SAP R/3 forum for ABAP consultants
Russian ABAP Developer's Club


Protect SAP against hackers using 'word attack/dictionary'

admin (Administrator)



Joined: 01 Sep 2007
Posts: 1639

Posted: Sun Nov 25, 2007 2:22 am    Post subject: Protect SAP against hackers using 'word attack/dictionary'

Protect SAP against hackers using "word attack/dictionary" methods

Code:
REPORT ZUSR40 NO STANDARD PAGE HEADING.
**************************************************************
* Hacking methods like "word attack" or "dictionary method"
* achieve a surprisingly high password cracking percentage on
* SAP systems. Despite SAP's extensive protection system
* (irreversible password, password aging, minimum length,
* has to be different from the last 5 passwords, cannot contain
* the first three characters of the username ...) there is no
* good protection against weak (guessable) passwords.
*
* This program takes one of the most popular UNIX hacking
* dictionaries (CRACK, available on the web) as an input, and
* after filtering and varying the words based upon the SAP
* password rules, it uploads them to USR40 (illegal passwords).
* This will prevent the users from using weak passwords.
* Schedule this program to run in batch, because it runs for a
* couple of hours.
**************************************************************

TABLES: USR02, USR40.
DATA: I TYPE I, MIN_LENGTH TYPE I.
* Position 0 is a blank, so NUMBERS+SY-INDEX(1) gives '0'..'9'
* for SY-INDEX 1..10 inside DO 10 TIMES
DATA: NUMBERS(11) VALUE ' 0123456789'.

DATA: BEGIN OF DATA_TAB OCCURS 5000,
    LINE(12),
END OF DATA_TAB.
DATA: BEGIN OF VARIATION_TAB OCCURS 5000,
    LINE(12),
END OF VARIATION_TAB.

DATA: BEGIN OF PARAMETER OCCURS 500,
    STATUS LIKE SY-INDEX,
    NAME(60),
    CURRENT(60),
    DEFAULT(60),
END OF PARAMETER.

* Find out the value of login/min_password_lng
CALL 'C_SAPGALLPARAM' ID 'PAR_SUB' FIELD PARAMETER-*SYS*.
LOOP AT PARAMETER.
  IF PARAMETER-NAME = 'login/min_password_lng'.
    MIN_LENGTH = PARAMETER-CURRENT.
    EXIT.
  ENDIF.
ENDLOOP.

* Upload from the frontend workstation
*CALL FUNCTION 'WS_UPLOAD'
*  EXPORTING
*    FILENAME = 'c:\temp\dict.txt'
*  TABLES
*    DATA_TAB = DATA_TAB.

* Upload from the application server
OPEN DATASET '/tmp/dict.txt' IN TEXT MODE FOR INPUT.
IF SY-SUBRC <> 0.
  WRITE: / 'Cannot open /tmp/dict.txt'.
  EXIT.
ENDIF.
DO.
  READ DATASET '/tmp/dict.txt' INTO DATA_TAB.
  IF SY-SUBRC <> 0.
    EXIT.
  ENDIF.
  APPEND DATA_TAB.
ENDDO.
CLOSE DATASET '/tmp/dict.txt'.

* Remove the short and long words
MIN_LENGTH = MIN_LENGTH - 1.
LOOP AT DATA_TAB.
  I = STRLEN( DATA_TAB ).
* It does not make sense to use words longer than 8 (USR40-BCODE = 8) or
* shorter than login/min_password_lng - 1 (those only become long
* enough once a digit is appended below).
  IF I > 8 OR I < MIN_LENGTH.
    DELETE DATA_TAB.
  ELSE.
    TRANSLATE DATA_TAB TO UPPER CASE.
    MODIFY DATA_TAB.
  ENDIF.
ENDLOOP.

* Add a trailing number (e.g. PENCIL -> PENCIL0, PENCIL1, PENCIL2 ...)
LOOP AT DATA_TAB.
  DO 10 TIMES.
    VARIATION_TAB = DATA_TAB.
    VARIATION_TAB+11(1) = NUMBERS+SY-INDEX(1).
    CONDENSE VARIATION_TAB NO-GAPS.
    APPEND VARIATION_TAB.
  ENDDO.
ENDLOOP.

************************************************************************
* Insert your own code here to add further variations:
* words backwards, number substitutions such as 3 for E, 1 for I or L,
* 5 or 2 for S, 7 for L ...
************************************************************************

* Merge the results and drop the stuff that is still too short.
LOOP AT DATA_TAB.
  I = STRLEN( DATA_TAB ).
  IF I > MIN_LENGTH.
    VARIATION_TAB = DATA_TAB.
    APPEND VARIATION_TAB.
  ENDIF.
ENDLOOP.
CLEAR DATA_TAB. REFRESH DATA_TAB.

* Who knows what kind of crappy data we have in the dictionary file
SORT VARIATION_TAB BY LINE.
DELETE ADJACENT DUPLICATES FROM VARIATION_TAB.

* Fill up USR40. The word is moved into BCODE explicitly, so the
* internal table line does not have to match the USR40 structure
* (MANDT, BCODE). A duplicate key only sets SY-SUBRC = 4 and is skipped.
LOOP AT VARIATION_TAB.
  CLEAR USR40.
  USR40-BCODE = VARIATION_TAB-LINE.
  INSERT USR40.
ENDLOOP.


Check how well the program protects the system
Code:
REPORT ZPWDCHK NO STANDARD PAGE HEADING.
********************************************************
* This program has to be used after running the program above.
* Using USR40 it finds the users having "weak" passwords
* and resets their USR02-LTIME to force them to change
* the password during the next logon. Then they will have
* to choose a better password, because USR40 is already
* maintained. The program with 250.000 words and 1500
* users runs for about 5 hours.
********************************************************
TABLES: USR02, *USR02, USR40.
DATA: PT(3), I TYPE I.
DATA: BEGIN OF DATA_TAB OCCURS 5000,
   LINE(8),
END OF DATA_TAB.
DATA: BEGIN OF USER OCCURS 250,
   BNAME LIKE USR02-BNAME,
   BCODE LIKE USR02-BCODE,
   CODVN LIKE USR02-CODVN,
END OF USER.
DATA: BEGIN OF WEAK_USER OCCURS 100,
   BNAME LIKE USR02-BNAME,
END OF WEAK_USER.

* Get the dictionary (only the password column, not the client field)
SELECT * FROM USR40.
  DATA_TAB-LINE = USR40-BCODE.
  APPEND DATA_TAB.
ENDSELECT.

* Get the users
SELECT * FROM USR02.
  MOVE-CORRESPONDING USR02 TO USER.
  APPEND USER.
ENDSELECT.

* The trick (only 3.1D and below): the kernel call used below is
* only allowed from the standard user maintenance program
SY-REPID = 'SAPMS01J'.
* End of the trick

* Find the weak passwords. Users are the outer loop so that every
* user is tested against every word, and the search for one user
* stops at the first hit (a user has only one password).
LOOP AT USER.
  LOOP AT DATA_TAB.
* Skip words that SAP would reject anyway because the user name
* contains their first three characters
    PT = DATA_TAB.
    IF USER-BNAME NS PT.
      *USR02-BCODE = USER-BCODE.

* Works up to 3.1D: hash the dictionary word for this user into *USR02-BCODE
      CALL 'XXPASS'
          ID 'CODE' FIELD DATA_TAB
          ID 'CODX' FIELD *USR02-BCODE
          ID 'NAME' FIELD USER-BNAME
          ID 'VERS' FIELD USER-CODVN.
* For higher versions use this instead:
*     PERFORM CHECK_PASS(SAPMS01J) USING
*               DATA_TAB
*               *USR02-BCODE
*               USER-BNAME
*               USER-CODVN.

* Same hash as the stored one: this word is the user's password
      IF USER-BCODE = *USR02-BCODE.
        I = I + 1.
        WEAK_USER-BNAME = USER-BNAME.
        APPEND WEAK_USER.
        EXIT.
      ENDIF.
    ENDIF.
  ENDLOOP.
ENDLOOP.

* Reset the weak users' LTIME so the password expires at the next logon
LOOP AT WEAK_USER.
  SELECT SINGLE * FROM USR02 WHERE BNAME = WEAK_USER-BNAME.
  IF SY-SUBRC = 0.
    CLEAR USR02-LTIME.
    UPDATE USR02.
  ENDIF.
ENDLOOP.

WRITE: / I, 'users had a weak password'.
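The denylist construction the first program performs, as an added Python example rather than the post's own ABAP: it applies the same length filter, upper-casing and trailing-digit rule, and fills in the reversed-word and digit-substitution variations the post leaves as a stub. The 8-character USR40-BCODE width, the `min_length` value and the word list are assumptions taken from or constructed for this example.

```python
"""Build a USR40-style password denylist from a word list.

Added example, not the forum program: it mirrors ZUSR40's steps (length
filter, upper-casing, trailing digit 0-9) and fills in the reversed-word
and digit-substitution variations the post leaves as a stub. The
8-character USR40-BCODE width is an assumption taken from the post.
"""
from itertools import product

BCODE_LEN = 8  # USR40-BCODE width assumed in the post (wider in later releases)
# Substitutions the post lists: 3 for E, 1 for I or L, 5 or 2 for S, 7 for L
LEET = {"E": "3", "I": "1", "L": "17", "S": "52"}
DIGITS = "0123456789"


def base_words(lines, min_length):
    """Keep words of length min_length-1 .. BCODE_LEN, upper-cased, like ZUSR40.
    Words one short of the minimum stay because a trailing digit fixes them."""
    out = []
    for raw in lines:
        word = raw.strip().upper()
        if min_length - 1 <= len(word) <= BCODE_LEN:
            out.append(word)
    return out


def leet_variants(word):
    """Every combination of the listed substitutions; includes the word itself."""
    choices = [c + LEET.get(c, "") for c in word]
    return {"".join(p) for p in product(*choices)}


def build_denylist(lines, min_length):
    """Return the sorted, de-duplicated USR40 entries for the given word list."""
    deny = set()
    for word in base_words(lines, min_length):
        forms = {word, word[::-1]} | leet_variants(word)
        for form in forms:
            deny.add(form)
            for digit in DIGITS:
                deny.add(form + digit)
    # ZUSR40 drops entries still shorter than the minimum; entries wider than
    # BCODE are dropped here rather than silently truncated by the database.
    return sorted(e for e in deny if min_length <= len(e) <= BCODE_LEN)


def is_denied(password, denylist):
    """Exact-match check, the way a USR40 entry without wildcards is applied."""
    return password.upper() in set(denylist)
```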