
Protect SAP against hackers using word attack/dictionary methods

This program takes the UNIX password-cracking dictionary (CRACK) as input and filters and varies the words according to the SAP password rules.

By Imre Kabai

This tip is published with the permission of Imre Kabai.

Hacking methods like "word attack" or "dictionary method" achieve a surprisingly high password cracking percentage on SAP systems. Despite SAP's extensive protection system (irreversibly stored password, password aging, minimum length, having to differ from the last five passwords, not containing the first three characters of the user name ...), there is no good protection against weak (guessable) passwords.

This program takes one of the most popular UNIX password-cracking dictionaries (CRACK, available on the web) as input and, after filtering and varying the words according to the SAP password rules, inserts them into USR40 (the table of illegal passwords). This prevents users from choosing those weak passwords. Schedule the program as a batch job, because it runs for a couple of hours.


REPORT ZUSR40 NO STANDARD PAGE HEADING.

TABLES: USR02, USR40.
DATA: I TYPE I, MIN_LENGTH TYPE I.
DATA: NUMBERS(11) VALUE ' 0123456789'.

* Words read from the dictionary file
DATA: BEGIN OF DATA_TAB OCCURS 5000,
        LINE(12),
      END OF DATA_TAB.
* Generated variations plus the surviving base words (written to USR40 at the end)
DATA: BEGIN OF VARIATION_TAB OCCURS 5000,
        LINE(12),
      END OF VARIATION_TAB.

* Profile parameter list as returned by the kernel call below
DATA: BEGIN OF PARAMETER OCCURS 500,
        STATUS LIKE SY-INDEX,
        NAME(60),
        CURRENT(60),
        DEFAULT(60),
      END OF PARAMETER.

* Find out the value of login/min_password_lng
CALL 'C_SAPGALLPARAM' ID 'PAR_SUB' FIELD PARAMETER-*SYS*.
LOOP AT PARAMETER.
  IF PARAMETER-NAME = 'login/min_password_lng'.
    MIN_LENGTH = PARAMETER-CURRENT.
    EXIT.
  ENDIF.
ENDLOOP.

* Alternative: upload from the frontend workstation
* CALL FUNCTION 'WS_UPLOAD'
*   EXPORTING
*     FILENAME = 'c:\temp\dict.txt'
*   TABLES
*     DATA_TAB = DATA_TAB.

* Upload from the application server
OPEN DATASET '/tmp/dict.txt' IN TEXT MODE FOR INPUT.
DO.
  READ DATASET '/tmp/dict.txt' INTO DATA_TAB.
  IF SY-SUBRC <> 0.
    EXIT.
  ENDIF.
  APPEND DATA_TAB.
ENDDO.
CLOSE DATASET '/tmp/dict.txt'.

* Remove the short and long words
* Words longer than 8 (USR40-BCODE = 8) are useless, and words shorter than
* login/min_password_lng - 1 stay too short even with a trailing digit.
MIN_LENGTH = MIN_LENGTH - 1.
LOOP AT DATA_TAB.
  I = STRLEN( DATA_TAB ).
  IF I > 8 OR I < MIN_LENGTH.
    DELETE DATA_TAB.
  ELSE.
    TRANSLATE DATA_TAB TO UPPER CASE.
    MODIFY DATA_TAB.
  ENDIF.
ENDLOOP.

* Add a trailing number (e.g. PENCIL -> PENCIL0, PENCIL1, PENCIL2 ...)
LOOP AT DATA_TAB.
  DO 10 TIMES.
    VARIATION_TAB = DATA_TAB.
*   NUMBERS+1(1) is '0' and NUMBERS+10(1) is '9'; the digit goes into the
*   last position and CONDENSE pulls it up against the word
    VARIATION_TAB+11(1) = NUMBERS+SY-INDEX(1).
    CONDENSE VARIATION_TAB NO-GAPS.
    APPEND VARIATION_TAB.
  ENDDO.
ENDLOOP.

************************************************************************
* Insert your own code here to add further variations:
* words backwards, number substitutions such as 3 for E, 1 for I or L,
* 5 or 2 for S, 7 for L ...
************************************************************************

* Merge the base words into the result and drop those that are still too short
* (MIN_LENGTH now holds login/min_password_lng - 1, so "> MIN_LENGTH" keeps
* words of at least login/min_password_lng characters)
LOOP AT DATA_TAB.
  I = STRLEN( DATA_TAB ).
  IF I > MIN_LENGTH.
    VARIATION_TAB = DATA_TAB.
    APPEND VARIATION_TAB.
  ENDIF.
ENDLOOP.
CLEAR DATA_TAB. REFRESH DATA_TAB.

* The dictionary file may contain anything, so sort and remove duplicates
SORT VARIATION_TAB BY LINE.
DELETE ADJACENT DUPLICATES FROM VARIATION_TAB.

* Fill up USR40 (entries that already exist are skipped instead of aborting)
INSERT USR40 FROM TABLE VARIATION_TAB ACCEPTING DUPLICATE KEYS.
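The same filtering and variation logic, carried through in Python as an added example (it is not Imre Kabai's program, not SAP code, and not part of the original tip). It is useful when you want to prepare and review the USR40 candidate list offline before loading it, and it goes one step beyond the ABAP report by also producing the reversed and digit-substituted forms the comment block only suggests. It further shows, against the rules the tip lists, why a word like PENCIL1 is accepted by the standard checks until USR40 is populated. Assumptions, all labelled in the code: SAMPLE_DICT is a constructed stand-in for the CRACK wordlist in /tmp/dict.txt, the min_length argument stands in for login/min_password_lng, and BCODE_LEN mirrors the USR40-BCODE length of 8 the tip states.

```python
"""Offline USR40 candidate builder and SAP password-rule check (added example)."""
import fnmatch

BCODE_LEN = 8                                     # USR40-BCODE length stated in the tip
LEET = {"E": "3", "I": "1", "L": "7", "S": "5"}   # substitutions the tip's comment suggests

# Constructed sample wordlist; stands in for the CRACK dictionary read from /tmp/dict.txt.
SAMPLE_DICT = """\
pencil
sap
password
Password
welcome
administrator
secret
"""


def filter_words(lines, min_length):
    """First LOOP of the report: drop words longer than BCODE_LEN or shorter than
    login/min_password_lng - 1 (a trailing digit brings those up to length),
    and uppercase the rest."""
    lo = min_length - 1
    kept = []
    for raw in lines:
        word = raw.strip()
        if word and lo <= len(word) <= BCODE_LEN:
            kept.append(word.upper())
    return kept


def variations(word):
    """Variants of one word: the trailing digit the report adds, plus the reversed
    and digit-substituted forms its comment block invites you to add."""
    for digit in "0123456789":
        yield word + digit
    yield word[::-1]
    leet = "".join(LEET.get(ch, ch) for ch in word)
    if leet != word:
        yield leet


def build_usr40_list(dictionary_text, min_length):
    """Merge base words and variants; the set does what SORT plus
    DELETE ADJACENT DUPLICATES does in the report."""
    entries = set()
    for word in filter_words(dictionary_text.splitlines(), min_length):
        entries.update(variations(word))
        if len(word) >= min_length:       # second LOOP: bare word only if already long enough
            entries.add(word)
    return sorted(entries)


def check_password(password, username, min_length, usr40_entries):
    """Apply the rules the tip lists and return the violated ones (empty list = accepted).
    USR40 entries are matched case-insensitively, honouring the * and ? wildcards
    SAP allows in that table."""
    violations = []
    pw = password.upper()
    if len(pw) < min_length:
        violations.append("shorter than login/min_password_lng")
    if username[:3].upper() in pw:
        violations.append("contains first three characters of the user name")
    if any(fnmatch.fnmatchcase(pw, pattern.upper()) for pattern in usr40_entries):
        violations.append("listed in USR40")
    return violations


if __name__ == "__main__":
    blocklist = build_usr40_list(SAMPLE_DICT, min_length=6)
    print(len(blocklist), "USR40 candidates, e.g.", blocklist[:5])
    for candidate in ("PENCIL1", "P3NC17", "Welcome9", "TRICKY42"):
        print(candidate, check_password(candidate, "PETER", 6, blocklist) or "accepted")
```

Because USR40 accepts the wildcards `*` and `?`, a single entry such as `PENCIL*` covers every digit suffix the report enumerates; the check above matches patterns the same way, so you can decide between enumerated entries (as the ABAP writes them) and a much smaller pattern list before loading anything.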

Visit Kabai.com to view this tip or to browse through a collection of other useful ABAP programs.
