Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 11 Dec 2005 16:48:01 +0100
From: "Frank Dittrich" <>
Subject: Re: MSSQL/SAP hashes?

Simon Marechal wrote:
>Jeroen wrote:
>>Also, there seems to be a SAP plugin for john.
>If there is one, it's not public. AFAIK the algorithm has not been
>disclosed. (But i thought the oracle algorithm had not been too, so i
>might be wrong).

The algorithm(s) are not public.
Nevertheless, it's possible to find out how SAP password hashes are

Actually, there are 3 different hash algorithms for SAP R/3.
When SAP R/3 has been released in 1992, only one algorithm has been
implemented (CODVN A, now depreciated due to many flaws in the
design and implementation.)

Around 1994 or 1995, CODVN A has been replaced by CODVN B, so that
CODVN A is only used for passwords which haven't been changed for
about 10 years.

As a reaction to my first article regarding SAP password security,
published in August, 2003,,
SAP created a slightly changed version, called CODVN D.
CODVN B is still the default. To use CODVN D for newly created
passwords, a recent SAP kernel and adjusting the SAP profile
parameter login/password_charset is required.
(Though I don't recommend switching to CODVN D.)

I mentioned a patch to John the Ripper which enables cracking
SAP passwords for CODVN B and D in my second article, published
in Octover, 2004:

Unfortunately, both articles are in German.
I didn't have the time to translate them into English, and I'm
afraid babelfish doesn't produce useful results.
I'm also not sure how much of what I wrote in those articles is
on topic in this mailing list.
If there is common interest for the contents of those articles,
I might summarize them in English - at least those parts which
could be on topic here.

If you have additional questions, feel free to contact me directly.
I'm, however, not going to publish the patch or mention details
about the algorithms being used.
(I'd like to contribute work to John the Ripper, because I
appreatiate the work done by Solar Designer and others, but I think
publishing the patch wouldn't be a good idea.
The reason is that it's very hard, if not impossible, to protect
SAP password hashes against unauthorized access.
That's why, publishing the algorithm IMO would have a disastrous
effect on the security of SAP systems, instead of increasing the
security by allowing the admin to discover weak passwords.)

Another somewhat off-topic remark:
SAP password security is just a minor issue.
I just picked this topic because it's relatively easy to cover.
There are many other problems regarding the security of SAP
system landscapes.
(I have yet to see a production system which doesn't allow an
arbitrary number of sufficiently skilled users to execute arbitrary
code, install any back door they like, ... - in most cases even
without the risk of being discovered.)

Someone important must have disliked the second article, so that it
seems to have disappeared from Google's and some other search engines'
About a year ago, the article appeared among the first few hits
when using a sensible search term.
But today, it's impossible to find the article when searching Google,
and hard enough to find it on some other search engines.

Finally, some information regarding the performance on a linux
system with an AMD Athlon(TM) XP 2100+ processor.
I compiled the patched john 1.6.39 with  -march=athlon-xp,
and started it in single user mode with nice -19:

Benchmarking: Traditional DES [64/64 BS MMX]... DONE
Many salts:	648051 c/s real, 648051 c/s virtual
Only one salt:	595622 c/s real, 595622 c/s virtual

Benchmarking: BSDI DES (x725) [64/64 BS MMX]... DONE
Many salts:	21606 c/s real, 21606 c/s virtual
Only one salt:	21235 c/s real, 21235 c/s virtual

Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw:	5104 c/s real, 5104 c/s virtual

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw:	300 c/s real, 300 c/s virtual

Benchmarking: Kerberos AFS DES [48/64 4K MMX]... DONE
Short:	128512 c/s real, 128512 c/s virtual
Long:	451840 c/s real, 451840 c/s virtual

Benchmarking: NT LM DES [64/64 BS MMX]... DONE
Raw:	5675K c/s real, 5675K c/s virtual

Benchmarking: SAP R/3 codvn B [B-v0.4]... DONE
Many salts:	1683K c/s real, 1683K c/s virtual
Only one salt:	1495K c/s real, 1495K c/s virtual

Benchmarking: SAP R/3 codvn D [D-v0.4]... DONE
Many salts:	1738K c/s real, 1738K c/s virtual
Only one salt:	1415K c/s real, 1415K c/s virtual

(The patch just "works for me", i.e., since I don't have other
hardware, it doesn't support big-endian architectures,
doesn't make use of sse, uses MAX_KEYS_PER_CRYPT 1 ...
I doubt that performace can be increased significantly,
but minor tweaks are still possible.)

Regards, Frank

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.