Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 13 Jul 2011 19:22:24 +0200
From: Frank Dittrich <>
Subject: Re: Charset options

Am 13.07.2011 17:10, schrieb Maximilian Melcher:
> Hi list,
> is it possible to crack SAP RFC password hashes (its from rfcdes like
> written here )?
> The format is:
> User                  Hash
> RFC_TEST        C4520A225A6A69429C6C7689B85AB01F
> and thats longer than a sapB or sapG hash. The password is abcdefgh
> My first guess was that its md5 but when I start john
> with RFC_TEST:C4520A225A6A69429C6C7689B85AB01F it says LM and cant crack it
> with given wordlist. If I force it to md5 => no passwords loaded.

This is not a hash, but an encrypted/obfuscated password
for a SAP basis release 6.x.
If you repeatedly change the password for the RFC
connection ("RFC" is a SAP specific abbreviation for
"remote function call"), you should get different resulting
hex strings for the same password.

Years ago I found out how to get the clear text password
for such a hex string using a Linux TestDrivre installation
on my own PC.
Currently, I don't have a private SAP installation.

So, if an attacker gets access to the encrypted password
that is stored in table RFCDES, you have to assume
he knows the password.

That's why, system administrators configuring
RFC destinations should't reuse those passwords
for other accounts.

But if the user specified in the RFC connecion is
a communication user and not a regular dialog user,
you cannot use the known password and user name
to login.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.