REPORT ZUSR40 NO STANDARD PAGE HEADING.
**************************************************************
*Hacking methods like the "word list attack" or "dictionary
*attack" achieve a surprisingly high password-cracking rate on
*SAP systems. Despite SAP's extensive protection mechanisms
*(irreversible password hash, password aging, minimum length,
*must differ from the last 5 passwords, cannot contain the
*first three characters of the user name ...) there is no
*good protection against weak (guessable) passwords.
*
*This program takes one of the most popular UNIX password
*cracking dictionaries (the CRACK word list, available on the
*web) as input and, after filtering and varying the words
*according to the SAP password rules, inserts them into USR40
*(table of illegal passwords). This prevents users from
*choosing weak passwords.
*Schedule this program to run in batch, because it runs for a
*couple of hours.
**************************************************************
TABLES: USR40.
DATA: I TYPE I, MIN_LENGTH TYPE I.
DATA: NUMBERS(11) VALUE ' 0123456789'.
DATA: BEGIN OF DATA_TAB OCCURS 5000,
        LINE(12),
      END OF DATA_TAB.
DATA: BEGIN OF VARIATION_TAB OCCURS 5000,
        LINE(12),
      END OF VARIATION_TAB.
* Rows in the shape of USR40, so that the password is mapped to BCODE
* explicitly instead of relying on a flat character move
DATA: USR40_TAB LIKE USR40 OCCURS 5000 WITH HEADER LINE.
DATA: BEGIN OF PARAMETER OCCURS 500,
        STATUS LIKE SY-INDEX,
        NAME(60),
        CURRENT(60),
        DEFAULT(60),
      END OF PARAMETER.
* Find out the value of login/min_password_lng
CALL 'C_SAPGALLPARAM' ID 'PAR_SUB' FIELD PARAMETER-*SYS*.
LOOP AT PARAMETER.
  IF PARAMETER-NAME = 'login/min_password_lng'.
    MIN_LENGTH = PARAMETER-CURRENT.
    EXIT.
  ENDIF.
ENDLOOP.
* If the parameter could not be read, fall back to 3 (the default of
* older releases); otherwise every line, even an empty one, would pass
* the length test below.
IF MIN_LENGTH < 1.
  MIN_LENGTH = 3.
ENDIF.
* Upload from the frontend workstation (alternative, not used here)
*CALL FUNCTION 'WS_UPLOAD'
*  EXPORTING
*    FILENAME = 'c:\temp\dict.txt'
*  TABLES
*    DATA_TAB = DATA_TAB.
* Upload from the application server.
* Caveat: /tmp is world-writable, so anyone with a shell on the server
* can plant or replace this file; prefer a directory that only the
* <sid>adm user can write to.
OPEN DATASET '/tmp/dict.txt' IN TEXT MODE FOR INPUT.
IF SY-SUBRC <> 0.
  WRITE: / 'Cannot open /tmp/dict.txt'.
  EXIT.
ENDIF.
DO.
  READ DATASET '/tmp/dict.txt' INTO DATA_TAB-LINE.
  IF SY-SUBRC <> 0. EXIT. ENDIF.
  APPEND DATA_TAB.
ENDDO.
CLOSE DATASET '/tmp/dict.txt'.
* Remove the short and long words
MIN_LENGTH = MIN_LENGTH - 1.
LOOP AT DATA_TAB.
  I = STRLEN( DATA_TAB-LINE ).
* Words longer than 8 do not fit into USR40-BCODE (8 characters), and
* words shorter than login/min_password_lng - 1 cannot reach the
* minimum length even with a trailing digit appended.
* USR40 treats '*' and '?' as wildcards: a dictionary line containing
* them would block far more than one password, so drop it as well.
  IF I > 8 OR I < MIN_LENGTH OR DATA_TAB-LINE CA '*?'.
    DELETE DATA_TAB.
  ELSE.
    TRANSLATE DATA_TAB-LINE TO UPPER CASE.
    MODIFY DATA_TAB.
  ENDIF.
ENDLOOP.
* Add a trailing digit (e.g. PENCIL -> PENCIL0, PENCIL1, PENCIL2 ...).
* Only for words of up to 7 characters: an 8-character word plus a digit
* would be truncated back to the bare word when stored in USR40-BCODE.
LOOP AT DATA_TAB.
  I = STRLEN( DATA_TAB-LINE ).
  CHECK I < 8.
  DO 10 TIMES.
    VARIATION_TAB-LINE = DATA_TAB-LINE.
*   NUMBERS+SY-INDEX(1) is '0' for SY-INDEX = 1 ... '9' for SY-INDEX = 10;
*   put it into the last column and squeeze the blanks out
    VARIATION_TAB-LINE+11(1) = NUMBERS+SY-INDEX(1).
    CONDENSE VARIATION_TAB-LINE NO-GAPS.
    APPEND VARIATION_TAB.
  ENDDO.
ENDLOOP.
************************************************************************
* Insert your own code here to add further variations:
* words backwards, number substitutions such as 3 for E, 1 for I or L,
* 5 or 2 for S, 7 for L ...
************************************************************************
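* The following Python script is an added example and is not part of the
* ZUSR40 program. It reimplements the filter-and-vary pipeline offline and
* adds the two variation families the comment block above suggests:
* reversed words and digit-for-letter substitutions. It assumes an
* 8-character BCODE (as stated in the comment on the length check), takes
* the minimum length as an argument instead of reading
* login/min_password_lng, and its LEET table is one reading of the list
* "3 for E, 1 for I or L, 5 or 2 for S, 7 for L". The sample dictionary is
* constructed. Its output is one word per line, which this program can
* consume from /tmp/dict.txt; the program's own filtering and
* de-duplication still apply on top.

```python
"""Offline generator for USR40 candidate entries (added example, not ZUSR40 code)."""
import sys
from itertools import product

BCODE_LEN = 8            # assumed width of USR40-BCODE, as the ZUSR40 comment states
WILDCARDS = set("*?")    # USR40 treats these as wildcards; never insert them

# One reading of the suggested substitutions: each letter may stay as it is
# or be replaced by any of the listed digits.
LEET = {"E": "3", "I": "1", "L": "17", "S": "52"}

# Constructed sample input, standing in for a CRACK-style word list.
SAMPLE_DICT = ["pencil", "sap", "Sales", "a*", "password",
               "hello world", "", "lemon"]


def base_words(lines, min_len):
    """Normalise raw dictionary lines the way ZUSR40 does: upper-case, drop
    blank lines, inner spaces and wildcards, keep lengths in [min_len-1, BCODE_LEN]."""
    out = []
    for raw in lines:
        w = raw.strip().upper()
        if not w or " " in w or WILDCARDS & set(w):
            continue
        if min_len - 1 <= len(w) <= BCODE_LEN:
            out.append(w)
    return out


def with_trailing_digit(w):
    """PENCIL -> PENCIL0 .. PENCIL9; skipped when the result would not fit BCODE."""
    if len(w) >= BCODE_LEN:
        return []
    return [w + d for d in "0123456789"]


def reversed_word(w):
    """PENCIL -> LICNEP."""
    return [w[::-1]]


def leet_variants(w, limit=64):
    """All combinations of digit-for-letter substitutions from LEET, capped at
    `limit` per word so that a letter-heavy word cannot explode the list."""
    choices = [c + LEET.get(c, "") for c in w]   # original char first, then alternatives
    variants = []
    for combo in product(*choices):
        v = "".join(combo)
        if v != w:
            variants.append(v)
        if len(variants) >= limit:
            break
    return variants


def candidates(lines, min_len):
    """Full candidate set: base words plus all variations, each restricted to
    the length window [min_len, BCODE_LEN], de-duplicated and sorted."""
    result = set()
    for w in base_words(lines, min_len):
        if len(w) >= min_len:
            result.add(w)
        for v in with_trailing_digit(w) + reversed_word(w) + leet_variants(w):
            if min_len <= len(v) <= BCODE_LEN:
                result.add(v)
    return sorted(result)


if __name__ == "__main__":
    # usage: python gen_usr40.py [dictionary_file] [min_len]  > /tmp/dict.txt
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DICT
    min_len = int(sys.argv[2]) if len(sys.argv) > 2 else 6
    for word in candidates(src, min_len):
        print(word)
```

* Words that only reach the minimum length once a digit is appended (like
* SALES with a minimum of 6) contribute their digit variants but not the
* bare word, mirroring the "MIN_LENGTH - 1" handling in the ABAP code.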
* Merge the results and drop the stuff that is still too short.
LOOP AT DATA_TAB.
  I = STRLEN( DATA_TAB-LINE ).
  IF I > MIN_LENGTH.
    VARIATION_TAB-LINE = DATA_TAB-LINE.
    APPEND VARIATION_TAB.
  ENDIF.
ENDLOOP.
CLEAR DATA_TAB. REFRESH DATA_TAB.
* Who knows what kind of junk data we have in the dictionary file
SORT VARIATION_TAB BY LINE.
DELETE ADJACENT DUPLICATES FROM VARIATION_TAB COMPARING LINE.
* Fill up USR40. Go through a work area typed like USR40 so that the
* password lands in BCODE (truncated to its width) and not in whatever
* field happens to come first in the table structure.
LOOP AT VARIATION_TAB.
  CLEAR USR40_TAB.
  USR40_TAB-BCODE = VARIATION_TAB-LINE.
  APPEND USR40_TAB.
ENDLOOP.
INSERT USR40 FROM TABLE USR40_TAB ACCEPTING DUPLICATE KEYS.
COMMIT WORK.
WRITE: / SY-DBCNT, 'entries inserted into USR40'.