Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 25 Jun 2008 18:48:50 -0500
From: "sap friend" <>
Subject: patch for SAP-passwords (BCODE & PASSCODE)

Hello everyone,

finally, here's a patch for auditing SAP-passwords. There's one
module for the old (BCODE or CODVN B) and one for the new (PASSCODE
or CODVN G) SAP passwords which can be obtained from the table
USR02 or USH02.

This patch was tested on linux/x86 only and we're quite sure it
won't work on any other architecture w/o modifications. Sorry for
that ;-) But: feel free to adjust/port/modify the code! Hints about
adjustments to be made are welcome :-) There's an issue with cases,
too. Maybe Solar Designer can give a hint here... BTW: SD, if there
was more documentation for the plugins, the quality would be far

SAP password hashes are salted only with the username (the
system-ID is NOT involved!). So a special preparation of the
username-password-table is nesessary (see attached .pl-script). SAP
allows special characters in usernames (e.g. * $ <spaces> etc.).
Whitespaces at the end of the username will be stripped. Due to the
fact that the salt (remember: the username) varies in legth, we
came up with the great idea to fix the salt-length to the max
username legth (40, btw) and padd the rest w/ spaces, which will be
stripped by the plugin. Ugly, but has proven to work :-) So
basically, the format for our input-files looks like this (true for
G and B):

     DDIC:DDIC                                    $C94E2F7DD0178374

A small perl script is contributed as attachment of this posting.
It parses the content of a tab separeted file (SAP calls those 'XLS
files' - they contain the SAP table USR02 or USH02) and generates
two output files: BCODE and PASSCODE which can be fed into john.

If you have access to both password types (BCODE and G) you should
start cracking the BCODE first 'cause it's a lot faster. Note that
newer SAP-Systems (at least the ones we've seen) generate B and G!

So let's talk about the algorithms...

The BCODE (sapB) algorithm is pretty old and looks weak:
- the length of passwords is maximum 8 chars
- the password and username(=salt) are UPPER case
- passwords and usernames lose entropy (non-ascii chars get replaced by 0xff)
- at least, MD5 is applied twice (some magic in between), but
- the result is OR'd, so we will have only 8 bytes

The PASSCODE algorithm (sapG) is a bit more complex, but IDA and
Olly were able to reveal it's inner working (with a little support
of our brains<g>):
- the max. length of passwords is 48
- some pseudo-codepage-translation for passwords (>7bit ascii) is applied
- only the username(=salt) is always UPPERcase
- the hash is generated with two times SHA1 and some magic between both runs.

Feel free to check the details and comments in the patch. The patch
itself is public domain.

The patch is generated according to the infos from the wiki, so
there should be no trouble patching.
(please note: the patch contains the raw-MD5 and raw-SHA1 patch, too).

$ wget
$ tar xfz john-1.7.2.tar.gz
$ cd john-1.7.2/
$ patch -p1 <../john-1.7.2-SAPLover-1.diff
$ cd src
$ make linux-x86-mmx
$ cd ../run
$ ./john --test --format=sapB
Benchmarking: SAP BCODE [sapb]... DONE
Raw:    815536 c/s real, 815536 c/s virtual

$ ./john --test --format=sapG
Benchmarking: SAP CODVN G (PASSCODE) [sapg]... DONE
Many salts:     643218 c/s real, 643218 c/s virtual
Only one salt:  626108 c/s real, 626108 c/s virtual

       sap loverz

Be Yourself @!
Choose From 200+ Email Addresses
Get a Free Account at

Download attachment "john-1.7.2-SAPLover-1.diff" of type "application/octet-stream" (42914 bytes)

Download attachment "" of type "application/octet-stream" (2892 bytes)

To unsubscribe, e-mail and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.