punch-q
is a small Python utility used to play with IBM MQ instances. Using punch-q
, it is possible to perform security related tasks such as manipulating messages on an IBM MQ queue granting one the ability to tamper with business processes at an integration layer.
With punch-q
, you can:
- GET / PUT / SNIFF messages on message queues.
- Execute commands using MQ services.
- Perform various brute force attacks.
Sniffing messages from a message queue:
Executing commands via MQ services:
A docker container for punch-q
exists and can be used with:
docker run --rm -ti leonjza/punch-q
Alternatively the container can be built locally with:
git clone https://github.com/sensepost/punch-q.git
cd punch-q
docker build -t punch-q:local .
Once done, you can run punch-q
with (note the tag if you build it yourself):
docker run --rm -ti leonjza/punch-q --help
This utility relies on pymqi and needs to be successfully installed for punch-q
to work. The installation of pymqi
relies on the IBM MQ client utilities to be available which you would need to download from IBM's website first. This Github issue can be used as a reference to install the correct MQ Client libraries.
Alternatively, a hint from this repository means one could just download and extract the archive in the correct location to compile pymqi
. This is how the docker container does it.
To get the IBM MQ client for pymqi
and punch-q
working, you need to:
- Download the IBM MQ Client libraries for Linux from IBM's website here. Older versions and ibraries for other operating systems is also available here.
- Extract the downloaded archive to
/opt/mqm
.
Finally, punch-q
itself can be installed with:
pip install punch-q
Note: When running punch-q
, and you get an error similar to Importing pymqi failed with: libmqic_r.so: cannot open shared object file: No such file or directory!
, simply set the LB_LIBRARY_PATH
to /opt/mqm/lib64 library with:
export LD_LIBRARY_PATH=/opt/mqm/lib64
An osquery table plugin PoC can also be found in this repository here.
punch-q
is licensed under a GNU General Public v3 License. Permissions beyond the scope of this license may be available at http://sensepost.com/contact/.