Posted: Sun Nov 25, 2007 2:22 am Post subject: Protect SAP against hackers using 'word attack/dictionary'
Protect SAP against hackers using "word attack/dictionary" methods
Code:
REPORT ZUSR40 NO STANDARD PAGE HEADING.
**************************************************************
* Hacking methods like "word attack" or "dictionary method"
* achieve a surprisingly high password cracking percentage on
* SAP systems. Despite SAP's extensive protection system
* (irreversible password, password aging, minimum length,
* has to be different from the last 5 passwords, cannot contain
* the first three characters of the username ...) there is no
* good protection against weak (guessable) passwords.
*
* This program takes one of the most popular UNIX hacking
* dictionaries (CRACK, available on the web) as an input, and
* after filtering and varying the words based upon the SAP
* password rules, it uploads them to USR40 (illegal passwords).
* This will prevent the users from using weak passwords.
* Schedule this program to run in batch, because it runs for a
* couple of hours.
**************************************************************
TABLES: USR02, USR40.
DATA: I TYPE I, MIN_LENGTH TYPE I.
DATA: NUMBERS(11) VALUE ' 0123456789'.
* Raw dictionary words as read from the file
DATA: BEGIN OF DATA_TAB OCCURS 5000,
        LINE(12),
      END OF DATA_TAB.
* Words plus their variations, i.e. what goes into USR40
DATA: BEGIN OF VARIATION_TAB OCCURS 5000,
        LINE(12),
      END OF VARIATION_TAB.
* Profile parameter list as returned by the kernel call below
DATA: BEGIN OF PARAMETER OCCURS 500,
        STATUS  LIKE SY-INDEX,
        NAME(60),
        CURRENT(60),
        DEFAULT(60),
      END OF PARAMETER.

* Find out the value of login/min_password_lng
CALL 'C_SAPGALLPARAM' ID 'PAR_SUB' FIELD PARAMETER-*SYS*.
LOOP AT PARAMETER.
  IF PARAMETER-NAME = 'login/min_password_lng'.
    MIN_LENGTH = PARAMETER-CURRENT.
    EXIT.
  ENDIF.
ENDLOOP.
* Fallback if the parameter could not be read (3 was the default
* value in old releases)
IF MIN_LENGTH IS INITIAL.
  MIN_LENGTH = 3.
ENDIF.

* Upload from the frontend workstation (alternative to the
* application server file below)
*CALL FUNCTION 'WS_UPLOAD'
*     EXPORTING
*          FILENAME = 'c:\temp\dict.txt'
*     TABLES
*          DATA_TAB = DATA_TAB.

* Upload from the application server, one word per line
OPEN DATASET '/tmp/dict.txt' IN TEXT MODE FOR INPUT.
IF SY-SUBRC <> 0.
  WRITE: / 'Cannot open /tmp/dict.txt'.
  EXIT.
ENDIF.
DO.
  READ DATASET '/tmp/dict.txt' INTO DATA_TAB.
  IF SY-SUBRC <> 0. EXIT. ENDIF.
  APPEND DATA_TAB.
ENDDO.
CLOSE DATASET '/tmp/dict.txt'.

* Remove the short and long words.
* A trailing digit is added below, so words one character shorter
* than login/min_password_lng are still useful.
MIN_LENGTH = MIN_LENGTH - 1.
LOOP AT DATA_TAB.
  I = STRLEN( DATA_TAB ).
* Does not make sense to use words longer than 8 (USR40-BCODE = 8) or
* shorter than login/min_password_lng - 1.
  IF I > 8 OR I < MIN_LENGTH.
    DELETE DATA_TAB.
  ELSE.
    TRANSLATE DATA_TAB TO UPPER CASE.
    MODIFY DATA_TAB.
  ENDIF.
ENDLOOP.

* Add a trailing number (e.g. PENCIL -> PENCIL0, PENCIL1, PENCIL2 ...)
LOOP AT DATA_TAB.
  DO 10 TIMES.
    VARIATION_TAB = DATA_TAB.
* NUMBERS starts with a blank, so offset SY-INDEX (1..10) yields '0'..'9'
    VARIATION_TAB+11(1) = NUMBERS+SY-INDEX(1).
    CONDENSE VARIATION_TAB NO-GAPS.
    APPEND VARIATION_TAB.
  ENDDO.
ENDLOOP.

************************************************************************
* Insert your own code here to add further variations:
* words backwards, number substitutions such as 3 for E, 1 for I or L,
* 5 or 2 for S, 7 for L ...
************************************************************************

* Merge the results and drop the stuff that is still too short.
LOOP AT DATA_TAB.
  I = STRLEN( DATA_TAB ).
  IF I > MIN_LENGTH.
    VARIATION_TAB = DATA_TAB.
    APPEND VARIATION_TAB.
  ENDIF.
ENDLOOP.
CLEAR DATA_TAB. REFRESH DATA_TAB.

* Who knows what kind of crappy data we have in the dictionary file
SORT VARIATION_TAB BY LINE.
DELETE ADJACENT DUPLICATES FROM VARIATION_TAB.

* Fill up USR40. The work area is filled field by field: a direct
* INSERT FROM TABLE VARIATION_TAB would move the 12-character line
* over MANDT and BCODE and shift every word by three characters.
* Words already present in USR40 just return SY-SUBRC = 4.
CLEAR I.
LOOP AT VARIATION_TAB.
  USR40-BCODE = VARIATION_TAB-LINE.
  INSERT USR40.
  IF SY-SUBRC = 0.
    I = I + 1.
  ENDIF.
ENDLOOP.
WRITE: / 'Words added to USR40:', I.
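The filter and variation rules of ZUSR40, together with the extra variations the comment block invites (reversed words, digit-for-letter substitutions), as an added Python model that is not part of the original post; the substitution map, the minimum length of 6 and the sample word list are assumptions/constructed, and the output is what the corresponding words in USR40 would look like.

```python
# Added example (not from the post): model of the ZUSR40 filter/variation
# rules, extended with the reversed and digit-substituted variants the
# post suggests adding. The SUBST map and SAMPLE_DICT are constructed.

BCODE_LEN = 8   # USR40-BCODE length as stated in the post

# Assumed substitution table (post: 3 for E, 1 for I, 5 for S, 7 for L)
SUBST = str.maketrans({"E": "3", "I": "1", "L": "7", "S": "5"})

# Constructed stand-in for /tmp/dict.txt
SAMPLE_DICT = ["pencil", "a", "apple", "password", "Secret", "pencil"]


def base_words(words, min_length):
    """ZUSR40 step 1: upper-case and keep min_length-1 <= len <= 8
    (a trailing digit is added later, hence the -1)."""
    out = []
    for w in words:
        w = w.strip().upper()
        if min_length - 1 <= len(w) <= BCODE_LEN:
            out.append(w)
    return out


def variations(word):
    """Variants of one word: trailing digit 0-9 (as in ZUSR40), then the
    reversed word and the digit-substituted word (suggested additions)."""
    yield from (word + d for d in "0123456789")
    yield word[::-1]
    yield word.translate(SUBST)


def expand_dictionary(words, min_length):
    """Sorted, duplicate-free entries that would end up in USR40.
    Entries are cut to BCODE_LEN as the table column would do, and the
    final length check mirrors the 'still too short' filter in ZUSR40."""
    result = set()
    for w in base_words(words, min_length):
        for v in [w, *variations(w)]:
            v = v[:BCODE_LEN]
            if len(v) >= min_length:
                result.add(v)
    return sorted(result)


if __name__ == "__main__":
    for entry in expand_dictionary(SAMPLE_DICT, 6):
        print(entry)
```

Note that an 8-character word plus a digit is cut back to the word itself, so for such words only the reversed and substituted variants add new entries.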
Check how well the program protects the system
Code:
REPORT ZPWDCHK NO STANDARD PAGE HEADING.
********************************************************
* This program has to be used after running the program above.
* Using USR40 it finds the users having "weak" passwords
* and resets their USR02-LTIME to force them to change the
* password during the next logon. Then they will have
* to choose a better password, because USR40 is already
* maintained. The program with 250.000 words and 1500
* users runs for about 5 hours.
********************************************************
TABLES: USR02, *USR02, USR40.
DATA: PT(3), I TYPE I.
* Candidate passwords read from USR40
DATA: BEGIN OF DATA_TAB OCCURS 5000,
        LINE(8),
      END OF DATA_TAB.
* All users with their stored password hash and hash version
DATA: BEGIN OF USER OCCURS 250,
        BNAME LIKE USR02-BNAME,
        BCODE LIKE USR02-BCODE,
        CODVN LIKE USR02-CODVN,
      END OF USER.
DATA: BEGIN OF WEAK_USER OCCURS 100,
        BNAME LIKE USR02-BNAME,
      END OF WEAK_USER.

* Get the dictionary (BCODE only; moving the whole USR40 line
* would put the client field into the word)
SELECT * FROM USR40.
  DATA_TAB = USR40-BCODE.
  APPEND DATA_TAB.
ENDSELECT.

* Get the users
SELECT * FROM USR02.
  MOVE-CORRESPONDING USR02 TO USER.
  APPEND USER.
ENDSELECT.

* The trick (only 3.1D and below)
SY-REPID = 'SAPMS01J'.
* End of the trick

* Find the weak passwords. Users are the outer loop so that a user
* is reported once and the search for that user stops at the first
* match; with the words outside, the EXIT would skip the remaining
* users for that word.
LOOP AT USER.
  LOOP AT DATA_TAB.
* SAP does not accept a password whose first three characters occur
* in the user name, so such a combination cannot be in use
    PT = DATA_TAB.
    IF USER-BNAME NS PT.
* Start from an empty hash; otherwise a failed kernel call would
* leave the stored hash in place and flag the user by mistake
      CLEAR *USR02-BCODE.
* Works up to 3.1D
      CALL 'XXPASS'
           ID 'CODE' FIELD DATA_TAB
           ID 'CODX' FIELD *USR02-BCODE
           ID 'NAME' FIELD USER-BNAME
           ID 'VERS' FIELD USER-CODVN.
* For higher versions use this instead:
*     PERFORM CHECK_PASS(SAPMS01J) USING
*             DATA_TAB
*             *USR02-BCODE
*             USER-BNAME
*             USER-CODVN.
      IF USER-BCODE = *USR02-BCODE.
        I = I + 1.
        WEAK_USER-BNAME = USER-BNAME.
        APPEND WEAK_USER.
        EXIT.
      ENDIF.
    ENDIF.
  ENDLOOP.
ENDLOOP.

* Reset LTIME of the weak users so they must change the password
* at the next logon
LOOP AT WEAK_USER.
  SELECT SINGLE * FROM USR02 WHERE BNAME = WEAK_USER-BNAME.
  CLEAR USR02-LTIME.
  UPDATE USR02.
  WRITE: / WEAK_USER-BNAME.
ENDLOOP.
WRITE: / 'Users with weak passwords:', I.