Checking SAP passwords strength - part II (JAVA)
Hello! Today's post can be considered as a appendix to our previous post. We will learn how to validate the strength of SAP passwords by trying to crack them. We'll focus on the password hashes coming from the SAP JAVA Application Server.
SAP JAVA “stack” password hashes are stored in a database table called UME_STRINGS. The JAVA password hashes can be filtered by the “attr” field (attr = 'j_password'). We can get the user name along with its corresponding hash by executing the following SQL query:
SELECT pid, val FROM UME_STRINGS WHERE attr = 'j_password'
After executing this query on a test SAP Java Application Server Database, we will get the following results:
The relevant information needed for the cracking process is marked in bold. This information would be the user name first, and then the password hash for that user.
The cracking process
JtR supports SSHA-1 algorithm, so to start the process, we need to create a file to feed John with the password hashes. This file should be created with all of its entries having the following format:
To find out the password which originated this hash we have to execute the following command:
./john --wordlist=/path_to_our_preferred_wordlist --format=ssha1 /path_to_file_containing_the_hash_file
And, if the process discovered the password corresponding for that hash, we will get something like this:
Loaded 1 password hash (Salted SHA-1 [128/128 AVX intrinsics 8x])
guesses: 1 time: 0:00:00:03 DONE (Mon Feb 25 16:08:57 2013) c/s: 9203K trying: zzzz1111
Use the "--show" option to display all of the cracked passwords reliably
As mentioned in our previous post, the most important countermeasure that we should apply in order to secure the passwords and to mitigate the risk of password cracking is to restrict access to the SAP Application Server OS and database, and of course, configure a strong password policy.