cancel
Showing results for 
Search instead for 
Did you mean: 

urgent need: how to decode usr02

Former Member
0 Kudos

On my laptop sandbox, I can see the password in table usr02 but

in an encrypted form.

Could you tell me how to decode the password?

Thanks and points.

Accepted Solutions (0)

Answers (9)

Answers (9)

Former Member
0 Kudos

yes,

if you have the same user in another system,

copy the value of usr02 of the system you know the password

to usr02 to the system you don't know the password.

the copy shoud be done at the DB level,

for example: update usr02 set bcode = 'XXXXXXXX' where mandt = 'YYY' and uname = 'ZZZ'

(I'm not sure if it is bname or uname)

where XXXXXXXX is the bcode value from the system you know the password,

YYY is the client, and ZZZ is the user.

Former Member
0 Kudos

This would lock the user.

Did you check the value of login/no_automatic_usr_sapstar?

(should be 0, otherwize the system will not recreate the sap* user)

You may also try (the last option that is avaible):

if you have another system (for example PROD),

you can over-ride the password of your users (field bcode in usr02)

from the system you know the password.

p.s

you can not copy password of diffrent user,

e.g: user A has password "ABCDE",

user B has password "ABCDE",

the values of the BCODE in usr02 would be diffrent from user A to B

although they thave the same passord,

this is because the encryption is per user,

however, user A that have the password "ABCDE"

in diffrent systems/client will have the same BCODE

(the encryption algoritem uses only the user-name to encrypt)

Former Member
0 Kudos

You say:

<b>You may also try (the last option that is avaible):

if you have another system (for example PROD),

you can over-ride the password of your users (field bcode in usr02)

from the system you know the password</b>.

Could you explain above in detail?

Thanks!

Message was edited by:

jennifer lee

Former Member
0 Kudos

please check the parameter: login/no_automatic_usr_sapstar

the first login would re-create the sap* user,

you may look at:

http://sap.ittoolbox.com/groups/technical-functional/sap-basis/reset-ddic-password-without-resetting...

and also:

Former Member
0 Kudos

the only way to find out the password,

is to write a Brute Force program,

which <u>try every possible password combination</u> untill

it found the password (for example: aaaaaaaa, aaaaaaab, aaaaaaac .... zzzzzzzz)

there are several ways to implement:

1. write an abap program,

which calls the encryption function with the name 'XX_PASS'

this function gets an en-encrypted password and encrypt it to bcode field in usr02.

You can't see this function in SE37, don't search it, this is an internal function, SAP somethimes uses kernel commands, which are not written in ABAP,

therefore, you can not see the algoritem behind the encryption (good way to hide from us).

2. use recording tools, like load-runner a try all the password combinations.

offcorse, this can takes hours at the best case, due to the fact that in 8 bytes of password, there are 18446744073709551616 possibilites (2568), in addition there is a new password policy that you can use, that gives up tp 20 bytes of password (25620)

Former Member
0 Kudos

This will lock the user.

Any better idea?

Former Member
0 Kudos

I forgot to mention, after you login with SAP* you can reset you own password (there is no need to decode password field (bcode) in usr02)

(p.s if you can not login with sap* after you delete it from usr02,

you would have to change the value of the parameter profile login/disable_sapstart_auto_login (or something like that to 0)

Former Member
0 Kudos

I know this trick but my system did not re-create sap* after

it was deleted.

Any more tricks?

Former Member
0 Kudos

once you have deleted the SAP* you can login with this users and password is "pass". its ok, you are not going to use this user anywhere and even SAP not recommands to use this, then what is the problem?

Cheers,

-Sunil

Former Member
0 Kudos

reseting or changing the password is simple solution for this as per as i know.

Former Member
0 Kudos

there is a simple solution for this problem,

just delete the user sap* from usr02,

and than logon with sap* with the default password (init/pass)

Former Member
0 Kudos
MichalKrawczyk
Active Contributor
0 Kudos

Hi Jennifer,

>>>>Could you tell me how to decode the password?

if it was possible (in any easy way) then SAP would not be very secure

would it ?

but have a look at this thread:

http://seclists.org/pen-test/2006/Feb/0044.html

it may give you some idea on how difficult it gets

Regards,

michal

Former Member
0 Kudos

i think you cant do it. other work around i would suggest is reset the password what you want to be.