Elevating privileges via cracking password hashes
The passwords of all Users in an ABAP system are stored as cryptographic hashes in various tables.
These Tables are:
- USR02
- USH02
- USRPWDHISTORY
- USH02_ARC_TMP
- VUSER001
- VUSR02_PWD
- USR_TOTP
- EDIDC (Idocs from CUA)
There are various ways to access the content of those tables with the consequence of disclosing the hashes. SAP development implemented different hash algorithms throughout the years. The below list shows a breif overview of the used algorithms, starting from the weakest first:
| Algorithm | comment |
|---|---|
| BCODE | outdated an highly insecure |
| PASSCODE | outdated and insecure |
| PWDSALTEDHASH | currently recommended version |
A detailed explanation is available here.
Weak protection of SAP password hash values stored in the mentioned tables due to old/outdated algorithms still actively used within your system may allow attackers to extract and recalculate original passwords. This enables authentication under different SAP user IDs, including highly privileged accounts. This circumvents legitimate access controls and permits impersonation of valid users, posing a significant risk to the availability and integrity of the systems as well as the confidentiality of business-critical data.
Older SAP password hash algorithms (such as those based on weak cryptographic functions) are vulnerable to brute-force or dictionary attacks using widely available cracking tools.
- Extraction of hashes using Transaction (SE16, SE16N, DBA_COCKPIT, etc)
- Extraction of hashes via OS Command (special case, access underlying database and tables mentioned above (SQL-Query with Select statement) (more information here)
- Cracking hashes (e.g. with Hashcat, John the Ripper)
- Supported hashtypes from Hashcat (by 26th September 2025):
- SAP CODVN B (BCODE)
- SAP CODVN B (BCODE) from RFC_READ_TABLE
- SAP CODVN F/G (PASSCODE)
- SAP CODVN F/G (PASSCODE) from RFC_READ_TABLE
- SAP CODVN H (PWDSALTEDHASH) iSSHA-1
- SAP CODVN H (PWDSALTEDHASH) isSHA512
- Supported hashtypes from Hashcat (by 26th September 2025):
- Use at least PWDSALTEDHASH for all your current hashes
- Please check SAP recommended mitigations in SAP-Note 1237762
- Migrate to current hashing algorithms via silent-migration
- Removing depricated hashes
- Follow parameter recommendations from SAP security baseline template to enforce secure hashing algorithms
- Block & Monitor access to tables USR02, USH02 and USRPWDHISTORY to unauthorized users/accesses
- Use Authorization objects/groups to block table access
- Monitor access to table USR02, especially download of complete table data
- Disable user password login and use SSO (+SNC) authentication.
- Protection against password hash attacks
- Migrate hashes to latest version
- How to find user name with legacy hash values when executing report CLEANUP_PASSWORD_HASH_VALUES
- SAP Security Baseline Template
- In depth analysis - Password Hash Algorithms
- Report ZCLEANUP_PASSWORD_HASH_VALUESX - Remove weak password hash values
- Protect read access to password hash value tables
- SAP IDOC Hash Harvester
- Hashcat pasword bruteforcer
- John the Ripper