on 03-24-2007 2:52 PM
On my laptop sandbox, I can see the password in table usr02 but
in an encrypted form.
Could you tell me how to decode the password?
Thanks and points.
yes,
if you have the same user in another system,
copy the value of usr02 of the system you know the password
to usr02 to the system you don't know the password.
the copy should be done at the DB level,
for example: update usr02 set bcode = 'XXXXXXXX' where mandt = 'YYY' and uname = 'ZZZ'
(I'm not sure if it is bname or uname)
where XXXXXXXX is the bcode value from the system you know the password,
YYY is the client, and ZZZ is the user.
This would lock the user.
Did you check the value of login/no_automatic_usr_sapstar?
(should be 0, otherwise the system will not recreate the sap* user)
You may also try (the last option that is available):
if you have another system (for example PROD),
you can over-ride the password of your users (field bcode in usr02)
from the system you know the password.
p.s
you cannot copy the password of a different user,
e.g.: user A has password "ABCDE",
user B has password "ABCDE",
the values of the BCODE in usr02 would be different from user A to B
although they have the same password,
this is because the encryption is per user,
however, user A that has the password "ABCDE"
in different systems/clients will have the same BCODE
(the encryption algorithm uses only the user-name to encrypt)
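An added example (not part of the thread and not SAP's code): the property described in the post above, a stored value that depends only on user name and password, means one user with one password carries the same value in every system. The sketch uses SHA-256 as a stand-in for the real algorithm and constructed rows; `toy_bcode`, `make_rows`, `shared_hashes` and `same_hash_different_user` are hypothetical names. It shows how an administrator can flag accounts that share a password between a sandbox and production, and how a per-system salt removes that portability.

```python
import hashlib

def toy_bcode(user: str, password: str, system_salt: bytes = b"") -> str:
    """Stand-in for a user-keyed password hash (SHA-256, NOT SAP's BCODE algorithm)."""
    data = system_salt + user.upper().encode() + b"\x00" + password.encode()
    return hashlib.sha256(data).hexdigest()[:16].upper()

def make_rows(accounts, system_salt=b""):
    """Build constructed (mandt, user, bcode) rows, shaped like a USR02 extract."""
    return [(mandt, user, toy_bcode(user, pw, system_salt)) for mandt, user, pw in accounts]

def shared_hashes(rows_a, rows_b):
    """Users whose stored hash is identical in both extracts (same password in both)."""
    index = {(user, bcode) for _, user, bcode in rows_a}
    return sorted({user for _, user, bcode in rows_b if (user, bcode) in index})

def same_hash_different_user(rows):
    """Hash values that appear under more than one user name in one extract."""
    seen = {}
    for _, user, bcode in rows:
        seen.setdefault(bcode, set()).add(user)
    return {b: sorted(u) for b, u in seen.items() if len(u) > 1}

# Constructed sample accounts: (client, user, password)
DEV = [("100", "USER_A", "ABCDE"), ("100", "USER_B", "ABCDE"), ("100", "USER_C", "dev-only")]
PRD = [("200", "USER_A", "ABCDE"), ("200", "USER_B", "Other1"), ("200", "USER_C", "prd-only")]

if __name__ == "__main__":
    dev, prd = make_rows(DEV), make_rows(PRD)
    # Users A and B share a password, yet their hashes differ (user name is an input).
    print("hashes shared by different users:", same_hash_different_user(dev))
    # User A has the same password in both systems, so the hash matches across them.
    print("identical hash in DEV and PRD:", shared_hashes(dev, prd))
    # With a salt that differs per system, the same password no longer matches.
    dev_s, prd_s = make_rows(DEV, b"dev-salt"), make_rows(PRD, b"prd-salt")
    print("identical hash with per-system salt:", shared_hashes(dev_s, prd_s))
```
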
You say:
<b>You may also try (the last option that is available):
if you have another system (for example PROD),
you can over-ride the password of your users (field bcode in usr02)
from the system you know the password</b>.
Could you explain above in detail?
Thanks!
Message was edited by:
jennifer lee
please check the parameter: login/no_automatic_usr_sapstar
the first login would re-create the sap* user,
you may look at:
and also:
the only way to find out the password,
is to write a Brute Force program,
which <u>tries every possible password combination</u> until
it finds the password (for example: aaaaaaaa, aaaaaaab, aaaaaaac .... zzzzzzzz)
there are several ways to implement:
1. write an abap program,
which calls the encryption function with the name 'XX_PASS'
this function gets an unencrypted password and encrypts it to the bcode field in usr02.
You can't see this function in SE37, don't search for it, this is an internal function. SAP sometimes uses kernel commands, which are not written in ABAP,
therefore, you cannot see the algorithm behind the encryption (good way to hide from us).
2. use recording tools, like load-runner, and try all the password combinations.
Of course, this can take hours in the best case, due to the fact that in 8 bytes of password, there are 18446744073709551616 possibilities (256^8); in addition, there is a new password policy that you can use, that gives up to 20 bytes of password (256^20)
I forgot to mention, after you login with SAP* you can reset your own password (there is no need to decode the password field (bcode) in usr02)
(p.s. if you cannot login with sap* after you delete it from usr02,
you would have to change the value of the profile parameter login/disable_sapstart_auto_login (or something like that) to 0)
there is a simple solution for this problem,
just delete the user sap* from usr02,
and then logon with sap* with the default password (init/pass)
Hi,
Don't try, it will not be possible, it is very difficult.
See the links below:
http://help.sap.com/saphelp_nw2004s/helpdata/en/f7/c2953fc405330ee10000000a114084/frameset.htm
http://help.sap.com/saphelp_nw2004s/helpdata/en/c5/9b2f03f05011d3a6510000e835363f/frameset.htm
http://help.sap.com/saphelp_nw2004s/helpdata/en/cd/96c041a2236a24e10000000a1550b0/frameset.htm
Regards
Chilla
<i>reward points if it is helpful..</i>
Hi Jennifer,
>>>>Could you tell me how to decode the password?
if it was possible (in any easy way) then SAP would not be very secure,
would it?
but have a look at this thread:
http://seclists.org/pen-test/2006/Feb/0044.html
it may give you some idea on how difficult it gets
Regards,
michal
I think you can't do it. The other workaround I would suggest is to reset the password to what you want it to be.