MSMQ Nmap service probe

README.md

MSMQ Nmap service probe

⚠️ Disclaimer: testing of this probe is limited and the MSMQ protocol is proprietary and undocumented. Use this probe at your own risk. ⚠️

Nmap currently has no way to detect whether the service running on TCP port 1801 is Microsoft Message Queuing (MSMQ). The file msmq-service-probe here has been developed to give Nmap the capability to detect MSMQ. The objective is to help identify assets with MSMQ exposed, that may be vulnerable to CVE-2023-21554, aka QueueJumper.

This works by sending a MSMQ packet to port 1801 and checking if the response matches an expected fingerprint.

You can run this probe as follows:

nmap -Pn -n -v -p1801 -sV --versiondb msmq-service-probe 127.0.0.1

If the service running on the port is MSMQ, Nmap will output the following:

PORT     STATE SERVICE VERSION
1801/tcp open  msmq    Microsoft MQ

If the server is not MSMQ this is printed instead:

PORT     STATE SERVICE VERSION
1801/tcp open  msmq?

msmq-service-probe

# Nmap service detection probe list -*- mode: fundamental; -*-
#
# This is a database of custom probes and expected responses that the
# Nmap Security Scanner ( https://nmap.org ) uses to
# identify what services (eg http, smtp, dns, etc.) are listening on
# open ports.  Contributions to this database are welcome.
# Instructions for obtaining and submitting service detection fingerprints can
# be found in the Nmap Network Scanning book and online at
# https://nmap.org/book/vscan-community.html
#
# For details on how Nmap version detection works, why it was added,
# the grammar of this file, and how to detect and contribute new
# services, see https://nmap.org/book/vscan.html.

Exclude T:9100-9107

##############################NEXT PROBE##############################
# Microsoft MQ probe
Probe TCP NULL q|\x10\0\x0b\0\x4c\x49\x4f\x52\x3c\x02\0\0\xff\xff\xff\xff\0\0\x02\0\x06\x55\x3d\x51\x36\xdf\xc7\x40\x96\x43\x17\x5c\x3c\xe7\x6c\xaa\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xd2\x29\x1d\x06\x10\x03\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0|

ports 1801

match msmq m|^\x10\x5a\x0b\0\x4c\x49\x4f\x52\x3c\x02\0\0\xff\xff\xff\xff\0\0\x02\0\x06\x55\x3d\x51\x36\xdf\xc7\x40\x96\x43\x17\x5c\x3c\xe7\x6c\xaa| p/Microsoft MQ/
# .*ZZZ$ should end the regex, but detection fails in some cases with this. Unsure why

totalwaitms 6000