Checking SAP passwords strength – part II (JAVA)

Hello! Today’s post can be considered an appendix to our previous post. We will learn how to validate the strength of SAP passwords by trying to crack them, this time focusing on the password hashes stored by the SAP JAVA Application Server.

The JAVA Application Server stores passwords as BASE64-encoded hashes. The algorithm used is salted SHA-1, also known as SSHA1 [1]: SHA-1 is computed over the password and a per-user random salt, and the salt is stored next to the digest so the hash can be recomputed at logon. Salting defeats precomputed (rainbow) tables, but it does nothing against a dictionary attack run against each hash individually, which is exactly what we do below.

SAP JAVA “stack” password hashes are stored in the database table UME_STRINGS. The rows holding password hashes can be filtered on the “attr” column (attr = 'j_password'). The following SQL query returns each user identifier together with its hash:

SELECT pid, val FROM UME_STRINGS WHERE attr = 'j_password'

Running this query against a test SAP Java Application Server database returns rows like the following:

UACC.PRIVATE_DATASOURCE.un:test7 {SSHA}WjidPOegHOA8Gk6WGWFnE4e9de4v9TbYqpM=
UACC.PRIVATE_DATASOURCE.un:test3 {SSHA}GVCl5xu3lr0pzDApBhd/kA1PwM77rJV/Qqc=

Two pieces of information are needed for the cracking process: the user name, which is the part of the pid column after “un:” (test7 and test3 in the rows above), and the {SSHA} hash in the val column.

The cracking process

To detect weak passwords, we will again use the tool “John the Ripper” (JtR) [2] (for more information, see our previous post).

JtR supports the SSHA-1 format, so to start the process we need to create a file to feed John with the password hashes, one entry per line, in the following format:

username:{SSHA}HASH

For example:

CrackMe123:{SSHA}F9F5FIUbuqrPo3k2MyJJB8lhpFROY/gYmMA=

To recover the password behind this hash, we run the following command (replace the two paths with your wordlist and the hash file created above):

./john --wordlist=/path_to_our_preferred_wordlist --format=ssha1 /path_to_file_containing_the_hash_file

If the process finds the password corresponding to that hash, the output looks like this (the cracked password appears first, followed by the user name in parentheses):

Loaded 1 password hash (Salted SHA-1 [128/128 AVX intrinsics 8x])
Test1234 (CrackMe123)
guesses: 1 time: 0:00:00:03 DONE (Mon Feb 25 16:08:57 2013) c/s: 9203K trying: zzzz1111
Use the "--show" option to display all of the cracked passwords reliably
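The whole procedure above (query UME_STRINGS, pull the user name out of pid, write a username:{SSHA}hash file for --format=ssha1) is easy to script, and understanding the SSHA layout also lets you confirm a cracked candidate offline without re-running John. The following Python is an added example written for this post; it is not code from the original article or from SAP. It assumes the LDAP-style SSHA layout that John's ssha1 format implements, base64(SHA-1(password + salt) + salt), and that the user name is the part of the pid column after “un:”. The sample rows are the two rows shown above; the salt in the round-trip at the end is constructed.

```python
import base64
import hashlib
import os

# SHA-1 digest length: under the SSHA layout (assumption: SAP UME follows the
# LDAP-style base64(sha1(password + salt) + salt)), everything after the first
# 20 decoded bytes is the salt.
SHA1_LEN = 20

# Constructed sample of what the UME_STRINGS query returns as (pid, val);
# these are the two rows shown in the post.
SAMPLE_ROWS = [
    ("UACC.PRIVATE_DATASOURCE.un:test7", "{SSHA}WjidPOegHOA8Gk6WGWFnE4e9de4v9TbYqpM="),
    ("UACC.PRIVATE_DATASOURCE.un:test3", "{SSHA}GVCl5xu3lr0pzDApBhd/kA1PwM77rJV/Qqc="),
]


def username_from_pid(pid):
    """Strip the UME datasource prefix: the user name follows the last 'un:'
    (assumption based on the pid values shown in the post)."""
    marker = "un:"
    idx = pid.rfind(marker)
    return pid[idx + len(marker):] if idx != -1 else pid


def split_ssha(hash_str):
    """Return (digest, salt) from a '{SSHA}base64' string; ValueError if malformed."""
    if not hash_str.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} hash: %r" % hash_str)
    raw = base64.b64decode(hash_str[len("{SSHA}"):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("decoded hash too short to contain a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_hash(password, salt):
    """Build an {SSHA} string with the SSHA layout: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_password(password, hash_str):
    """Offline check of one candidate against one hash: what John does per guess."""
    digest, salt = split_ssha(hash_str)
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def john_lines(rows):
    """Turn (pid, val) rows into 'username:{SSHA}hash' lines for --format=ssha1.
    Rows whose value does not parse as SSHA are skipped rather than fed to John."""
    out = []
    for pid, val in rows:
        try:
            split_ssha(val)
        except ValueError:
            continue
        out.append("%s:%s" % (username_from_pid(pid), val))
    return out


def write_john_file(rows, path):
    """Write the John input file and return its path."""
    with open(path, "w") as f:
        for line in john_lines(rows):
            f.write(line + "\n")
    return path


if __name__ == "__main__":
    for line in john_lines(SAMPLE_ROWS):
        print(line)
    # Round-trip a constructed hash to show the layout John's ssha1 format expects.
    salt = os.urandom(8)
    h = ssha_hash("Test1234", salt)
    print(h, check_password("Test1234", h), check_password("test1234", h))
```

Feed the rows from the SQL query into write_john_file and point John at the resulting file with --format=ssha1. Because the salt is recoverable from every stored hash, check_password shows why salting does not slow a wordlist attack: each candidate costs one SHA-1 per hash, and the only defence left is the password's own strength.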

Conclusions

As mentioned in our previous post, the most important countermeasures for protecting the password hashes and mitigating the risk of password cracking are to restrict access to the SAP Application Server operating system and database, so that the hashes cannot be read in the first place, and, of course, to configure a strong password policy, since salting does not protect a password that appears in a wordlist.

References

[1] http://en.wikipedia.org/wiki/Salt_(cryptography)
[2] http://www.openwall.com/john/
