IBM WebSphere MQ Login Check - Metasploit


This page contains detailed information about how to use the auxiliary/scanner/misc/ibm_mq_login Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: IBM WebSphere MQ Login Check
Module: auxiliary/scanner/misc/ibm_mq_login
Source code: modules/auxiliary/scanner/misc/ibm_mq_login.rb
Disclosure date: -
Last modification time: 2019-08-15 18:10:44 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 1414
List of CVEs: -

This module can be used to bruteforce usernames that can be used to connect to a queue manager. The name of a valid server-connection channel without SSL configured is required, as well as a list of usernames to try.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage


This module is a scanner module, and is capable of testing against multiple hosts.

msf > use auxiliary/scanner/misc/ibm_mq_login
msf auxiliary(ibm_mq_login) > show options
    ... show and set options ...
msf auxiliary(ibm_mq_login) > set RHOSTS ip-range
msf auxiliary(ibm_mq_login) > exploit

Other examples of setting the RHOSTS option:

Example 1:

msf auxiliary(ibm_mq_login) > set RHOSTS 192.168.1.3-192.168.1.200 

Example 2:

msf auxiliary(ibm_mq_login) > set RHOSTS 192.168.1.1/24

Example 3:

msf auxiliary(ibm_mq_login) > set RHOSTS file:/tmp/ip_list.txt

Required Options


  • RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

  • USERNAMES_FILE: The file that contains a list of usernames. UserIDs are case insensitive!

Knowledge Base


Vulnerable Application


  • IBM Downloads page: https://developer.ibm.com/messaging/mq-downloads/
  • Tested on IBM MQ 7.5, 8 and 9
  • Usage:
    • Download and install MQ Server from the above link
    • Create a new Queue Manager
    • Create a new channel (without SSL)
    • Allow remote connections for admin users, either by removing the CHLAUTH record that denies all users or by configuring access for a specific username.
    • Run the module

Verification Steps


  1. Install IBM MQ Server 7.5, 8, or 9
  2. Start msfconsole
  3. Do: use auxiliary/scanner/misc/ibm_mq_login
  4. Do: set channel <admin_channel_name_without_ssl>
  5. Do: set queue_manager <queue_manager_name>
  6. Do: set usernames_file <list_of_usernames>
  7. Do: set rhosts <target_IP>
  8. Do: set rport <port>
  9. Do: run

Options


USERNAMES_FILE

This option should contain the path to a text file which contains a list of usernames that will be checked. One username per line.

QUEUE_MANAGER

This option should contain the name of the target Queue Manager.

CHANNEL

This option should contain the name of a server-connection channel that will be used to connect to the Queue Manager.

Scenarios


This module can be used to identify a list of usernames that are allowed to connect to the Queue Manager. It requires the name of a valid server-connection channel and the Queue Manager's name, which can be obtained by running the following two modules:

  • auxiliary/scanner/misc/ibm_mq_channel_brute
  • auxiliary/scanner/misc/ibm_mq_enum

After identifying a valid username, MQ Explorer can be used to connect to the Queue Manager using the information gathered.

msf auxiliary(scanner/misc/ibm_mq_login) > run

[*] 10.1.1.10:1416        - Found username: admin
[*] 10.1.1.10:1416        - Found username: test

[+] 10.1.1.10:1416        - 10.1.1.10:1416 Valid usernames found: ["admin", "test"]

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


Msfconsole Usage


Here is how the scanner/misc/ibm_mq_login auxiliary module looks in the msfconsole:

msf6 > use auxiliary/scanner/misc/ibm_mq_login

msf6 auxiliary(scanner/misc/ibm_mq_login) > show info

       Name: IBM WebSphere MQ Login Check
     Module: auxiliary/scanner/misc/ibm_mq_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Petros Koutroumpis

Check supported:
  No

Basic options:
  Name            Current Setting       Required  Description
  ----            ---------------       --------  -----------
  CHANNEL         SYSTEM.ADMIN.SVRCONN  yes       Channel to use
  CONCURRENCY     10                    yes       The number of usernames to check concurrently
  PASSWORD                              no        Optional password to attempt with login
  QUEUE_MANAGER                         yes       Queue Manager name to use
  RHOSTS                                yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT           1414                  yes       The target port (TCP)
  THREADS         1                     yes       The number of concurrent threads (max one per host)
  TIMEOUT         5                     yes       The socket connect timeout in seconds
  USERNAMES_FILE                        yes       The file that contains a list of usernames. UserIDs are case insensitive!

