Message Brokers Penetration Test

Júnior Carreiro, published in Sinch Blog, Apr 15, 2021

What is SMPP?

How does it work?

The SMPP protocol is a set of operations, each taking the form of a request and response Protocol Data Unit (PDU) containing an SMPP command. For example, if an External Short Message Entity (ESME) wishes to submit a short message, it may send a submit_sm PDU to the Message Centre (MC). The MC responds with a submit_sm_resp PDU, indicating the success or failure of the request. Likewise, if an MC wishes to deliver a message to an ESME, it may send a deliver_sm PDU to the ESME, which in turn responds with a deliver_sm_resp PDU to acknowledge the delivery.
Some operations are specific to the ESME, others to the MC, and others to a given session type. Referring to the submit_sm and deliver_sm examples above, an ESME may send a submit_sm to an MC only if it has established a TX or TRX session with that Message Centre. Likewise, an MC may send deliver_sm PDUs only to ESMEs that have established RX or TRX sessions.

Operations are broadly categorized into the following groups:

  • Session Management — These operations are designed to enable the establishment of SMPP sessions between an ESME and MC and provide means of handling unexpected errors.
  • Message Submission — These operations are explicitly designed for the submission of messages from ESME(s) to the MC.
  • Message Delivery — These operations enable an MC to deliver messages to the ESME.
  • Message Broadcast — These operations are designed to provide Cell Broadcast service within a Message Centre.
  • Ancillary Operations — These operations are designed to provide enhanced features such as cancellation, query, or replacement of messages.

PDU format

The SMPP PDUs are binary encoded for efficiency. They start with a header which may be followed by a body:

PDU header

Each PDU starts with a header. The header consists of 4 fields, each 4 octets long:

  • command_length — The overall length of the PDU in octets (including the command_length field itself); must be ≥ 16, as every PDU contains the 16-octet header
  • command_id — Identifies the SMPP operation (or command). If the most significant bit is cleared, this is a request; otherwise, it is a response.
  • command_status — Always 0 in requests; in responses, it carries the result of the operation
  • sequence_number — Correlates requests and responses within an SMPP session, which allows asynchronous communication (using a sliding window)

All numeric fields in SMPP use the big endian order, which means that the first octet is the Most Significant Byte (MSB).
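The header rules above are exactly what a receiving implementation has to enforce before it touches a body: a big-endian 16-octet header, a command_length that is never below 16 or beyond the bytes actually received, a zero command_status in requests, and the response bit in command_id for matching replies to their sequence_number. The following Python is an added example written for this post, not code from the article or from any SMPP library; the command ids for submit_sm (0x00000004) and its response come from the SMPP specification, while the PDU body and sequence numbers are constructed placeholders.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

HEADER_LEN = 16            # four 4-octet fields: command_length, command_id, command_status, sequence_number
RESPONSE_BIT = 0x80000000  # most significant bit of command_id set => response PDU

# Command ids from the SMPP specification for the two operations the text uses as examples.
SUBMIT_SM = 0x00000004
DELIVER_SM = 0x00000005
ESME_ROK = 0x00000000      # command_status meaning "no error"


@dataclass
class PduHeader:
    command_length: int
    command_id: int
    command_status: int
    sequence_number: int

    @property
    def is_response(self) -> bool:
        return bool(self.command_id & RESPONSE_BIT)

    @property
    def request_id(self) -> int:
        """command_id with the response bit cleared, so a response can be matched to its request."""
        return self.command_id & 0x7FFFFFFF


def encode_pdu(command_id: int, sequence_number: int, body: bytes = b"",
               command_status: int = ESME_ROK) -> bytes:
    """Serialise one PDU: big-endian 16-octet header followed by the optional body."""
    if command_status != ESME_ROK and not command_id & RESPONSE_BIT:
        raise ValueError("command_status must be 0 in a request")
    header = struct.pack(">IIII", HEADER_LEN + len(body), command_id,
                         command_status, sequence_number)
    return header + body


def parse_pdu(data: bytes) -> Tuple[PduHeader, bytes]:
    """Parse one PDU from the front of `data`, enforcing the header rules before reading the body."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated header")
    hdr = PduHeader(*struct.unpack(">IIII", data[:HEADER_LEN]))
    if hdr.command_length < HEADER_LEN:
        raise ValueError(f"command_length {hdr.command_length} is below the 16-octet minimum")
    if hdr.command_length > len(data):
        raise ValueError("command_length claims more octets than were received")
    if not hdr.is_response and hdr.command_status != ESME_ROK:
        raise ValueError("request PDU carries a non-zero command_status")
    return hdr, data[HEADER_LEN:hdr.command_length]


def is_valid_pdu(data: bytes) -> bool:
    """Accept/reject wrapper around parse_pdu for callers that only need a decision."""
    try:
        parse_pdu(data)
        return True
    except ValueError:
        return False


def submit_sm_exchange(sequence_number: int, body: bytes) -> Tuple[PduHeader, PduHeader]:
    """Model the submit_sm / submit_sm_resp round trip from the text: the ESME sends a request,
    the MC answers with the same sequence_number and the response bit set in command_id."""
    request = encode_pdu(SUBMIT_SM, sequence_number, body)
    req_hdr, _ = parse_pdu(request)
    # The MC echoes sequence_number so the ESME can correlate the reply inside its sliding window.
    response = encode_pdu(SUBMIT_SM | RESPONSE_BIT, req_hdr.sequence_number)
    resp_hdr, _ = parse_pdu(response)
    if resp_hdr.request_id != req_hdr.command_id or resp_hdr.sequence_number != req_hdr.sequence_number:
        raise RuntimeError("response does not correlate with the request")
    return req_hdr, resp_hdr


if __name__ == "__main__":
    # Constructed body: a real submit_sm body carries many fields; a placeholder shows the framing.
    req, resp = submit_sm_exchange(7, b"\x00placeholder\x00")
    print(req)
    print(resp)
```

The length checks matter most from a defensive standpoint: a command_length below 16 or larger than the received buffer is the classic way a malformed PDU turns into an out-of-bounds read in a hand-written parser, so the parser rejects it before slicing the body.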

What are Apache Kafka and RabbitMQ?

Apache Kafka and RabbitMQ are two open-source and commercially-supported pub/sub systems, readily adopted by enterprises. RabbitMQ is an older tool released in 2007 and was a primary component in messaging and SOA systems. Today it is also being used for streaming use cases. Kafka is a newer tool, released in 2011, which, from the onset, was built for streaming scenarios.

RabbitMQ is a general-purpose message broker that supports protocols including MQTT, AMQP, and STOMP. It can deal with high-throughput use cases, such as online payment processing. It can handle background jobs or act as a message broker between microservices.

Kafka is a message bus developed for high-ingress data replay and streams. Kafka is a durable message broker that enables applications to process, persist and re-process streamed data. Kafka has a straightforward routing approach that uses a routing key to send messages to a topic.

Understanding environment

As with other products and applications, Kafka and RabbitMQ come with security recommendations for installation and for the period after installation.
Ignoring these recommendations is dangerous if the application is exposed to the Internet, because attackers' tools will probe for exactly these configuration mistakes to steal information.
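For Kafka, the recommendations in question are concrete broker settings, so an auditor can check a server.properties file mechanically. The Python below is an added example written for this post (not code from the article or from the Kafka project): it reads a constructed weak configuration beside a constructed hardened one and reports the settings that leave the broker open. The setting names (listeners, authorizer.class.name, allow.everyone.if.no.acl.found, ssl.client.auth, sasl.enabled.mechanisms) are real Kafka broker properties; the values and the broker.id are invented for the example.

```python
from typing import Dict, List, Tuple

# Constructed sample configs: a broker left on defaults that are dangerous when reachable from
# the Internet, and the same broker after the recommended hardening. Not taken from any real host.
WEAK_CONFIG = """\
broker.id=0
# anyone who can reach the port can produce and consume without credentials
listeners=PLAINTEXT://0.0.0.0:9092
allow.everyone.if.no.acl.found=true
"""

HARDENED_CONFIG = """\
broker.id=0
listeners=SASL_SSL://0.0.0.0:9093
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-512
ssl.client.auth=required
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-properties reader: key=value lines; '#' comments and blank lines are ignored."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit_kafka_config(text: str) -> List[Tuple[str, str]]:
    """Return (setting, finding) pairs for settings that undo Kafka's security recommendations."""
    props = parse_properties(text)
    findings: List[Tuple[str, str]] = []
    listeners = [l.strip() for l in props.get("listeners", "").split(",") if l.strip()]
    for listener in listeners:
        proto = listener.upper()
        if proto.startswith("PLAINTEXT://"):
            findings.append(("listeners", f"{listener}: no authentication and no encryption"))
        elif proto.startswith("SASL_PLAINTEXT://"):
            findings.append(("listeners", f"{listener}: credentials and data travel unencrypted"))
        elif proto.startswith("SSL://") and props.get("ssl.client.auth", "none") != "required":
            findings.append(("ssl.client.auth",
                             f"{listener}: TLS listener does not require client certificates"))
    if "authorizer.class.name" not in props:
        findings.append(("authorizer.class.name", "no authorizer configured: ACLs are never evaluated"))
    if props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append(("allow.everyone.if.no.acl.found",
                         "topics without an ACL are open to every principal"))
    return findings


def weak_settings(text: str) -> List[str]:
    """Sorted, de-duplicated names of the offending settings, for a one-line summary."""
    return sorted({key for key, _ in audit_kafka_config(text)})


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_kafka_config(cfg) or 'no findings'}")
```

Run against the weak sample it flags the PLAINTEXT listener, the missing authorizer and the permissive ACL fallback; the hardened sample produces no findings. The same three checks are what a broker exposed on 9092 is usually missing when kafkacat can list and read topics without credentials.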

Tools

Kafkacat

kafkacat is a generic producer and consumer for Apache Kafka and can be thought of as a netcat for Kafka.
You can run it as a Docker container or install a binary on your machine.

We get an extensive list when we execute $ kafkacat -h, but in summary the help output shows us some examples like:

RabbitMQ

In this case, I use rabbitmqctl instead of a dedicated penetration-testing tool.
rabbitmqctl is the original CLI tool that ships with RabbitMQ. It supports a wide range of operations, mostly administrative (operational) in nature.

This includes

  • Stopping node
  • Access to node status, effective configuration, health checks
  • Virtual host management
  • User and permission management
  • Policy management
  • Listing queues, connections, channels, exchanges, consumers
  • Cluster membership management

and more.

Other things we can do are:

  • Verify whether the web console is accessible
  • Verify whether the default user “guest” is enabled
  • With valid credentials in our hands, check whether port 15672 is open and query http://domain.com:15672/api/connections
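The /api/connections call mentioned in the last bullet returns JSON describing every live client connection, which makes it a good place to confirm two of the recommendations above on a broker you operate: that the default guest account is not in use (RabbitMQ only permits guest over loopback by default) and that clients connect over TLS. The Python below is an added example written for this post, not code from the article or from RabbitMQ; the field names (name, user, vhost, peer_host, ssl, protocol) are assumed from the management plugin's output, and the connection records themselves are constructed.

```python
import base64
import json
import urllib.request
from typing import Any, Dict, List, Tuple

# Constructed sample shaped like the management API's /api/connections output. Field names are
# assumed from the RabbitMQ management plugin; hosts, users and vhosts are invented.
SAMPLE_CONNECTIONS: List[Dict[str, Any]] = [
    {"name": "203.0.113.7:51234 -> 10.0.0.2:5672", "user": "guest", "vhost": "/",
     "peer_host": "203.0.113.7", "ssl": False, "protocol": "AMQP 0-9-1"},
    {"name": "10.0.0.9:40022 -> 10.0.0.2:5671", "user": "orders-svc", "vhost": "/orders",
     "peer_host": "10.0.0.9", "ssl": True, "protocol": "AMQP 0-9-1"},
    {"name": "127.0.0.1:36000 -> 127.0.0.1:5671", "user": "guest", "vhost": "/",
     "peer_host": "127.0.0.1", "ssl": True, "protocol": "AMQP 0-9-1"},
]

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def audit_connections(connections: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (connection name, issue) pairs for guest logins and non-TLS connections."""
    findings: List[Tuple[str, str]] = []
    for conn in connections:
        name = conn.get("name", "<unnamed>")
        if conn.get("user") == "guest":
            peer = conn.get("peer_host")
            where = "from loopback" if peer in LOOPBACK else f"from remote host {peer}"
            findings.append((name, f"default 'guest' account in use {where}"))
        if conn.get("ssl") is False:
            proto = conn.get("protocol", "AMQP")
            findings.append((name, f"{proto} connection is not TLS-protected"))
    return findings


def fetch_connections(base_url: str, username: str, password: str, timeout: float = 5.0):
    """Pull the live list from a management endpoint such as http://domain.com:15672 with
    HTTP basic auth. Not exercised by the constructed sample above; prefer an https:// base_url."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/connections")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for conn_name, issue in audit_connections(SAMPLE_CONNECTIONS):
        print(f"{conn_name}: {issue}")
```

A guest login from a non-loopback peer_host is the finding to escalate first, since it means the default account has been deliberately opened to the network; the non-TLS finding is what the broker's listener configuration should be fixed to prevent.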

Conclusion

I spent a lot of time searching for and understanding these topics and looking for tools.
I hope this summary helps everyone who needs to execute a penetration test in a message broker environment, or anyone who wants to learn a little more about it.
So, feel free to contact me to clear up any doubts or exchange experiences.

Twitter: @_jrcarreiro
Linkedin: https://t.co/M1eDyI0imX?amp=1

