Details about new SAP CODVN H - Iterated random-salted passwords (PWDSALTEDHASH)
#1
Currently in beta testing, oclHashCat added support for the SAP CODVN H - Iterated random-salted SHA1 (iSSHA-1) PWDSALTEDHASH (-m 10300) algorithm. The SHA2 based variants will be included soon (iSSHA-256, iSSHA-384, iSSHA-512).

Here you will find the details.

SAP uses different mechanisms (code versions) for generating and storing hashed passwords (see http://www.daniel-berlin.de/security/sap...lgorithms/ for an overview).

oclHashcat currently supports code versions CODVN B (BCODE (-m 7700)) and CODVN F/G (PASSCODE (-m 7800)).

The SAP CODVN H mechanism uses a different scheme called "Iterated random-salted SHA1". It uses a randomly generated salt (the length can be set with the saltsize parameter, between 32 and 128 bits), a configurable number of iterations (1 - 2^32), the encoding (RFC2307/RFC3112) and the hashing mechanism used (iSSHA-1 / iSSHA-256 / iSSHA-384 / iSSHA-512).

The use of the CODVN H mechanism and supported parameter settings is described in SAP notes:
  • SAP note 991968 - List of Values for "login/password_hash_algorithm". http://service.sap.com/sap/support/notes/991968 (needs an SAP Service Marketplace ID to access). Describes the configuration of iSSHA-1.
  • SAP note 2076925 - Additional SHA password hash algorithms supported. http://service.sap.com/sap/support/notes/2076925 (needs an SAP Service Marketplace ID to access). Describes the use of iSSHA-256, iSSHA-384 and iSSHA-512, which I think is only supported in the latest support package levels.

Recent SAP kernels use iSSHA-1 / CODVN H code version as a default. Settings are controlled in a profile. The default parameter settings are:
login/password_hash_algorithm = encoding=RFC2307, algorithm=iSSHA-1, iterations=1024, saltsize=96

The stored hash (PWDSALTEDHASH) in table USR02 for iSSHA-1 hashes looks like:
{x-issha, 1024}IlU5JC/UaAzvUl8ncaxIBlFQ1Nfd0C5YxkizRFg970g=
(1024 is the default number of iterations, but it can be adjusted as explained before)

The mechanism used by SAP for its code version H is described in patent US 20080235772 A1 "Iterated password hash systems and methods for preserving password entropy". See http://www.google.com/patents/US20080235772

In short the idea is this (see patent):

HV_1 = HF(P + S)
HV_n = HF(HV_(n-1) + P)

where:
P represents the password data;
S represents the salt value;
n represents the iteration count;
HF represents the hash function; and
HV represents the hash value.

To reproduce it you have to decode the base64 encoded string, which in the example above results in 32 bytes of data. The first 20 bytes are the hashed end-value, the last 12 bytes are the randomly generated salt.
Note that you have to use the binary digest of the salt value (only first iteration) and the binary digest of resulting HV1/HVn value (in other words, not the hex value).

A quick Proof of Concept Perl script to reproduce the scheme (fixed to a salt size of 96 bits, 1024 iterations, SHA1 and RFC2307 encoding):
Code:
# SAP PWDSALTEDHASH (CODVN H) {x-issha, 1024}
# e.g. {x-issha, 1024}IlU5JC/UaAzvUl8ncaxIBlFQ1Nfd0C5YxkizRFg970g=
# Controlled by SAP profile parameter setting (default setting below):
# login/password_hash_algorithm = encoding=RFC2307, algorithm=iSSHA-1, iterations=1024, saltsize=96
use strict;
use warnings;
use Crypt::Digest::SHA1 qw(sha1);   # binary SHA1 digest (CryptX); Digest::SHA's sha1() behaves the same
use MIME::Base64;
my $issha      = decode_base64("IlU5JC/UaAzvUl8ncaxIBlFQ1Nfd0C5YxkizRFg970g=");  # sample hash, password is "Pindakaas!"
my $issha_data = substr($issha, 0, 20);     # first 20 bytes are the final hashed data
my $issha_salt = substr($issha, 20, 12);    # last 12 bytes are the salt (saltsize 96 bits)
my $password   = "Pindakaas!";              # clear text password to test
my $result = sha1($password . $issha_salt); # first iteration: SHA1(password + salt)
for (my $iteration = 2; $iteration <= 1024; $iteration++) {   # repeat until iterations reached (default is 1024)
    $result = sha1($password . $result);    # SHA1(password + binary SHA1 result of the last round)
}
if ($result eq $issha_data) { print "Found! Password is $password\n"; }
else                        { print "Password not correct\n"; }

The other CODVN H variants based on SHA2 work exactly the same. Just adjust the substr lengths, iterations and digest in the above code.

These mechanisms are only supported in the latest SAP kernels, however the default is still iSSHA-1.

Below are some sample hashes for iSSHA-256, iSSHA-384 and iSSHA-512. The password for the 256 and 384 variants is set to "HashCat!". The iSSHA-512 one is set to "testtest".

encoding=RFC2307, algorithm=iSSHA-256, iterations=10000, saltsize=128
{x-isSHA256, 10000}MMuaPcoQH1RbzPUdV3/kjNsG27X6UYILSCW8yDSD70skvasBGNvXXhFPKJcWKmDS

encoding=RFC2307, algorithm=iSSHA-384, iterations=7500, saltsize=96
{x-isSHA384, 7500}kqOPN/VxvZXpD8zEiRBAe1L6fW6GTXRd/RFl0AbaEbyCZFeMBA8+NKV6MG2Me2u3ZRlCdflPuccjtr55

encoding=RFC2307, algorithm=iSSHA-512, iterations=15000, saltsize=128
{x-isSHA512, 15000}lbaY7cwziH2rPfBdr9T3mZKT/DMXstwSzT1mXNipjYxqoIXfmKBIrcfSNkwq/S5DbqtrDCKX7iOnzPhnIyXRitydEZPrB/BseZ799wYL2O0=

In general to reduce the risk, SAP recommends limiting access to the tables containing password hash values. You can read more about this in SAP notes:
cheers,

MV
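As an added worked example (written for this thread, not MV's PoC and not hashcat's code), the Python below generalises the Perl script above to all four CODVN H variants: it parses the `{x-is..., N}` prefix, splits the decoded value into digest and salt by the digest size (so the salt size never has to be hard-coded), re-runs the iteration chain and compares the result in constant time. The UTF-8 password encoding and the `make_hash` helper with a caller-supplied salt are assumptions added for testing.

```python
import base64
import hashlib
import hmac
import re

# Digest per prefix. The salt length is not encoded: it is whatever remains after the digest.
PREFIXES = {"x-issha": "sha1", "x-isSHA256": "sha256",
            "x-isSHA384": "sha384", "x-isSHA512": "sha512"}
_FORMAT = re.compile(r"^\{(x-is\w+),\s*(\d+)\}([A-Za-z0-9+/]+=*)$")

def parse_pwdsaltedhash(stored):
    """Return (digest name, iterations, stored digest, salt) for one PWDSALTEDHASH value."""
    m = _FORMAT.match(stored)
    if not m or m.group(1) not in PREFIXES:
        raise ValueError("not a supported CODVN H value: %r" % stored)
    algo, iterations = PREFIXES[m.group(1)], int(m.group(2))
    raw = base64.b64decode(m.group(3))
    dlen = hashlib.new(algo).digest_size
    if len(raw) <= dlen:
        raise ValueError("decoded value leaves no room for a salt")
    return algo, iterations, raw[:dlen], raw[dlen:]

def issha(algo, password, salt, iterations):
    """HV1 = HF(P + S), then HVn = HF(P + HVn-1), chaining the binary digest as the Perl PoC does."""
    pw = password.encode("utf-8")          # assumption: password bytes are UTF-8
    hv = hashlib.new(algo, pw + salt).digest()
    for _ in range(1, iterations):
        hv = hashlib.new(algo, pw + hv).digest()
    return hv

def verify(stored, password):              # constant-time check of one candidate password
    algo, iterations, digest, salt = parse_pwdsaltedhash(stored)
    return hmac.compare_digest(issha(algo, password, salt, iterations), digest)

def make_hash(password, salt, algo="sha1", iterations=1024):  # same layout: digest || salt, base64
    prefix = next(p for p, a in PREFIXES.items() if a == algo)
    raw = issha(algo, password, salt, iterations) + salt
    return "{%s, %d}%s" % (prefix, iterations, base64.b64encode(raw).decode("ascii"))

# Sample values quoted from the post above, with the passwords the post gives for them.
PAGE_SAMPLES = [
    ("{x-issha, 1024}IlU5JC/UaAzvUl8ncaxIBlFQ1Nfd0C5YxkizRFg970g=", "Pindakaas!"),
    ("{x-isSHA256, 10000}MMuaPcoQH1RbzPUdV3/kjNsG27X6UYILSCW8yDSD70skvasBGNvXXhFPKJcWKmDS", "HashCat!"),
    ("{x-isSHA384, 7500}kqOPN/VxvZXpD8zEiRBAe1L6fW6GTXRd/RFl0AbaEbyCZFeMBA8+NKV6MG2Me2u3ZRlCdflPuccjtr55", "HashCat!"),
    ("{x-isSHA512, 15000}lbaY7cwziH2rPfBdr9T3mZKT/DMXstwSzT1mXNipjYxqoIXfmKBIrcfSNkwq/S5DbqtrDCKX7iOnzPhnIyXRitydEZPrB/BseZ799wYL2O0=", "testtest"),
]
```

Running `verify(stored, pw)` over `PAGE_SAMPLES` reproduces the thread's results; `parse_pwdsaltedhash` alone is enough to audit an USR02 export for weak iteration counts or salt sizes without touching any password.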
#2
Great.

Very well done.

But there is a very important thing you missed in your nice description:
as far as we know oclHashcat is the first cracker to support cracking those SAP H hashes.
No other cracker does currently support this format and the algorithm details were not even known before.

Thanks
#3
Many thanks, MV!!!

Here's a benchmark:

Quote:oclHashcat v1.32 starting in benchmark-mode...

Device #1: Hawaii, 3072MB, 1000Mhz, 44MCU
Device #2: Hawaii, 3072MB, 1000Mhz, 44MCU

Hashtype: SAP CODVN H (PWDSALTEDHASH) iSSHA-1
Workload: 1024 loops, 16 accel

Speed.GPU.#1.: 2257.3 kH/s
Speed.GPU.#2.: 2257.5 kH/s
Speed.GPU.#*.: 4514.8 kH/s

Started: Mon Nov 3 23:07:54 2014
Stopped: Mon Nov 3 23:08:09 2014