Skip to Content
Technical Articles
Author's profile photo Maximiliano Colman

Communication channel password recovery

Hi experts,

I bring to you the final solution for that awkward question, “What is the password in the communication channel?”, I’m sure that not always you have an answer for it, but no more answers like “I don’t know it” after reading this blog.

 

You can find the communication channel passwords using the “SimpleQuery” tool, but their are encrypted, I wrote a simple java class to decrypt them:

 

import java.util.Base64;
public class LPQTP_SAP {

	public static void main(String[] args) throws Exception {
		System.out.println(new String(getPassword(Base64.getDecoder().decode(args[0]))));
	}
	public static byte[] getPassword(byte[] aByteArray)
			throws Exception
	{
		if ((aByteArray == null) || (aByteArray.length == 0)) {
			throw new Exception(" no password given ");
		}
		if (aByteArray[0] != 1) {
			return null;
		}
		int len = aByteArray.length;
		byte[] result = new byte[len - 1];
		for (int i = 1; i < len; i++) {
			result[(len - 1 - i)] = ((byte)(aByteArray[i] ^ 0x74));
		}
		return result;
	}
}

 

Not forget, be curious! ?

Update “04.10.2019”:It seems that someone from SAP read this blog and they fixed this in SAP PO 7.5 SP 15 🙁

Best Regards.

Max.

Assigned Tags

      10 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Piotr Radzki
      Piotr Radzki

      Thanks Max, I would expect these passwords are anonymized in a more sophisticated way. Getting the password from existing channel is as easy as getting user with authorisation to run SimpleQuery to retrieve channel metadata with password. We end up with correct governance on SAP PI/PO to have strong solution here.

      If it is masked with base64 it is not really encrypted as base64 is not encrypting technic to add security layer but the encoding technique to represent binary data.

      Maybe changing encrypting word to encoding make sense in this blog?

      Cheers,

      Piotr

      Author's profile photo Maximiliano Colman
      Maximiliano Colman
      Blog Post Author

      Hi Piotr,

      They are masked in Base64 because they are encrypted!, it is not enough to decode them in Base64 to get the password, you need to apply the "decrypt algorithm" to get the password value.

       

      Kind Regards.

      Max.

      Author's profile photo Daniel Graversen
      Daniel Graversen

      Hi

      Not an optimal use of an encryption algorithm of saving a password and give access to it.

      It does look like the passwords on modules is just presented with ***, so here they have removed it.

      When viewing data with HMI protocol that is used in developer studio it seems like the passwords is encrypted in a different way. Hopefully it uses some server side key to determinate if it has been changed.

       

      Author's profile photo Maximiliano Colman
      Maximiliano Colman
      Blog Post Author

      Hi Daniel,

      Regarding the password in the adapter modules, it is worst that I through, I can not reveal the details here, but it is not necessary decrypt them, they are directly exposed!, I can not believe the security of SAP PI/PO 🙁

       

      Kind Regards.

      Max.

      Author's profile photo Daniel Graversen
      Daniel Graversen

      Hi

      That is not optimal. Clients should not get an unecrypted password. If they had just used a normal encryption it would not have been a problem. It is always a challenge to keep passwords safe.

      I guess you should not be poking around in the API for something like it. I hope it will not mean that the SimpleQuery will be removed because it is really useful to fetch information about the system.

       

      Author's profile photo rahul tandle
      rahul tandle

      ya the question was awkward but u answered it

      but its useful for few only

      Author's profile photo Maximiliano Colman
      Maximiliano Colman
      Blog Post Author

      😉

      Author's profile photo ASUTOSH MAHARANA
      ASUTOSH MAHARANA

      Hello Maximiliano,

      Can you please tell me have you used brute Force method to determine this

      (aByteArray[i] ^ 0x74)
      Author's profile photo Maximiliano Colman
      Maximiliano Colman
      Blog Post Author

      nope, just curiosity

      Author's profile photo Binod Thakur
      Binod Thakur
      Hi Maximiliano,


      Thanks for the blog.


      We are getting encrypted password in 7.1 version only, in 7.4, 7.5 v encrypted password is not coming in Simple Query it just come like ****.

      Is there any way that we can able to fetch the password from channel from either 7.4 or 7.5 PO version ?



      Thanks,

      Binod