Sap. brute-force cracking of the ddic account password of the SAP system

Goller. cn sap Education	Sponsor Link
Www.goller.cn

Reference:
Data from searchsap.com.
Here is how to find lostSAP* AndDdicPasswords:
1) Logon As DB admin (on Oracle: ora, for Informix: Informix)
2.) run the SQL program of your database (on Oracle: sqlplus, for Informix: dbaccess)
3.) Important: Make a current snapshot of the table. Do an export on table usr02
(Oracle: Use the command exp, Informix: Use dbexport)... alternative: Create
Table copy of usr02 this will be used if anything goes wrong.
4.) now do a SELECT command on table usr02. the idea is to check ifSAP* Is present
In the client you want. (command: Select * From usr02 where mandt = 'xxx' and
Bname ='SAP* '... Mandt here is the client)... this is an optional step...
5.) The next step is to make a copy ofSAP* Table Record (to be used on step
#9). For Oracle, create a temporary table with usr02 structure and insert the value
SAP* From the client that you want. For Informix, you may just copy the exported
Usr02 data and edit it using VI to delete other records otherSAP* .. Or use
The same steps as in Oracle.
6.) Delete the recordSAP* On the required client only on table usr02. (command:
Delete from usr02 where mandt = 'xxx' and bname ='SAP*').
Commit the changes, if needed.
7.) Now logonSAP. Use the IDSAP* And PasswordPass(Or 06071992). You can now
Edit the password forDdicUser ID. You have to create a user ID or give
AuthorizationDdic(If needed) to access transaction su01.

Thanks to Dragon. Lan

Test environment:
Windows 2003 SP1
Sap r/3 ides 4.71 <Sid: r3d>
Oracle 9.2.0.1
Client 800 (ddic: 123456)
Client 100 (ddic: 123456) Copy 800

Export r3d data tables using Exp:
C:/> exp

Export: Release 9.2.0.2.1-production on Fri Feb 1 21:58:00 2008

Copyright (c) 1982,200 2, Oracle Corporation. All rights reserved.

Username: sapr3d 'schema default sap <Sid>
Password:

Connected to: Oracle9i Enterprise Edition Release 9.2.0.2.1-Production
With the partitioning, OLAP and Oracle Data Mining options
Jserver release 9.2.0.2.0-Production
Enter array fetch buffer size: 4096>

Export File: expdat. DMP> 200802012158_usr02.dmp

(2) U (SERS), or (3) T (Ables): (2) U> T

Export table data (yes/no): Yes> Y

Compress extents (yes/no): Yes> Y

Export done in we8dec Character Set and utf8 nchar Character Set

About to export specified tables via conventional path...
Table (t) or partition (T: p) to be exported: (return to quit)> usr02

.. Exporting table usr02 2138 rows exported

Query ddic account records in client100:
C:/> sqlplus/nolog

SQL * Plus: Release 9.2.0.2.0-production on Fri Feb 1 22:01:33 2008

Copyright (c) 1982,200 2, Oracle Corporation. All rights reserved.

SQL> conn sapr3d/SAP @ r3d
Connected.
SQL> select * From usr02 where bname = 'ddic' and mandt = 100; 'be case sensitive.

Man bname bcode gltgv gltgb U class locnt
----------------------------------------------------------------------
Uflag accnt aname erdat trdat ltime ocod1
------------------------------------------------------------------------
Bcda1 C ocod2 bcda2 C ocod3 bcda3 C
-----------------------------------------------------------
Ocod4 bcda4 C ocod5 bcda5 C ver C tzone Z
-------------------------------------------------------------
Passcode
----------------------------------------
100 ddic 404cde71ee977fde 00000000 00000000 a super 0
0 sap * 19920619 20071108 205051 61dda-28640dbab5
20270712 B 26c6795eeefb72a9 20021028 B 5fc8939ab19d23ca 20000713 B

Man bname bcode gltgv gltgb U class locnt
----------------------------------------------------------------------
Uflag accnt aname erdat trdat ltime ocod1
------------------------------------------------------------------------
Bcda1 C ocod2 bcda2 C ocod3 bcda3 C
-----------------------------------------------------------
Ocod4 bcda4 C ocod5 bcda5 C ver C tzone Z
-------------------------------------------------------------
Passcode
----------------------------------------
0398bc76ddc790ab 20000713 B 5fc8939ab19d23ca 19991116 B
0000000000000000000000000000000000000000

Delete ddic user records:
SQL> Delete from usr02 where bname = 'ddic' and mandt = 100;
***************

Start the SAP system and successfully log on to the application ddic account. The password used at this time is still 123456, maybe because client100 is copying client800, And the ddic password in client800 has been changed to 123456 before the copy;

Query ddic user records again:
SQL> select * From usr02 where bname = 'ddic' and mandt = 100;

No rows selected

After the SAP system is stopped, query the ddic user records:

SQL> select * From usr02 where bname = 'ddic' and mandt = 100; 'be case sensitive.

Man bname bcode gltgv gltgb U class locnt
----------------------------------------------------------------------
Uflag accnt aname erdat trdat ltime ocod1
------------------------------------------------------------------------
Bcda1 C ocod2 bcda2 C ocod3 bcda3 C
-----------------------------------------------------------
Ocod4 bcda4 C ocod5 bcda5 C ver C tzone Z
-------------------------------------------------------------
Passcode
----------------------------------------
100 ddic 404cde71ee977fde 00000000 00000000 a super 0
0 sap * 19920619 20071108 205051 61dda-28640dbab5
20270712 B 26c6795eeefb72a9 20021028 B 5fc8939ab19d23ca 20000713 B

Man bname bcode gltgv gltgb U class locnt
----------------------------------------------------------------------
Uflag accnt aname erdat trdat ltime ocod1
------------------------------------------------------------------------
Bcda1 C ocod2 bcda2 C ocod3 bcda3 C
-----------------------------------------------------------
Ocod4 bcda4 C ocod5 bcda5 C ver C tzone Z
-------------------------------------------------------------
Passcode
----------------------------------------
0398bc76ddc790ab 20000713 B 5fc8939ab19d23ca 19991116 B
0000000000000000000000000000000000000000

Apply exp to output the usr02 data table ......

Why can't I find the account record of ddic? Ddic cannot be used either when logging on to the system, and the existence of ddic users cannot be found in application su01...

 

 

Ask the expert on the next day, and prompt: only sap * can be deleted, but do not delete ddic

Related operation records:

Sqlplus output records, delete sap * records in usr02 table;
Exit sqlplus;
Start the SAP system;
Log on to sqlplus to query sap * Records
C:/> sqlplus/nolog

SQL * Plus: Release 9.2.0.2.0-production on Sun Feb 3 21:09:12 2008

Copyright (c) 1982,200 2, Oracle Corporation. All rights reserved.

SQL> conn sapr3d/SAP @ r3d
Connected.
SQL> select * From usr02 where bname = 'sap * 'and mandt = '000000 ';

No rows selected
Log on to sap through GUI;
SAP *:PassLog on to the system and use su01 to query the sap * account. At this time, no information can be found, but the ddic password can be changed;