Description:
  This module can be used to bruteforce usernames that can be used to 
  connect to a queue manager. The name of a valid server-connection 
  channel without SSL configured is required, as well as a list of 
  usernames to try.

Module Options


This is a complete list of options available in the scanner/misc/ibm_mq_login auxiliary module:

msf6 auxiliary(scanner/misc/ibm_mq_login) > show options

Module options (auxiliary/scanner/misc/ibm_mq_login):

   Name            Current Setting       Required  Description
   ----            ---------------       --------  -----------
   CHANNEL         SYSTEM.ADMIN.SVRCONN  yes       Channel to use
   CONCURRENCY     10                    yes       The number of usernames to check concurrently
   PASSWORD                              no        Optional password to attempt with login
   QUEUE_MANAGER                         yes       Queue Manager name to use
   RHOSTS                                yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT           1414                  yes       The target port (TCP)
   THREADS         1                     yes       The number of concurrent threads (max one per host)
   TIMEOUT         5                     yes       The socket connect timeout in seconds
   USERNAMES_FILE                        yes       The file that contains a list of usernames. UserIDs are case insensitive!

Advanced Options


Here is a complete list of advanced options supported by the scanner/misc/ibm_mq_login auxiliary module:

msf6 auxiliary(scanner/misc/ibm_mq_login) > show advanced

Module advanced options (auxiliary/scanner/misc/ibm_mq_login):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   CHOST                                 no        The local client address
   CPORT                                 no        The local client port
   ConnectTimeout       10               yes       Maximum number of seconds to establish a TCP connection
   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
   SSL                  false            no        Negotiate SSL/TLS for outgoing connections
   SSLCipher                             no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
   SSLVerifyMode        PEER             no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
   SSLVersion           Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   ShowProgress         true             yes       Display progress messages during a scan
   ShowProgressPercent  10               yes       The interval in percent that progress should be shown
   VERBOSE              false            no        Enable detailed status messages
   WORKSPACE                             no        Specify the workspace for this module

Auxiliary Actions


This is a list of all auxiliary actions that the scanner/misc/ibm_mq_login module can do:

msf6 auxiliary(scanner/misc/ibm_mq_login) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options


Here is the full list of possible evasion options supported by the scanner/misc/ibm_mq_login auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(scanner/misc/ibm_mq_login) > show evasion

Module evasion options:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   TCP::max_send_size  0                no        Maxiumum tcp segment size.  (0 = disable)
   TCP::send_delay     0                no        Delays inserted before every send.  (0 = disable)


Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

Channel name cannot be more that 20 characters.


Here is a relevant code snippet related to the "Channel name cannot be more that 20 characters." error message:

30:	  end
31:	
32:	  def run_host(ip)
33:	    @usernames = []
34:	    if datastore['CHANNEL'].length.to_i > 20
35:	      print_error("Channel name cannot be more that 20 characters.")
36:	      exit
37:	    end
38:	    if datastore['QUEUE_MANAGER'].length.to_i > 48
39:	     print_error("Queue Manager name cannot be more that 48 characters.")
40:	     exit

Queue Manager name cannot be more that 48 characters.


Here is a relevant code snippet related to the "Queue Manager name cannot be more that 48 characters." error message:

34:	    if datastore['CHANNEL'].length.to_i > 20
35:	      print_error("Channel name cannot be more that 20 characters.")
36:	      exit
37:	    end
38:	    if datastore['QUEUE_MANAGER'].length.to_i > 48
39:	     print_error("Queue Manager name cannot be more that 48 characters.")
40:	     exit
41:	    end
42:	    begin
43:	      username_list
44:	      rescue ::Rex::ConnectionError

<IP>:<RPORT> No valid users found.


