{"id":19144082,"url":"https://github.com/sensepost/punch-q","last_synced_at":"2025-04-16T01:23:29.153Z","repository":{"id":52925044,"uuid":"134721306","full_name":"sensepost/punch-q","owner":"sensepost","description":"👊 A small utility to play with IBM MQ","archived":false,"fork":false,"pushed_at":"2023-05-23T11:14:41.000Z","size":94,"stargazers_count":58,"open_issues_count":2,"forks_count":13,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-05-02T05:05:58.568Z","etag":null,"topics":["ibm","ibm-mq","mq","security","websphere-mq"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sensepost.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-05-24T13:44:54.000Z","updated_at":"2024-06-21T17:36:35.151Z","dependencies_parsed_at":"2024-06-21T17:52:01.171Z","dependency_job_id":null,"html_url":"https://github.com/sensepost/punch-q","commit_stats":{"total_commits":52,"total_committers":2,"mean_commits":26.0,"dds":"0.019230769230769273","last_synced_commit":"185521d1c739ff91ee23d108b01f09f044518279"},"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sensepost%2Fpunch-q","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sensepost%2Fpunch-q/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sensepost%2Fpunch-q/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sensepost%2Fpunch-q/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sensepost","download_url":"https://codeload.github.com/sensepost/punch-q/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249179711,"owners_count":21225587,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ibm","ibm-mq","mq","security","websphere-mq"],"created_at":"2024-11-09T07:33:39.821Z","updated_at":"2025-04-16T01:23:29.134Z","avatar_url":"https://github.com/sensepost.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003e\n  \u003cbr\u003e\n    👊 punch-q\n  \u003cbr\u003e\n  \u003cbr\u003e\n\u003c/h1\u003e\n\n\u003ch4 align=\"center\"\u003eA small utility to play with IBM MQ\u003c/h4\u003e\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://twitter.com/leonjza\"\u003e\u003cimg src=\"https://img.shields.io/badge/twitter-%40leonjza-blue.svg\" alt=\"@leonjza\" height=\"18\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://pypi.python.org/pypi/punch-q\"\u003e\u003cimg src=\"https://badge.fury.io/py/punch-q.svg\" alt=\"PyPI version\" height=\"18\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://hub.docker.com/r/leonjza/punch-q\"\u003e\u003cimg alt=\"Docker Cloud Build Status\" src=\"https://img.shields.io/docker/cloud/build/leonjza/punch-q\" height=\"18\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\u003cbr\u003e\n\n## introduction\n\n`punch-q` is a small Python utility used to play with IBM MQ instances. Using `punch-q`, it is possible to perform  security related tasks such as manipulating messages on an IBM MQ queue granting one the ability to tamper with business processes at an integration layer.\n\n## features\n\nWith `punch-q`, you can:\n\n- GET / PUT / SNIFF messages on message queues.\n- Execute commands using MQ services.\n- Perform various brute force attacks.\n\n### examples\n\nSniffing messages from a message queue:\n\n![message sniff](https://i.imgur.com/sAt2v1U.png)\n\nExecuting commands via MQ services:\n\n![command execution](https://i.imgur.com/vEvRem0.png)\n\n## installation - docker\n\nA docker container for `punch-q` exists and can be used with:\n\n```text\ndocker run --rm -ti leonjza/punch-q\n```\n\nAlternatively the container can be built locally with:\n\n```text\ngit clone https://github.com/sensepost/punch-q.git\ncd punch-q\ndocker build -t punch-q:local .\n```\n\nOnce done, you can run `punch-q` with (note the tag if you build it yourself):\n\n```text\ndocker run --rm -ti leonjza/punch-q --help\n```\n\n## installation - host\n\nThis utility relies on [pymqi](https://github.com/dsuch/pymqi) and needs to be successfully installed for `punch-q` to work. The installation of `pymqi` relies on the IBM MQ client utilities to be available which you would need to download from IBM's website first. [This](https://github.com/dsuch/pymqi/issues/15#issuecomment-124772995) Github issue can be used as a reference to install the correct MQ Client libraries.\n\nAlternatively, a hint from [this](https://github.com/ibm-messaging/mq-golang/blob/master/Dockerfile#L53-L62) repository means one could just download and extract the archive in the correct location to compile `pymqi`. This is how the docker container does it.\n\nTo get the IBM MQ client for `pymqi` and `punch-q` working, you need to:\n\n- Download the IBM MQ Client libraries for Linux from IBM's website [here](https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/messaging/mqdev/redist/9.1.4.0-IBM-MQC-Redist-LinuxX64.tar.gz). Older versions and ibraries for other operating systems is also available [here](https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/messaging/mqdev/redist/).\n- Extract the downloaded archive to `/opt/mqm`.\n\nFinally, `punch-q` itself can be installed with:\n\n```bash\npip install punch-q\n```\n\n*Note:* When running `punch-q`, and you get an error similar to `Importing pymqi failed with: libmqic_r.so: cannot open shared object file: No such file or directory!`, simply set the `LB_LIBRARY_PATH` to /opt/mqm/lib64 library with:\n\n```bash\nexport LD_LIBRARY_PATH=/opt/mqm/lib64\n```\n\n## osquery table plugin\n\nAn osquery table plugin PoC can also be found in this repository [here](https://github.com/sensepost/punch-q/tree/master/osquery-mqtable).\n\n## license\n\n`punch-q` is licensed under a [GNU General Public v3 License](https://www.gnu.org/licenses/gpl-3.0.en.html). Permissions beyond the scope of this license may be available at [http://sensepost.com/contact/](http://sensepost.com/contact/).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsensepost%2Fpunch-q","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsensepost%2Fpunch-q","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsensepost%2Fpunch-q/lists"}