Protect SAP against hackers using word attack/dictionary methods

By Imre Kabai

This tip is published with the permission of Imre Kabai.

Hacking methods like "word attack" or "dictionary method" achieve a surprisingly high password cracking percentage on SAP systems. Despite SAP's extensive protection system (irreversibly hashed passwords, password aging, minimum length, having to be different from the last 5 passwords, cannot contain the first three characters of the username ...), there is no good protection against weak (guessable) passwords.

This program takes one of the most popular UNIX hacking dictionaries (CRACK, available on the web) as input, and after filtering and varying the words based upon the SAP password rules, it uploads them to USR40 (the table of illegal passwords). This will prevent the users from using weak passwords. Schedule this program to run in batch, because it runs for a couple of hours.


REPORT ZUSR40 NO STANDARD PAGE HEADING.

TABLES: USR40.
DATA: I TYPE I, MIN_LENGTH TYPE I.
DATA: NUMBERS(11) VALUE ' 0123456789'.
DATA: DICT_FILE(60) VALUE '/tmp/dict.txt'.

* Raw dictionary words, and the generated variations (one word per line)
DATA: BEGIN OF DATA_TAB OCCURS 5000,
        LINE(12),
      END OF DATA_TAB.
DATA: BEGIN OF VARIATION_TAB OCCURS 5000,
        LINE(12),
      END OF VARIATION_TAB.

* Profile parameter list as returned by the kernel call below
DATA: BEGIN OF PARAMETER OCCURS 500,
        STATUS LIKE SY-INDEX,
        NAME(60),
        CURRENT(60),
        DEFAULT(60),
      END OF PARAMETER.

* Find out the value of login/min_password_lng
CALL 'C_SAPGALLPARAM' ID 'PAR_SUB' FIELD PARAMETER-*SYS*.
LOOP AT PARAMETER.
  IF PARAMETER-NAME = 'login/min_password_lng'.
    MIN_LENGTH = PARAMETER-CURRENT.
    EXIT.
  ENDIF.
ENDLOOP.
IF MIN_LENGTH = 0.
  WRITE: / 'login/min_password_lng could not be determined, aborting.'.
  EXIT.
ENDIF.

* Upload from the frontend workstation (alternative to the dataset below)
*CALL FUNCTION 'WS_UPLOAD'
*  EXPORTING
*    FILENAME = 'c:\temp\dict.txt'
*  TABLES
*    DATA_TAB = DATA_TAB.

* Upload from the application server
OPEN DATASET DICT_FILE IN TEXT MODE FOR INPUT.
IF SY-SUBRC <> 0.
  WRITE: / 'Cannot open', DICT_FILE.
  EXIT.
ENDIF.
DO.
  READ DATASET DICT_FILE INTO DATA_TAB.
  IF SY-SUBRC <> 0. EXIT. ENDIF.
  APPEND DATA_TAB.
ENDDO.
CLOSE DATASET DICT_FILE.

* Remove the short and long words.
* Does not make sense to use longer words than 8 (USR40-BCODE = 8) or
* shorter than login/min_password_lng - 1 (a trailing digit is added below).
MIN_LENGTH = MIN_LENGTH - 1.
LOOP AT DATA_TAB.
  I = STRLEN( DATA_TAB ).
  IF I > 8 OR I < MIN_LENGTH.
    DELETE DATA_TAB.
  ELSE.
    TRANSLATE DATA_TAB TO UPPER CASE.
    MODIFY DATA_TAB.
  ENDIF.
ENDLOOP.

* Add a trailing number (e.g. PENCIL -> PENCIL0, PENCIL1, PENCIL2 ...)
LOOP AT DATA_TAB.
  DO 10 TIMES.
    VARIATION_TAB = DATA_TAB.
    VARIATION_TAB+11(1) = NUMBERS+SY-INDEX(1).
    CONDENSE VARIATION_TAB NO-GAPS.
    APPEND VARIATION_TAB.
  ENDDO.
ENDLOOP.

************************************************************************
* Insert your own code here to add further variations:
* words backwards, number substitutions such as 3 for E, 1 for I or L,
* 5 or 2 for S, 7 for L ...
************************************************************************

* Merge the results and drop the stuff that is still too short.
LOOP AT DATA_TAB.
  I = STRLEN( DATA_TAB ).
  IF I > MIN_LENGTH.
    VARIATION_TAB = DATA_TAB.
    APPEND VARIATION_TAB.
  ENDIF.
ENDLOOP.
CLEAR DATA_TAB. REFRESH DATA_TAB.

* Who knows what kind of data we have in the dictionary file
SORT VARIATION_TAB BY LINE.
DELETE ADJACENT DUPLICATES FROM VARIATION_TAB.

* Fill up USR40. The pattern column is BCODE (CHAR 8), so the work area is
* filled field by field; an entry that already exists only sets SY-SUBRC = 4.
LOOP AT VARIATION_TAB.
  CLEAR USR40.
  USR40-MANDT = SY-MANDT.
  USR40-BCODE = VARIATION_TAB-LINE.
  INSERT USR40.
ENDLOOP.
COMMIT WORK.
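The word-list preparation the report performs, as an added example in Python (not part of the original tip and not the author's code): it applies the same length and upper-casing rules, adds the trailing-digit variation plus the reversed-word and digit-substitution variations that the comment block in the program leaves to the reader, and checks a candidate password against the resulting USR40-style list. The sample dictionary, the value assumed for login/min_password_lng, the decision to drop (rather than truncate) patterns longer than BCODE, and the wildcard semantics of the checker (`*` and `?`) are assumptions made for this example.

```python
"""Added example: build a USR40-style block list from a dictionary file and
test candidate passwords against it. Not the original tip's code."""
from __future__ import annotations
import re

BCODE_LEN = 8            # USR40-BCODE is CHAR 8: longer patterns cannot be stored
DIGITS = "0123456789"
# Digit look-alikes the tip suggests (3 for E, 1 for I or L, 5 or 2 for S, 7 for L)
SUBSTITUTIONS = {"E": "3", "I": "1", "L": "17", "S": "52"}

# Constructed sample standing in for a CRACK-style dictionary file
SAMPLE_DICT = """pencil
Pencil
secret
sun
admin
password
sapr3
internationalization
"""


def load_words(text: str) -> list[str]:
    """One word per line, blanks dropped, upper-cased (TRANSLATE ... TO UPPER CASE)."""
    return [w.strip().upper() for w in text.splitlines() if w.strip()]


def keep_usable(words: list[str], min_lng: int) -> list[str]:
    """Same filter as the report: shorter than login/min_password_lng - 1 or
    longer than 8 is discarded; the -1 leaves room for the trailing digit."""
    return [w for w in words if min_lng - 1 <= len(w) <= BCODE_LEN]


def trailing_digit_variants(word: str) -> list[str]:
    """PENCIL -> PENCIL0 ... PENCIL9"""
    return [word + d for d in DIGITS]


def substitution_variants(word: str) -> list[str]:
    """Swap every occurrence of one letter class for each of its digits, one
    class at a time, then once with all classes swapped together."""
    out = []
    for letter, digits in SUBSTITUTIONS.items():
        if letter in word:
            out.extend(word.replace(letter, d) for d in digits)
    all_at_once = word
    for letter, digits in SUBSTITUTIONS.items():
        all_at_once = all_at_once.replace(letter, digits[0])
    if all_at_once != word:
        out.append(all_at_once)
    return out


def build_blocklist(dict_text: str, min_lng: int) -> set[str]:
    """Base words plus all variations, deduplicated, restricted to lengths that
    satisfy the minimum length rule and fit into USR40-BCODE (assumption: entries
    longer than 8 are dropped here instead of being truncated on INSERT)."""
    base = keep_usable(load_words(dict_text), min_lng)
    candidates: list[str] = []
    for w in base:
        candidates.append(w)
        candidates.extend(trailing_digit_variants(w))
        candidates.append(w[::-1])                 # word backwards
        candidates.extend(substitution_variants(w))
    return {c for c in candidates if min_lng <= len(c) <= BCODE_LEN}


def matches_usr40(pattern: str, candidate: str) -> bool:
    """Assumed USR40 wildcard semantics: '*' any run of characters, '?' exactly
    one character; the comparison is case-insensitive."""
    regex = re.escape(pattern.upper()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, candidate.upper()) is not None


def is_blocked(candidate: str, blocklist: set[str]) -> bool:
    """True when any block-list pattern matches the candidate password."""
    return any(matches_usr40(p, candidate) for p in blocklist)


def write_for_upload(blocklist: set[str]) -> str:
    """Sorted, one pattern per line: the layout the report's READ DATASET loop expects."""
    return "\n".join(sorted(blocklist)) + "\n"


if __name__ == "__main__":
    bl = build_blocklist(SAMPLE_DICT, min_lng=6)
    for pw in ("pencil1", "Secret", "licnep", "sun5", "admin", "Tr0ub4dor&3"):
        print(f"{pw:12} {'REJECT' if is_blocked(pw, bl) else 'ok'}")
```

With the sample dictionary and a minimum length of 6, `pencil1`, `Secret` and `licnep` are rejected while `sun5` and `admin` pass, which illustrates the report's own trade-off: words shorter than the minimum are only blocked in their digit-suffixed form, and 8-letter words gain no digit variants at all because the result would not fit into BCODE. Running the script against the real dictionary and feeding its output to the report as /tmp/dict.txt moves the heavy variation work out of the batch job.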

Visit Kabai.com to view this tip or to browse through a collection of other useful ABAP programs.



This was first published in April 2001
