In order to interact with IBM MQ in any way, we need to install the IBM MQ Client libraries, which are available only from the IBM website. Account registration is required to get hold of them.
### Step 1: Installing prerequisites
**Pre-requisites: IBM MQ Client**
1. Download the [IBM MQ V9.0.0.4 LTS Clients](http://ibm.biz/mq9004clients) - the file should be named: `9.0.0.4-IBM-MQC-LinuxX64.tar.gz` (_9.0.0.4 Client install image for IBM MQ on Linux X86-64_) - size: 397MB
These processes run impersonated as a highly privileged service user (according to the usernames table available below, at 2). These users are local SAM users, which means we might be able to dump their NTLM hashes and crack them, or even change their passwords to whatever value we wish, to facilitate successful IBM MQ server authentication.
**Externally:**
By using `punch-mq` we can:
1) Discover/brute-force available CHANNELS
2) Enumerate usernames (valid UserId fields)
3) Enumerate Queue Manager names
4) List available Channels or Queues as an authenticated user
5) PUT, GET, dump, save and sniff messages given an existing QUEUE name, as an authenticated user
6) Issue OS commands by the use of the `PCFExecute` functionality
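From the queue manager's side, the channel discovery and credential guessing listed above leave a trail in the queue manager error log (`AMQERR01.LOG` under the queue manager's `errors` directory). The script below is an added detection example for these notes, not code from punch-q, pymqi or IBM. It groups log entries by source address and counts the message IDs that an enumeration run produces. The message identifiers AMQ9519 (channel not found), AMQ5534 (user ID authentication failed), AMQ9776 and AMQ9777 (channel blocked by a CHLAUTH rule) are real IBM MQ messages, but the sample entries, their exact wording and the `address '...'` phrasing in the AMQ5534 entry are constructed assumptions, as is the record layout the parser expects.

```python
"""Flag source addresses that generate repeated IBM MQ channel/authentication
failures, given text in the layout of an AMQERR01.LOG error log.

Added example, not from punch-q/pymqi/IBM.  The record layout and SAMPLE_LOG
are constructed; only the AMQ message numbers are real IBM MQ identifiers.
"""
import re
from collections import defaultdict

# Message IDs that a channel/username enumeration run typically produces.
PROBE_IDS = {
    "AMQ9519": "channel name not found",
    "AMQ5534": "user ID authentication failed",
    "AMQ9776": "channel blocked by CHLAUTH BLOCKUSER/USERMAP rule",
    "AMQ9777": "channel blocked by CHLAUTH ADDRESSMAP rule",
}

# Constructed sample log: four entries from 10.0.0.5 (one without an address),
# one benign channel-start entry, and a single blocked attempt from 10.0.0.9.
SAMPLE_LOG = """\
10/05/2018 14:02:11 - Process(1234.5) User(mqm) Program(amqrmppa)
                      Host(mqhost) Installation(Installation1)
                      VRMF(9.0.0.4) QMgr(QM1)

AMQ9519: Channel 'ADMIN.SVRCONN' not found.

EXPLANATION:
The requested operation failed because the program could not find a definition of channel 'ADMIN.SVRCONN'.
ACTION:
Check that the name is specified correctly and the channel definition is available.
----- amqrcsia.c : 1059 -------------------------------------------------------
10/05/2018 14:02:12 - Process(1234.5) User(mqm) Program(amqrmppa)
                      Host(mqhost) Installation(Installation1)
                      VRMF(9.0.0.4) QMgr(QM1)

AMQ9777E: Channel was blocked

EXPLANATION:
The inbound channel 'SYSTEM.ADMIN.SVRCONN' was blocked from address '10.0.0.5' because the active values of the channel matched a record configured with USERSRC(NOACCESS).
ACTION:
Contact the systems administrator.
----- cmqxrmsa.c : 1565 -------------------------------------------------------
10/05/2018 14:02:13 - Process(1234.5) User(mqm) Program(amqrmppa)
                      Host(mqhost) Installation(Installation1)
                      VRMF(9.0.0.4) QMgr(QM1)

AMQ9776E: Channel was blocked by userid

EXPLANATION:
The inbound channel 'APP.SVRCONN' was blocked from address '10.0.0.5' because the active values of the channel were mapped to a userid which should be blocked.
ACTION:
Contact the systems administrator.
----- cmqxrmsa.c : 1582 -------------------------------------------------------
10/05/2018 14:02:14 - Process(1234.5) User(mqm) Program(amqrmppa)
                      Host(mqhost) Installation(Installation1)
                      VRMF(9.0.0.4) QMgr(QM1)

AMQ5534E: User ID 'mqm' authentication failed

EXPLANATION:
The user ID and password supplied by a client from address '10.0.0.5' could not be authenticated.
ACTION:
Ensure that the correct user ID and password are provided by the application.
----- amqzfuca.c : 4403 -------------------------------------------------------
10/05/2018 14:05:00 - Process(1234.6) User(mqm) Program(amqrmppa)
                      Host(mqhost) Installation(Installation1)
                      VRMF(9.0.0.4) QMgr(QM1)

AMQ9002: Channel 'APP.SVRCONN' is starting.
----- amqrccca.c : 931 --------------------------------------------------------
10/05/2018 14:06:30 - Process(1234.7) User(mqm) Program(amqrmppa)
                      Host(mqhost) Installation(Installation1)
                      VRMF(9.0.0.4) QMgr(QM1)

AMQ9777E: Channel was blocked

EXPLANATION:
The inbound channel 'SYSTEM.DEF.SVRCONN' was blocked from address '10.0.0.9' because the active values of the channel matched a record configured with USERSRC(NOACCESS).
ACTION:
Contact the systems administrator.
----- cmqxrmsa.c : 1565 -------------------------------------------------------
"""

# Each entry ends with a "----- <source file> : <line> -----..." trailer line.
ENTRY_SPLIT = re.compile(r"^-{5}.*-{5}[ \t]*$", re.MULTILINE)
# "AMQ9777E:" style message line; the severity suffix letter is dropped.
MSG_RE = re.compile(r"^(AMQ\d{4})[A-Z]?:", re.MULTILINE)
ADDR_RE = re.compile(r"address '([0-9A-Fa-f:.]+)(?:\(\d+\))?'")
CHANNEL_RE = re.compile(r"channel '([^']+)'", re.IGNORECASE)


def parse_entries(text):
    """Split the log into entries and extract (msgid, source address, channel)."""
    events = []
    for chunk in ENTRY_SPLIT.split(text):
        m = MSG_RE.search(chunk)
        if not m:
            continue  # trailing whitespace or a fragment without a message line
        addr = ADDR_RE.search(chunk)
        chan = CHANNEL_RE.search(chunk)
        events.append({
            "msgid": m.group(1),
            "address": addr.group(1) if addr else "unknown",
            "channel": chan.group(1) if chan else None,
        })
    return events


def summarize(events, threshold=3):
    """Return addresses with at least `threshold` probe-related entries."""
    per_addr = defaultdict(lambda: {"count": 0, "msgids": set(), "channels": set()})
    for e in events:
        if e["msgid"] not in PROBE_IDS:
            continue
        s = per_addr[e["address"]]
        s["count"] += 1
        s["msgids"].add(e["msgid"])
        if e["channel"]:
            s["channels"].add(e["channel"])
    return {a: s for a, s in per_addr.items() if s["count"] >= threshold}


if __name__ == "__main__":
    for addr, s in summarize(parse_entries(SAMPLE_LOG)).items():
        kinds = ", ".join(PROBE_IDS[m] for m in sorted(s["msgids"]))
        print(f"{addr}: {s['count']} entries ({kinds}); channels tried: {sorted(s['channels'])}")
```

Entries that carry no address (AMQ9519 does not report one in the sample) are grouped under `unknown`, so a real deployment would correlate them by timestamp with the `AMQ9777`/`AMQ9776` entries or with the listener's connection events rather than dropping them.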
In order to successfully authenticate to the IBM MQ server, we will need to have the following information prepared upfront:
- Hostname/IP address
- TCP Port, typically `1414/tcp`
- Queue Manager name - easily obtained with nmap's version-detection scripts: `nmap -p 1414 -sV <host>`
- Channel name (can be one of the below listed), at first start with: `SYSTEM.ADMIN.SVRCONN`
- Username (list of default system usernames below)
- Password
Incorrect access credentials will result in `pymqi` returning the following response:
_(in order to view system objects - click "Show System Objects" on upper right side of the MQ Explorer interface)_
```
SYSTEM.ADMIN.SVRCONN
SYSTEM.AUTO.SVRCONN
SYSTEM.DEF.SVRCONN
SYSTEM.DEF.SERVER
SYSTEM.DEF.CLNTCONN
```
### 2) Default UserIds depending on target OS version:
| OS Version | UserId |
|----------------|--------------|
| Linux/Unix/AIX | mqm |
| Windows | MUSR_MQADMIN |
| Other | mqadmin |
### 5) Important Administration QUEUE names:
```
SYSTEM.ADMIN.COMMAND.QUEUE
SYSTEM.DEFAULT.MODEL.QUEUE
SYSTEM.AUTH.DATA.QUEUE
```
### 6) Remote Code Execution
**6.1. Programmable Command Format (PCF) Services**
Being authenticated to the Queue Manager and a corresponding channel, we might be able to execute PCF (_Programmable Command Format_) commands (on MQ v6+) that give us OS command execution by the use of a concept called _services_:
- `MQCMD_CREATE_SERVICE`,
- `MQCMD_START_SERVICE`,
- `MQCMD_STOP_SERVICE`,
- `MQCMD_DELETE_SERVICE`
That holds true as long as our impersonated user has sufficient permissions within OAM (Object Authority Manager) to perform requested PCF operation on the relevant objects.
Using `pymqi` or `punch-mq` this is as simple as invoking following code (source: [punch-mq](https://github.com/sensepost/punch-q/blob/master/libpunchq/cli.py) ):
The incoming command will then most likely be executed as the root user. `punch-mq` does not implement any way of getting the command's result back, so we will have to go blind here, preferably just using a reverse-shell one-liner.
If we wish to have our commands' results back, more code will need to be added to specify an output Queue where PCF should PUT its results, followed by a manual Queue read using the GET operation to retrieve the OS command's outcome. Such a Queue could be created from the `SYSTEM.DEFAULT.MODEL.QUEUE` template. Martyn Ruks goes into detail on that in his paper (ref: 1, page 24).
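Whether the service commands above succeed depends on the OAM authorities the connecting identity holds on service objects. The script below is an added example for auditing that from the defender's side; it is not code from punch-q, pymqi or IBM. It parses text in the layout of `dmpmqaut -m <qmgr> -t service` output and reports any principal or group other than `mqm` that holds an authority allowing services to be defined, changed or started. The record layout and the sample dump are assumptions/constructed; the authority names (`chg`, `crt`, `dlt`, `dsp`, `ctrl` and the `all*` shorthands) are real IBM MQ OAM authorities, and which of them matter for services is encoded as a configurable set rather than stated as IBM's exact mapping.

```python
"""Audit which OAM entities can create, change or control IBM MQ services.

Added example, not from punch-q/pymqi/IBM.  Input is expected in the layout of
`dmpmqaut -m <qmgr> -t service` output (layout assumed); SAMPLE_DUMP is
constructed.
"""
import re

# Authorities that let an entity define, alter, remove or start/stop a service.
# Treated here as a configurable policy rather than IBM's exact requirement table.
SERVICE_CONTROL_AUTHS = {"chg", "crt", "dlt", "ctrl", "alladm", "allmqi", "all"}

# Entities expected to hold those authorities (the MQ administrative group).
TRUSTED_ENTITIES = {("group", "mqm")}

SAMPLE_DUMP = """\
profile:     SYSTEM.DEFAULT.SERVICE
object type: service
entity:      mqm
entity type: group
authority:   chg dlt dsp ctrl

profile:     **
object type: service
entity:      appsvc
entity type: principal
authority:   dsp

profile:     **
object type: service
entity:      deploy
entity type: group
authority:   chg crt dlt dsp ctrl

profile:     APP.*
object type: queue
entity:      deploy
entity type: group
authority:   put get
"""

# One dmpmqaut record: five "key: value" lines, authorities space separated.
RECORD_RE = re.compile(
    r"profile:\s*(?P<profile>\S+)[ \t]*\n"
    r"object type:\s*(?P<otype>\S+)[ \t]*\n"
    r"entity:\s*(?P<entity>\S+)[ \t]*\n"
    r"entity type:\s*(?P<etype>\S+)[ \t]*\n"
    r"authority:\s*(?P<auths>[^\n]*)"
)


def parse_dump(text):
    """Turn dmpmqaut-style text into a list of authority records."""
    return [
        {
            "profile": m["profile"],
            "object_type": m["otype"],
            "entity": m["entity"],
            "entity_type": m["etype"],
            "authorities": set(m["auths"].split()),
        }
        for m in RECORD_RE.finditer(text)
    ]


def risky_service_grants(records):
    """Return (entity_type, entity, profile, authorities) for non-trusted entities
    that hold any service-controlling authority on a service profile."""
    findings = []
    for r in records:
        if r["object_type"] != "service":
            continue
        if (r["entity_type"], r["entity"]) in TRUSTED_ENTITIES:
            continue
        risky = r["authorities"] & SERVICE_CONTROL_AUTHS
        if risky:
            findings.append((r["entity_type"], r["entity"], r["profile"], sorted(risky)))
    return findings


if __name__ == "__main__":
    for etype, entity, profile, auths in risky_service_grants(parse_dump(SAMPLE_DUMP)):
        print(f"{etype} '{entity}' holds {' '.join(auths)} on service profile '{profile}'")
```

A wildcard profile such as `**` granted to a non-administrative group is the case worth chasing first, since it covers every service object on the queue manager, including ones created later.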
**6.2. Use of Triggers**
Martyn Ruks described (ref: 1, page 30) that we may also succeed in invoking system commands by defining event triggers that execute a specified command as soon as a preconfigured event fires our malicious trigger.
1. [Martyn Ruks: WebSphere MQ Security. White Paper – Part 1](https://labs.f-secure.com/assets/141/original/mwri_websphere-mq-security-white-paper-part1_2008-05-06.pdf)