sensepost / punch-q Goto Github PK

View Code? Open in Web Editor NEW

59.0 5.0 13.0 94 KB

👊 A small utility to play with IBM MQ

License: GNU General Public License v3.0

Python 88.75% Makefile 1.62% Go 6.89% Dockerfile 2.55% Shell 0.19%

ibm websphere-mq security ibm-mq mq

punch-q's Introduction

👊 punch-q

A small utility to play with IBM MQ

introduction

punch-q is a small Python utility used to play with IBM MQ instances. Using punch-q, it is possible to perform security related tasks such as manipulating messages on an IBM MQ queue granting one the ability to tamper with business processes at an integration layer.

features

With punch-q, you can:

GET / PUT / SNIFF messages on message queues.
Execute commands using MQ services.
Perform various brute force attacks.

examples

Sniffing messages from a message queue:

Executing commands via MQ services:

installation - docker

A docker container for punch-q exists and can be used with:

docker run --rm -ti leonjza/punch-q

Alternatively the container can be built locally with:

git clone https://github.com/sensepost/punch-q.git
cd punch-q
docker build -t punch-q:local .

Once done, you can run punch-q with (note the tag if you build it yourself):

docker run --rm -ti leonjza/punch-q --help

installation - host

This utility relies on pymqi and needs to be successfully installed for punch-q to work. The installation of pymqi relies on the IBM MQ client utilities to be available which you would need to download from IBM's website first. This Github issue can be used as a reference to install the correct MQ Client libraries.

Alternatively, a hint from this repository means one could just download and extract the archive in the correct location to compile pymqi. This is how the docker container does it.

To get the IBM MQ client for pymqi and punch-q working, you need to:

Download the IBM MQ Client libraries for Linux from IBM's website here. Older versions and ibraries for other operating systems is also available here.
Extract the downloaded archive to /opt/mqm.

Finally, punch-q itself can be installed with:

pip install punch-q

Note: When running punch-q, and you get an error similar to Importing pymqi failed with: libmqic_r.so: cannot open shared object file: No such file or directory!, simply set the LB_LIBRARY_PATH to /opt/mqm/lib64 library with:

export LD_LIBRARY_PATH=/opt/mqm/lib64

osquery table plugin

An osquery table plugin PoC can also be found in this repository here.

license

punch-q is licensed under a GNU General Public v3 License. Permissions beyond the scope of this license may be available at http://sensepost.com/contact/.

punch-q's People

Contributors

Stargazers

Watchers

Forkers

vysecurity ashr w00t3k open-sec cjsatuforc sasqwatch 5l1v3r1 kentyu06 phish tobigrimm mikekilpatrick phantomoverride zemlya25

punch-q's Issues

Multi-queue sniffing

Implement multi-queue sniffing of messages (and saving them to a file).

BUG: Using `--source-string` results in error

When using punch-q from the provided Dockerfile the flag --source-string seems to allways throw an error
ie
punch-q --dump-config --host mq --port 1414 --channel SYSTEM.DEF.SVRCONN --qm_name <QMNAME> --username <USER> --password <PASSWORD> messages push -q '<QUEUENAME>' --source-string 'test'

This results in the following error:

Message (truncated): test
Traceback (most recent call last):
  File "/usr/local/bin/punch-q", line 10, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python3.7/dist-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.7/dist-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.7/dist-packages/click/core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.7/dist-packages/click/core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.7/dist-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.7/dist-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.7/dist-packages/libpunchq/cli.py", line 896, in push
    mqqueue.put(message, put_mqmd, put_opts)
  File "/usr/local/lib/python3.7/dist-packages/pymqi/__init__.py", line 1710, in put
    check_not_py3str(msg)  # Python 3 bytes check
  File "/usr/local/lib/python3.7/dist-packages/pymqi/__init__.py", line 144, in check_not_py3str
    raise TypeError("Python 3 style string found but not allowed here: '{0}'. Convert to bytes.".format(var))
TypeError: Python 3 style string found but not allowed here: 'test'. Convert to bytes.

workaround

Currently, we have been able to workaround this by using process substitution with the --source-file cmd instead ie.
--source-file <(echo 'test')

pymqi.MQMIError: MQI Error. Comp: 2, Reason 2537: FAILED: MQRC_CHANNEL_NOT_AVAILABLE

Hi there,

Looks like a great tool you have there and I love.

However, I run into an error when using it.

pymqi.MQMIError: MQI Error. Comp: 2, Reason 2537: FAILED: MQRC_CHANNEL_NOT_AVAILABLE

I did some googling, it seems that Common causes of this reason code are:
The channel is currently in stopped state.
The channel has been stopped by a channel exit.

The channel seems ok based on what I see.

Any suggestions on how can i resolve this error?

Thank you.

Execution log attached below.

root@kali:~/Desktop/MQTools# punch-q --dump-config --config config.yml discover channels
Effective configuration for this run:

Host:
Port: 1414
Queue Manager Name: None
Channel: None
Username: None
Password: None

Traceback (most recent call last):
File "/usr/local/bin/punch-q", line 11, in
sys.exit(cli())
File "/usr/lib/python2.7/dist-packages/click/core.py", line 722, in call
return self.main(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/click/core.py", line 697, in main
rv = self.invoke(ctx)
File "/usr/lib/python2.7/dist-packages/click/core.py", line 1066, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/usr/lib/python2.7/dist-packages/click/core.py", line 1066, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/usr/lib/python2.7/dist-packages/click/core.py", line 895, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/lib/python2.7/dist-packages/click/core.py", line 535, in invoke
return callback(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/libpunchq/cli.py", line 273, in channels
raise ce
pymqi.MQMIError: MQI Error. Comp: 2, Reason 2537: FAILED: MQRC_CHANNEL_NOT_AVAILABLE

"SYSTEM.AUTO.SVRCONN" might exist, but wants SSL

Hi everyone ,

I was trying to discover channels with the command :

punch-q --host 127.0.0.1 --port 1423 discover channels

but I think there is a mutual SSL certificate required, so I was wondering if there is a flag to
use a specific SSL certificate

Raised errors (invalid arguments to pymqi)

Hello,

With last release of punch-q (Without docker), I have an error by using messages dump, messages sniff (With or without -q myqueue) or command execute:

raise TypeError('Invalid arguments: %r' % [queue_manager, channel, conn_info, user, password])
TypeError: Invalid arguments: [None, None, 'IP(PORT)', None, None]

Is it a bug or am I missing something in configuration ?

Detailed information

Can you please make a more detailed explanation about the tool ?

Best Regards