With the recent releases of John the Ripper (1.7.8 and above) we now have password cracking across multiple cores, so we can crack SAP passwords faster than ever before. SAP password cracking requires the Community Edition, otherwise known as the Jumbo release, because that is the build that supports the required SAP hash formats.
Do not use this against systems you are not authorised to test.
Step 1: Dump the password hashes from SAP. You can use this ABAP Program to generate them in the correct format for John the Ripper. You could alternatively dump them directly from your backend database, but they need to be in the format the program generates.
Step 2: Download and install John the Ripper. In the video I optionally compile it for my Linux Backtrack server and enable OpenMP for multi-core processing, as this is my preference, but you could alternatively download a plain precompiled version. There are also Windows binaries available, built with OpenMP enabled, which is particularly handy if you don't have access to multiple platforms. Whichever version you download, don't forget you need the Jumbo Community version.
Step 3: Simply run John the Ripper against the hashes. By default it runs through its standard rules and attempts to brute force the passwords; alternatively, use the --wordlist option to run a dictionary attack based on any of the many large word lists available.
SAP has a good note describing some features you can use to limit this type of attack: see SAP Note 1237762.
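The note above is about limiting the damage a stolen hash dump can do, and in practice that comes down to the login/* profile parameters on the instance. As an added example (not part of the original post, and not SAP's own code), the script below parses a profile excerpt and flags parameters that fall short of a hardening baseline. The parameter names are real SAP profile parameters; the thresholds in BASELINE are this example's own assumptions rather than values quoted from the note, and both profile texts are constructed for the example.

```python
"""
Audit an SAP instance profile excerpt for password-policy parameters that
reduce the value of a stolen password hash dump.

Added example, not from the original post or from SAP. Parameter names are
real SAP profile parameters; the thresholds in BASELINE are this example's
own assumed hardening baseline, and the profile texts are constructed.
"""
import re
from typing import Dict, List, Optional

# Matches "name = value" profile lines, e.g. "login/min_password_lng = 8".
PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/.]+)\s*=\s*(.*?)\s*$")

# Assumed baseline: parameter -> (comparison, threshold, why it matters for cracking).
BASELINE = {
    "login/min_password_lng": (">=", 12, "short passwords are exhausted by brute force quickly"),
    "login/min_password_digits": (">=", 1, "no digit requirement lets plain dictionary words through"),
    "login/min_password_letters": (">=", 1, "purely numeric passwords should be rejected"),
    "login/min_password_specials": (">=", 1, "special characters enlarge the search space per position"),
    "login/password_downwards_compatibility": ("<=", 0, "values above 0 also store older, weaker hash formats of the same password"),
    "login/password_expiration_time": (">=", 1, "0 means no expiry, so a cracked password stays valid indefinitely"),
}

# Constructed sample: a weak, default-like profile (not a real system).
WEAK_PROFILE = """\
# constructed sample profile
SAPSYSTEMNAME = XYZ
login/min_password_lng = 6
login/min_password_digits = 0
login/min_password_letters = 0
login/min_password_specials = 0
login/password_downwards_compatibility = 5
login/password_expiration_time = 0
"""

# Constructed sample: the same profile after hardening to the assumed baseline.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = XYZ
login/min_password_lng = 14
login/min_password_digits = 1
login/min_password_letters = 1
login/min_password_specials = 1
login/password_downwards_compatibility = 0
login/password_expiration_time = 90
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Return {parameter: raw value} for every 'name = value' line, ignoring comments."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        match = PARAM_RE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def _meets(op: str, actual: int, threshold: int) -> bool:
    return actual >= threshold if op == ">=" else actual <= threshold


def audit_password_policy(params: Dict[str, str]) -> List[Dict[str, Optional[object]]]:
    """Return one finding per baseline parameter that is missing, non-numeric or out of range."""
    findings: List[Dict[str, Optional[object]]] = []
    for name, (op, threshold, reason) in BASELINE.items():
        expected = f"{op} {threshold}"
        raw = params.get(name)
        if raw is None:
            findings.append({"param": name, "actual": None, "expected": expected,
                             "reason": "not set in profile; the kernel default applies and must be checked"})
            continue
        try:
            actual = int(raw)
        except ValueError:
            findings.append({"param": name, "actual": raw, "expected": expected,
                             "reason": f"non-numeric value {raw!r}"})
            continue
        if not _meets(op, actual, threshold):
            findings.append({"param": name, "actual": actual, "expected": expected, "reason": reason})
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        findings = audit_password_policy(parse_profile(text))
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f['param']} = {f['actual']} (want {f['expected']}): {f['reason']}")
```

Run it against the text of an instance profile (or the output of RZ11 pasted into the same name = value form) to get a list of parameters to raise; the downwards-compatibility check matters most, since leaving legacy hash formats in the user store means the faster-to-crack variant is what ends up in the dump.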