Here is a relevant code snippet related to the "<IP>:<RPORT> No valid users found." error message:

45:	      rescue ::Exception => e
46:	        print_error("#{e} #{e.backtrace}")
47:	      end
48:	      print_line
49:	      if(@usernames.empty?)
50:	        print_status("#{ip}:#{rport} No valid users found.")
51:	      else
52:	        print_good("#{ip}:#{rport} Valid usernames found: #{@usernames}")
53:	        report_note(
54:	          :host => rhost,
55:	          :port => rport,

Passwords greater than 12 characters are unsupported. Truncating...


Here is a relevant code snippet related to the "Passwords greater than 12 characters are unsupported. Truncating..." error message:

163:	    if datastore['PASSWORD'].nil?
164:	      password = "\x00" * 12
165:	    else
166:	      password = datastore['PASSWORD']
167:	      if (password.length > 12)
168:	        print_warning("Passwords greater than 12 characters are unsupported.  Truncating...")
169:	        password = password[0..12]
170:	      end
171:	      password = password + ( "\x00" * (12-password.length) )
172:	    end
173:	    vprint_status("Using password: '#{password}' (Length: #{password.length})")

Channel name must be less than 20 characters.


Here is a relevant code snippet related to the "Channel name must be less than 20 characters." error message:

241:	          t << framework.threads.spawn("Module(#{self.refname})-#{rhost}:#{rport}", false, this_username) do |username|
242:	            connect
243:	            vprint_status "#{rhost}:#{rport} - Sending request for #{username}..."
244:	            channel = datastore['CHANNEL']
245:	            if channel.length > 20
246:	              print_error("Channel name must be less than 20 characters.")
247:	              next
248:	            end
249:	            channel += "\x20" * (20-channel.length.to_i) # max channel name length is 20
250:	            qm_name = datastore['QUEUE_MANAGER']
251:	            if qm_name.length > 48

Queue Manager name must be less than 48 characters.


Here is a relevant code snippet related to the "Queue Manager name must be less than 48 characters." error message:

247:	              next
248:	            end
249:	            channel += "\x20" * (20-channel.length.to_i) # max channel name length is 20
250:	            qm_name = datastore['QUEUE_MANAGER']
251:	            if qm_name.length > 48
252:	              print_error("Queue Manager name must be less than 48 characters.")
253:	              next
254:	            end
255:	            qm_name += "\x20" * (48-qm_name.length.to_i) # max queue manager name length is 48
256:	            if username.length > 12
257:	              print_error("Username must be less than 12 characters.")

Username must be less than 12 characters.


Here is a relevant code snippet related to the "Username must be less than 12 characters." error message:

252:	              print_error("Queue Manager name must be less than 48 characters.")
253:	              next
254:	            end
255:	            qm_name += "\x20" * (48-qm_name.length.to_i) # max queue manager name length is 48
256:	            if username.length > 12
257:	              print_error("Username must be less than 12 characters.")
258:	              next
259:	            end
260:	            uname = username + "\x20" * (64-username.length.to_i)
261:	            userid = username + "\x20" * (12 - username.length.to_i) # this doesnt make a difference
262:	            timeout = datastore['TIMEOUT'].to_i

Channel needs to be MQI type!


Here is a relevant code snippet related to the "Channel needs to be MQI type!" error message:

267:	              }
268:	            )
269:	            s.put(first_packet(channel,qm_name))
270:	            first_response = s.get_once(-1,timeout)
271:	            if first_response[-4..-1] == "\x00\x00\x00\x02" # CHANNEL_WRONG_TYPE code
272:	              print_error("Channel needs to be MQI type!")
273:	              next
274:	            end
275:	            s.put(second_packet(channel,qm_name))
276:	            second_response = s.get_once(-1,timeout)
277:	            s.put(send_userid(userid,uname))


See Also


Check also the following modules related to this module:

Authors


Petros Koutroumpis

Version


This page has been produced using Metasploit Framework version 6.2.7-dev. For more modules, visit the Metasploit Module Library.
