Communication channel password recovery
Hi experts,
I bring you the final solution to that awkward question, “What is the password in the communication channel?” I’m sure you don’t always have an answer for it, but after reading this blog there will be no more answers like “I don’t know it”.
You can find the communication channel passwords using the “SimpleQuery” tool, but they are encrypted. I wrote a simple Java class to decrypt them:
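import java.util.Base64;

public class LPQTP_SAP {

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("Usage: java LPQTP_SAP <Base64 value from SimpleQuery>");
            return;
        }
        byte[] password = getPassword(Base64.getDecoder().decode(args[0]));
        if (password == null) {
            // getPassword returns null when the first byte is not the expected marker
            System.err.println("Unsupported format: first byte is not 1");
            return;
        }
        System.out.println(new String(password));
    }

    // Reverses the masking: skips the leading marker byte, XORs every remaining
    // byte with the constant 0x74 and reverses the byte order. No key is involved.
    public static byte[] getPassword(byte[] aByteArray) throws Exception {
        if ((aByteArray == null) || (aByteArray.length == 0)) {
            throw new Exception(" no password given ");
        }
        // Only values whose first byte is 1 are handled
        if (aByteArray[0] != 1) {
            return null;
        }
        int len = aByteArray.length;
        byte[] result = new byte[len - 1];
        for (int i = 1; i < len; i++) {
            result[len - 1 - i] = (byte) (aByteArray[i] ^ 0x74);
        }
        return result;
    }
}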
Don’t forget, be curious!
Update “04.10.2019”: It seems that someone from SAP read this blog and they fixed this in SAP PO 7.5 SP 15 🙁
Best Regards.
Max.
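For contrast with the keyless mask that the class above reverses, here is an added example (not from the original post and not SAP's implementation) of storing a channel password under AES-GCM with a key held only on the server. The class name, method names, the 0x02 version byte and the record layout are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
// Added example: hypothetical class, method names and record layout (not SAP code).
public class ChannelSecretStore {
    static final int IV_LEN = 12, TAG_BITS = 128;
    // True for the keyless masked format the blog's class reads (decoded byte 0 == 1).
    static boolean isKeylessMasked(String stored) {
        byte[] raw = Base64.getDecoder().decode(stored);
        return raw.length > 0 && raw[0] == 1;
    }
    // AES-GCM under a server-held key; record = 0x02 || IV || ciphertext+tag.
    static String protect(SecretKey key, String channelId, String password) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(channelId.getBytes(StandardCharsets.UTF_8)); // bind record to its channel
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[1 + IV_LEN + ct.length];
        out[0] = 2; // assumed version marker, distinct from the masked format's 1
        System.arraycopy(iv, 0, out, 1, IV_LEN);
        System.arraycopy(ct, 0, out, 1 + IV_LEN, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    // Fails with AEADBadTagException on a wrong key, wrong channel or modified record.
    static String unprotect(SecretKey key, String channelId, String stored) throws Exception {
        byte[] raw = Base64.getDecoder().decode(stored);
        if (raw.length < 1 + IV_LEN + TAG_BITS / 8 || raw[0] != 2)
            throw new IllegalArgumentException("not an AES-GCM record");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, raw, 1, IV_LEN));
        c.updateAAD(channelId.getBytes(StandardCharsets.UTF_8));
        byte[] pt = c.doFinal(raw, 1 + IV_LEN, raw.length - 1 - IV_LEN);
        return new String(pt, StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey(); // assumption: real key comes from a server keystore
        String stored = protect(key, "CC_Demo", "constructed-sample-pw"); // constructed values
        System.out.println("masked format? " + isKeylessMasked(stored) + " / " + isKeylessMasked("AQAA"));
        System.out.println("round trip ok: " + unprotect(key, "CC_Demo", stored).equals("constructed-sample-pw"));
        try { unprotect(key, "CC_Other", stored); }
        catch (AEADBadTagException e) { System.out.println("rejected under another channel id"); }
    }
}
```

A client that only sees the stored record cannot recover the password without the server key, and `isKeylessMasked` can be run over exported channel metadata to list the records that still need rotation.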
Thanks Max, I would expect these passwords to be anonymized in a more sophisticated way. Getting the password from an existing channel is as easy as getting a user with authorisation to run SimpleQuery to retrieve channel metadata with the password. We end up with correct governance on SAP PI/PO to have a strong solution here.
If it is masked with Base64 it is not really encrypted, as Base64 is not an encryption technique that adds a security layer but an encoding technique to represent binary data.
Maybe changing the word "encrypting" to "encoding" makes sense in this blog?
Cheers,
Piotr
Hi Piotr,
They are masked in Base64 because they are encrypted! It is not enough to decode them in Base64 to get the password; you need to apply the "decrypt algorithm" to get the password value.
Kind Regards.
Max.
Hi
Not an optimal use of an encryption algorithm for saving a password and giving access to it.
It does look like the passwords on modules are just presented with ***, so here they have removed it.
When viewing data with the HMI protocol that is used in Developer Studio, it seems like the passwords are encrypted in a different way. Hopefully it uses some server-side key to determine if it has been changed.
Hi Daniel,
Regarding the password in the adapter modules, it is worse than I thought. I cannot reveal the details here, but it is not necessary to decrypt them, they are directly exposed! I cannot believe the security of SAP PI/PO 🙁
Kind Regards.
Max.
Hi
That is not optimal. Clients should not get an unencrypted password. If they had just used a normal encryption it would not have been a problem. It is always a challenge to keep passwords safe.
I guess you should not be poking around in the API for something like it. I hope it will not mean that the SimpleQuery will be removed because it is really useful to fetch information about the system.
ya the question was awkward but u answered it
but its useful for few only
😉
Hello Maximiliano,
Can you please tell me whether you used a brute-force method to determine this?
nope, just curiosity