Recently I´ve been on a situation where the password stored on SOAP Communication Channel was lost. Of course SAP protects the content by not allowing to view and copy the password, so some kind of recovery was needed.

The approach above works for any HTTP based communication using basic authentication. Should work for SOAP, HTTP and XI Adapters and also sm59 HTTP Connection type (H and G).

Never use it without knowledge of security team and system administrator.

SOAP Communication Channel HTTP destination (type H)
/wp-content/uploads/2016/04/cc_basic_authentication_926583.jpg /wp-content/uploads/2016/04/http_dest_926584.jpg

Basic Authentication is very unsafe because client sends the user and password unencrypted at http header. So a simple connection interception would be able to view the content in plain text.

1) So first install netcat (exists for windows and linux) on your local machine. Netcat will be our connection interceptor in this case.

2) Find out your local ip address (using ipconfig / ifconfig)

/wp-content/uploads/2016/04/ifconfig_926597.jpg

     In my case its 192.168.0.102.

3) Type the following command:

     # nc -l <your_ip> <any_port>

     In my case is:

     # nc -l 192.168.0.102 8080

    Netcat now listens on specified port.

4) Change your Communication Channel / HTTP Destination to your IP and port:

  

SOAP Communication Channel HTTP destination (type H)
/wp-content/uploads/2016/04/cc_changed_926599.jpg

/wp-content/uploads/2016/04/dest_changed_926598.jpg

   (also disable any SSL, SNC or Proxy, if any)

  

5) Save and activate

6) Run your connection test again and check netcat´s output:

/wp-content/uploads/2016/04/netcat_output_926600.jpg

The highlighted is the user and password header, encoded in base64.

7) Copy the content after Basic and run on some base64 decoder (https://www.google.com.br/?q=base+64+decoder+online#safe=off&q=base+64+decoder+online)

/wp-content/uploads/2016/04/decoded_926601.jpg

And that´s it!

This is one of the reasons that using Basic Authentication is not a good ideia. Using key pair certificate authentication is much more safe.

To report this post you need to login first.

Be the first to leave a comment

You must be Logged on to comment or reply to a post.

Leave a Reply