We’ve all been there and suddenly you need to add another developer to your Cloud Connector but alas you can’t remember your username and/or password.

Here is a quick way to find the username and reset the password.

These details are contained within the users.xml file and in order to find its location load up services from control panel or search for services.msc

Find the SAP Cloud Connector and double clickNote in my example the folder is c:\SAP\scc20\

Open up Windows Explorer and browse to the folder and you should see the following

Look inside the config folder and open the users.xml file with notepad.

Here all users are displayed – note in my example users are Administrator and Matt

If I want to reset the password these are in SHA256 format – you can simply generate one using a website such as https://passwordsgenerator.net/sha256-hash-generator/

Copy the hash and paste into the users.xml file

Save the file and restart the service

Now I can login with Administrator and a password of mynewpassword

Some sample hashes for reference

password = 5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8

manage = 181229424893BB65D94A74C2132B8B9E5ADFE851464FDB5CB9F49E8A8204BE7B

For more information on configuring and installing the Hana Cloud Connector I can recommend this book:

With the recent releases of John the Ripper (1.7.8 and above) we now have password cracking with multiple cores available so we can crack SAP passwords faster than ever before. SAP password cracking requires the Community Edition otherwise known as the Jumbo Release to support the required hash formats.

Do not use this against systems you’re not authorised to do so.

Step 1: Dump the password hashes from SAP. You can use this ABAP Program to generate in the correct format for John the Ripper.  You could alternatively dump these direct from your backend database but it needs to be in the format the code generates.

Step 2: Download and Install John the Ripper. In the video I optionally compile for my Linux Backtrack Server and enable OpenMP for multiple core processing as this is my preference but you could alternatively download a plain precompiled version. There are also Windows binaries available you can download complete with OpenMP enabled which is partially handy if you don’t have access to multiple platforms. Which ever version you download don’t forget you need the Jumbo Community Version.

Step 3: Simply run John the Ripper against the hashes this will run through its standard rules and attempt to brute force the passwordsor with the –wordlist option to specify a dictionary attack based on any number of large word lists available.

SAP has a good note describing some features you can use to limit this type of attack – See SAP Note: 1237762

I can also recommend this book for much more information around this topic –

If you’re looking to capture SAP Passwords by sniffing your network then the simplest and easiest way has to be using Cain and Abel. Cain and Abel is a fantastic tool which I’m been using for many years and was very pleasantly surprised to see the latest version 4.9.43 supports capturing and decompressing the SAP Diag protocol.

For a demo of how to capture SAP passwords using Cain and Abel see my video below.

In order to combat the vulnerability of having your SAP passwords sniffed then SAP recommends using SNC to provide end to end encryption but I have to admit I’ve not yet seen a company with this implemented. A good alternative method would be to encrypt everything on your network by using IPSEC

If you’re looking for a more in depth network capture of the SAP DIAG protocol then see my Wireshark Posting on the same topic.

If you’re looking to capture SAP Passwords by sniffing your network then using Wireshark together with the Positive Technologies Research Labs Plugin is the perfect combination.

SAP GUI communication happens using the SAP DIAG protocol which is generally compressed making plain old networking sniffing out of the question which is exactly where the plugin comes into play.

If you want to experiment with what can be captured without compression set the system environment variable TDW_NOCOMPRESS to 1.

For a demo of how to capture SAP passwords using Wireshark see my video below.

In order to combat the vulnerability of having your SAP passwords sniffed then SAP recommends using SNC to provide end to end encryption but I have to admit I’ve not yet seen a company with this implemented.   A good alternative method would be to encrypt everything on your network by using IPSEC

If you’re looking for an even easier way to capture SAP User passwords see my Cain and Abel posting on the same topic.

Following an interesting conversation at the SAP User Group Conference about a lost password for SAP MaxDB I embarked on what I expected to be a quick bit of  investigation. I searched the SAP Support Portal along with the SDN and was amazed I couldn’t find a reset procedure.

MaxDB Password Reset Procedure – Video Walkthrough

Ideally take a backup first and if you’re able to bring the database down before editing then all the better, failing that a reboot immediately after seems to keep things happy. I have seen an error once or twice when then first changing the password but re-trying the command has always cleared things up.

MaxDB 7.6 Password Reset

Find the target user in the upc file, overwrite the hash with zeros. Save and reboot.

Setting the control users password to ‘password’

MaxDB 7.7 Password Reset

Find the target user in the upc file, paste in a password hash which sets to ‘password’. Save and reboot.

Sample Hashes :
password = 358883B07AA93121891B4A932433115FB3DC1CC00B5027D8
sap = D8835545B45CD7401D82B49D2433115FB3DC1CC00B5027D8

Setting the dbm users password to ‘newpassword’

MaxDB 7.8 Password Reset

Find the target user in the upc file, paste in a both password hashes as shown which sets to ‘password’. Save and reboot.

Sample Hashes:
password =  358883B07AA93121891B4A932433115FB3DC1CC00B5027D8                       041819B201CD7CA6281FC4507B5F3866145D8A61D7246E1FD928

sap=
D8835545B45CD7401D82B49D2433115FB3DC1CC00B5027D8          04188B272DD84C48BA488F55E5B9012916D651F522CEEF0D29DC
Setting the dbm users password to ‘newpassword’ with both the older version of dbmcli found in the database manager tool and then with current version, this keep everything in a happy consistent state.

For a small bit of background check out How I Discovered the MaxDB Password Reset Procedure

Step 1: I fired up an excellent tool Process Monitor from SysInternals (Now Microsoft owned), opened up the database manager tool and reset my users password. I then reviewed all the events that had just happened, initially looking to see what files has been read from thus attempting to gain clues to how the change password operation might be working. Then later looking at what files had been written to ultimately hoping to see where the password might be saved.

Step 2: From analysis of the sdb.upc file I could see my users in plain text. I could be on to something interesting.

Step 3: After taking a backup of the upc file I changed the password once more and compared the two files. I could see clearly the only change made, this must be an encrypted version of the password.

Step 4: Now I was interested in see if the password was being salted with perhaps with a user name, hostname or some other secret. Comparing the password hashes across different servers, different versions and different database names showed no difference at all. Handy… for us.

A quick check proves I can simply copy and paste hashes between password files to reset them. I tried simply setting the password hash to all zeros which works nicely but only for version 7.6 as later versions generate an error.