SAP Password Cracking with John the Ripper

With the recent releases of John the Ripper (1.7.8 and above) we now have password cracking with multiple cores available so we can crack SAP passwords faster than ever before. SAP password cracking requires the Community Edition otherwise known as the Jumbo Release to support the required hash formats.

Do not use this against systems you’re not authorised to do so.

Step 1: Dump the password hashes from SAP. You can use this ABAP Program to generate them in the correct format for John the Ripper. You could alternatively dump these direct from your backend database, but they need to be in the format the code generates.

Step 2: Download and install John the Ripper. In the video I optionally compile for my Linux BackTrack server and enable OpenMP for multiple core processing, as this is my preference, but you could alternatively download a plain precompiled version. There are also Windows binaries available for download complete with OpenMP enabled, which is particularly handy if you don’t have access to multiple platforms. Whichever version you download, don’t forget you need the Jumbo Community Version.

Step 3: Simply run John the Ripper against the hashes. This will run through its standard rules and attempt to brute force the passwords, or use the --wordlist option to specify a dictionary attack based on any of the many large word lists available.

SAP has a good note describing some features you can use to limit this type of attack – See SAP Note: 1237762

SAP Password Sniffing using Cain and Abel

If you’re looking to capture SAP Passwords by sniffing your network then the simplest and easiest way has to be using Cain and Abel. Cain and Abel is a fantastic tool which I’ve been using for many years, and I was very pleasantly surprised to see the latest version 4.9.43 supports capturing and decompressing the SAP Diag protocol.

For a demo of how to capture SAP passwords using Cain and Abel see my video below.

In order to combat the vulnerability of having your SAP passwords sniffed, SAP recommends using SNC to provide end-to-end encryption, but I have to admit I’ve not yet seen a company with this implemented. A good alternative method would be to encrypt everything on your network using IPsec.

If you’re looking for a more in depth network capture of the SAP DIAG protocol then see my Wireshark Posting on the same topic.

SAP Password Sniffing using Wireshark

If you’re looking to capture SAP Passwords by sniffing your network then using Wireshark together with the Positive Technologies Research Labs Plugin is the perfect combination.

SAP GUI communication happens using the SAP DIAG protocol, which is generally compressed, making plain old network sniffing out of the question; this is exactly where the plugin comes into play.

If you want to experiment with what can be captured without compression set the system environment variable TDW_NOCOMPRESS to 1.

For a demo of how to capture SAP passwords using Wireshark see my video below.

In order to combat the vulnerability of having your SAP passwords sniffed, SAP recommends using SNC to provide end-to-end encryption, but I have to admit I’ve not yet seen a company with this implemented. A good alternative method would be to encrypt everything on your network using IPsec.

If you’re looking for an even easier way to capture SAP User passwords see my Cain and Abel posting on the same topic.

MaxDB Password Reset Procedure Versions 7.6 7.7 7.8

Following an interesting conversation at the SAP User Group Conference about a lost password for SAP MaxDB, I embarked on what I expected to be a quick bit of investigation. I searched the SAP Support Portal along with the SDN and was amazed I couldn’t find a reset procedure.

MaxDB Password Reset Procedure – Video Walkthrough

Ideally take a backup first, and if you’re able to bring the database down before editing then all the better; failing that, a reboot immediately after seems to keep things happy. I have seen an error once or twice when first changing the password, but re-trying the command has always cleared things up.

MaxDB 7.6 Password Reset

Find the target user in the upc file, overwrite the hash with zeros. Save and reboot.

Setting the control user’s password to ‘password’

MaxDB 7.7 Password Reset

Find the target user in the upc file, paste in a password hash which sets to ‘password’. Save and reboot.

Sample Hashes :
password = 358883B07AA93121891B4A932433115FB3DC1CC00B5027D8
sap = D8835545B45CD7401D82B49D2433115FB3DC1CC00B5027D8

Setting the dbm user’s password to ‘newpassword’

MaxDB 7.8 Password Reset

Find the target user in the upc file, paste in both password hashes as shown, which sets the password to ‘password’. Save and reboot.

Sample Hashes:
password = 358883B07AA93121891B4A932433115FB3DC1CC00B5027D8 041819B201CD7CA6281FC4507B5F3866145D8A61D7246E1FD928
sap = D8835545B45CD7401D82B49D2433115FB3DC1CC00B5027D8 04188B272DD84C48BA488F55E5B9012916D651F522CEEF0D29DC

Setting the dbm user’s password to ‘newpassword’, first with the older version of dbmcli found in the database manager tool and then with the current version; this keeps everything in a happy, consistent state.

For a small bit of background check out How I Discovered the MaxDB Password Reset Procedure

How I Discovered the MaxDB Password Reset Procedure

Step 1: I fired up an excellent tool, Process Monitor from SysInternals (now Microsoft owned), opened up the database manager tool and reset my user’s password. I then reviewed all the events that had just happened, initially looking to see what files had been read from, thus attempting to gain clues to how the change password operation might be working. Then later I looked at what files had been written to, ultimately hoping to see where the password might be saved.

Step 2: From analysis of the sdb.upc file I could see my users in plain text. I could be on to something interesting.

Step 3: After taking a backup of the upc file I changed the password once more and compared the two files. I could see clearly the only change made, this must be an encrypted version of the password.

Step 4: Now I was interested in seeing if the password was being salted, perhaps with a user name, hostname or some other secret. Comparing the password hashes across different servers, different versions and different database names showed no difference at all. Handy… for us.

A quick check proves I can simply copy and paste hashes between password files to reset them. I tried simply setting the password hash to all zeros, which works nicely but only for version 7.6, as later versions generate an error.
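As a defensive counterpart to the reset procedure above and to the unsalted, copy-and-paste hashes found in this walkthrough, here is an added example (not Matt Bartlett’s code) that audits a upc file for the hashes quoted in this post and fingerprints the file so that edits made outside the database manager show up. The sample data, the file layout and the assumption that a hash appears either as raw bytes or as ASCII hex are mine; the post does not state the on-disk encoding.

```python
"""Audit a MaxDB upc file for the known weak hashes quoted in this post.
Added example, not Matt Bartlett's code; it assumes only what the post shows
(unsalted hashes, identical on every server) and searches both raw bytes and
ASCII hex because the on-disk encoding is not given."""
from __future__ import annotations
import hashlib
import re

# Hashes quoted in the post (48 hex chars, the 7.6/7.7 format).
KNOWN_HASHES = {
    "358883B07AA93121891B4A932433115FB3DC1CC00B5027D8": "password",
    "D8835545B45CD7401D82B49D2433115FB3DC1CC00B5027D8": "sap",
}

def find_weak_hashes(data: bytes) -> list[tuple[str, str, int]]:
    """Return (password, encoding, offset) for every known hash found."""
    hits = []
    for hexhash, label in KNOWN_HASHES.items():
        for m in re.finditer(re.escape(bytes.fromhex(hexhash)), data):
            hits.append((label, "raw", m.start()))
        for m in re.finditer(re.escape(hexhash.encode()), data, re.IGNORECASE):
            hits.append((label, "hex", m.start()))
    return sorted(hits, key=lambda h: h[2])

def fingerprint(data: bytes) -> str:
    """SHA-256 of the file: baseline it after each legitimate password change;
    later drift means the file was edited outside the database manager."""
    return hashlib.sha256(data).hexdigest()

def audit(data: bytes, baseline: str | None = None) -> dict:
    """Integrity check plus weak-hash scan in one report."""
    return {
        "fingerprint": fingerprint(data),
        "changed": baseline is not None and fingerprint(data) != baseline,
        "weak": find_weak_hashes(data),
    }

# Constructed sample, not a real upc file: plaintext user names each followed
# by a hash, once raw, once as ASCII hex, plus one hash that is not known.
SAMPLE_UPC = (
    b"DBM\x00" + bytes.fromhex("D8835545B45CD7401D82B49D2433115FB3DC1CC00B5027D8")
    + b"CONTROL\x00" + b"358883B07AA93121891B4A932433115FB3DC1CC00B5027D8"
    + b"SAPUSER\x00" + bytes.fromhex("0123456789ABCDEF" * 3)
)

if __name__ == "__main__":
    for label, enc, off in audit(SAMPLE_UPC)["weak"]:
        print(f"offset {off}: {enc}-encoded hash of '{label}'")
```

Run it against the real sdb.upc (read as bytes) and keep the fingerprint alongside your backups so a reset that bypassed dbmcli is visible at the next check.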

UK Cyber Security Challenge. Are you in…? Well you should be!

If you’re reading this then the chances are you have at least a mild interest in IT security. I’ve been competing in the UK Cyber Security Challenge this year and I urge you to get involved. So far it’s been a fantastic experience and has really sparked my interest in this area. This year there has been a variety of different paths, from secure network design and penetration testing (or hacking) to forensics. There have been theory and hands-on challenges, for example where you’ve had the opportunity to try out your skills against the clock to hack into as many servers as possible to gain root and administrator access. If a more considered approach is more your thing then the Linux forensic investigation competition was brilliant and my personal favourite; here you had to identify 24 different compromises, how they were pulled off and how you could defend against them. I’ve seen some really clever, cunning exploits and learnt a ‘stack’ of new tricks.

The top man James Lyne from Sophos explains more

As this is my blog it’s just about ok to blow my own trumpet with my results so far…

Linux Forensic Challenge – 1st Place
Sophos and SANS Penetration Test – 1st Place
SAIC CyberNEXS Penetration Test – 1st Place

Not just because of the results so far, it really has been a worthwhile and rewarding experience.

The challenge will be back next year bigger and better than ever.

The Origin of Bartlett Remains Unimpressed

Those that have known me for some time know that wherever possible I like to get my catch phrase in “Bartlett Remains unimpressed”.

This is where it all began… Computing December 1999
Page 3 – Business Sites Open to Abuse

INTERNET service provider Global Internet has admitted that it left user names and passwords for 200 business web sites in an easily accessible file – but has no plans to warn its customers, writes Steve Ranger. The file could be downloaded by any of Global Internet’s customers whose sites were hosted on the same machine. The file was protected by simple encryption, which could easily be broken by tools available on the Internet, said Matt Bartlett, who found the file. ‘Anyone who’s used Linux or Unix usually knows this sort of thing, especially those involved in administration tasks,’ said Bartlett, an IT technician at Global Internet customer Wilts Wholesale Electrical. ‘Now we know about it, we’ll change our passwords. But what about the other companies?’ Peter Venmore, a director at Global Internet, blamed human error and said: ‘We have a dozen of these servers and they are set up correctly.’ Warning customers to change their passwords is ‘not necessarily required’, he said, because ordinary users will be unable to decrypt the file. He admitted, however: ‘If you want to throw a dictionary programme at it and the passwords are in plain text then you would be able to get access.’ Global Internet is continuing its investigation, but Bartlett remains unimpressed. ‘All this is basic security, there is nothing clever involved,’ he said.

What clever devious way did I get hold of this password file?

‘get /etc/passwd’

ohh the days before shadow password files!

How I solved Part 1 of the GCHQ Challenge.

My Video for my solution to part 1 of the GCHQ challenge.

A video is worth 10,000 words but basically this is the process I followed.

Hand typed the hex shown on the webpage into a file.

Uploaded the file to Linux and ran the ‘file’ command to give me a clue.

The ‘ndisasm’ command parses the file as assembly. It is assembly.

Used IDA Disassembler together with the Bochs x86 Emulator to step through the code. There is a check routine that points to the fact we are missing data.

Analysis of the original image shows a hidden comment within the raw content. Looks like base 64 encoded as the string is all printable characters and ends with ‘==’. Converted to hex using this online tool and pasted back into the original file.

Back into IDA Disassembler ran the code and analysed the memory revealing the solution to part 1.