Using SOAP Connectivity)

MaxDB Password Reset Procedure – Versions 7.6, 7.7 and 7.8

Following an interesting conversation at the SAP User Group Conference about a lost password for SAP MaxDB, I embarked on what I expected to be a quick bit of investigation. I searched the SAP Support Portal along with the SDN and was amazed I couldn’t find a reset procedure.

MaxDB Password Reset Procedure – Video Walkthrough

Ideally take a backup first, and if you’re able to bring the database down before editing then all the better; failing that, a reboot immediately after seems to keep things happy. I have seen an error once or twice when first changing the password, but retrying the command has always cleared things up.

MaxDB 7.6 Password Reset

Find the target user in the upc file and overwrite the hash with zeros. Save and reboot.

Setting the control user’s password to ‘password’

MaxDB 7.7 Password Reset

Find the target user in the upc file and paste in a password hash which sets it to ‘password’. Save and reboot.

Sample hashes:
password = 358883B07AA93121891B4A932433115FB3DC1CC00B5027D8
sap = D8835545B45CD7401D82B49D2433115FB3DC1CC00B5027D8

Setting the dbm user’s password to ‘newpassword’

MaxDB 7.8 Password Reset

Find the target user in the upc file and paste in both password hashes as shown, which sets it to ‘password’. Save and reboot.

Sample hashes (first hash, then second hash):
password = 358883B07AA93121891B4A932433115FB3DC1CC00B5027D8 041819B201CD7CA6281FC4507B5F3866145D8A61D7246E1FD928
sap = D8835545B45CD7401D82B49D2433115FB3DC1CC00B5027D8 04188B272DD84C48BA488F55E5B9012916D651F522CEEF0D29DC

Setting the dbm user’s password to ‘newpassword’, first with the older version of dbmcli found in the Database Manager tool and then with the current version; this keeps everything in a happy, consistent state.

For a small bit of background check out How I Discovered the MaxDB Password Reset Procedure

How I Discovered the MaxDB Password Reset Procedure

Step 1: I fired up the excellent tool Process Monitor from SysInternals (now Microsoft owned), opened up the Database Manager tool and reset my user’s password. I then reviewed all the events that had just happened, initially looking to see which files had been read from, attempting to gain clues as to how the change-password operation might be working, and later looking at which files had been written to, ultimately hoping to see where the password might be saved.

Step 2: From analysis of the sdb.upc file I could see my users in plain text. I could be on to something interesting.

Step 3: After taking a backup of the upc file I changed the password once more and compared the two files. I could see clearly the only change made; this must be an encrypted version of the password.

Step 4: Now I was interested to see if the password was being salted, perhaps with a user name, hostname or some other secret. Comparing the password hashes across different servers, different versions and different database names showed no difference at all. Handy… for us.

A quick check proves I can simply copy and paste hashes between password files to reset them. I tried simply setting the password hash to all zeros, which works nicely but only for version 7.6, as later versions generate an error.
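As an added example (not code from the original post) of how a defender catches the file-level change that the reset procedure above relies on, the Python below records a SHA-256 baseline of the upc file and, when the baseline no longer matches, reports the byte regions that differ between the saved copy and the current file, which is the comparison described in step 3. The sample bytes are constructed: they use the two 7.7 hashes quoted in the reset post but assume a simple name-then-hash layout, which is an assumption for the example and not a claim about the real upc format.

```python
"""Integrity check for a credential file such as the MaxDB .upc file.

Added example, not code from the original post. The layout of SAMPLE_BEFORE
is constructed (user name, NUL, hex hash, NUL); the real .upc layout is not
assumed beyond the post's observation that user names appear in plain text.
"""
import hashlib

# Hashes quoted in the post for the 7.7 file: 'password' and 'sap'.
HASH_PASSWORD = b"358883B07AA93121891B4A932433115FB3DC1CC00B5027D8"
HASH_SAP = b"D8835545B45CD7401D82B49D2433115FB3DC1CC00B5027D8"

# Constructed sample: the CONTROL user's hash is swapped between the two copies.
SAMPLE_BEFORE = b"CONTROL\x00" + HASH_PASSWORD + b"\x00DBM\x00" + HASH_SAP + b"\x00"
SAMPLE_AFTER = b"CONTROL\x00" + HASH_SAP + b"\x00DBM\x00" + HASH_SAP + b"\x00"


def fingerprint(data):
    """SHA-256 hex digest to store as the baseline after every authorised change."""
    return hashlib.sha256(data).hexdigest()


def baseline_matches(data, expected_hex):
    """True when the file is byte-identical to the recorded baseline."""
    return fingerprint(data) == expected_hex


def changed_regions(before, after, gap=4):
    """Return [(offset, old_bytes, new_bytes)] for each region that differs.

    Runs of differing bytes separated by at most `gap` identical bytes are
    merged: two different hex hashes still agree on the odd character, so
    without merging one replaced hash shows up as several fragments.
    """
    n = min(len(before), len(after))
    runs = []
    i = 0
    while i < n:
        if before[i] == after[i]:
            i += 1
            continue
        start = i
        while i < n and before[i] != after[i]:
            i += 1
        runs.append([start, i])
    if len(before) != len(after):
        # A length change is reported as one region covering the tail.
        runs.append([n, max(len(before), len(after))])
    merged = []
    for start, end in runs:
        if merged and start - merged[-1][1] <= gap:
            merged[-1][1] = end
        else:
            merged.append([start, end])
    return [(s, before[s:e], after[s:e]) for s, e in merged]


def context_before(data, offset, width=16):
    """Bytes preceding a changed region; with plain-text user names in the
    file this usually shows which entry was touched."""
    return data[max(0, offset - width):offset]


def check(current, baseline_hex, baseline_copy):
    """Compare the current file to the recorded baseline and return a list of
    human-readable findings (empty when nothing changed)."""
    if baseline_matches(current, baseline_hex):
        return []
    findings = []
    for offset, old, new in changed_regions(baseline_copy, current):
        findings.append("offset %d after %r: %r -> %r"
                        % (offset, context_before(baseline_copy, offset), old, new))
    return findings


if __name__ == "__main__":
    baseline = fingerprint(SAMPLE_BEFORE)
    for line in check(SAMPLE_AFTER, baseline, SAMPLE_BEFORE):
        print(line)
```

Run on the constructed sample, check reports a single region at offset 8, directly after the CONTROL entry's name, covering the 24 leading hex characters that differ between the two hashes (the two quoted hashes share their last 24 characters). In practice the baseline digest and a copy of the file are kept off the database host and the check runs on a schedule, so a reset performed outside a change window is noticed even though the database itself logs nothing about the file edit.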