davehardy20 · September 26, 2023 11:04 · Apr 13, 2023 · Apr 13, 2023 · Apr 13, 2023
diff --git a/README.md b/README.md
@@ -0,0 +1,31 @@
+MSMQ Nmap service probe
+=======================
+
+⚠️ Disclaimer: testing of this probe is limited and the MSMQ protocol is proprietary and undocumented. Use this probe at your own risk. ⚠️
+
+Nmap currently has no way to detect whether the service running on TCP port 1801 is [Microsoft Message Queuing (MSMQ)][wikipedia_msmq]. The file `msmq-service-probe` here has been developed to give Nmap the capability to detect MSMQ. The objective is to help identify assets with MSMQ exposed, that may be vulnerable to [CVE-2023-21554][nist_cve_2023_21554], aka QueueJumper.
+
+This works by sending a MSMQ packet to port 1801 and checking if the response matches an expected fingerprint.
+
+You can run this probe as follows:
+
+```
+nmap -Pn -n -v -p1801 -sV --versiondb msmq-service-probe 127.0.0.1
+```
+
+If the service running on the port is MSMQ, Nmap will output the following:
+
+```
+PORT     STATE SERVICE VERSION
+1801/tcp open  msmq    Microsoft MQ
+```
+
+If the server is not MSMQ this is printed instead:
+
+```
+PORT     STATE SERVICE VERSION
+1801/tcp open  msmq?
+```
+
+[wikipedia_msmq]: https://en.wikipedia.org/wiki/Microsoft_Message_Queuing
+[nist_cve_2023_21554]: https://nvd.nist.gov/vuln/detail/CVE-2023-21554
diff --git a/msmq-service-probe b/msmq-service-probe
@@ -0,0 +1,26 @@
+# Nmap service detection probe list -*- mode: fundamental; -*-
+#
+# This is a database of custom probes and expected responses that the
+# Nmap Security Scanner ( https://nmap.org ) uses to
+# identify what services (eg http, smtp, dns, etc.) are listening on
+# open ports.  Contributions to this database are welcome.
+# Instructions for obtaining and submitting service detection fingerprints can
+# be found in the Nmap Network Scanning book and online at
+# https://nmap.org/book/vscan-community.html
+#
+# For details on how Nmap version detection works, why it was added,
+# the grammar of this file, and how to detect and contribute new
+# services, see https://nmap.org/book/vscan.html.
+
+Exclude T:9100-9107
+
+##############################NEXT PROBE##############################
+# Microsoft MQ probe
+Probe TCP NULL q|\x10\0\x0b\0\x4c\x49\x4f\x52\x3c\x02\0\0\xff\xff\xff\xff\0\0\x02\0\x06\x55\x3d\x51\x36\xdf\xc7\x40\x96\x43\x17\x5c\x3c\xe7\x6c\xaa\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xd2\x29\x1d\x06\x10\x03\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0|
+
+ports 1801
+
+match msmq m|^\x10\x5a\x0b\0\x4c\x49\x4f\x52\x3c\x02\0\0\xff\xff\xff\xff\0\0\x02\0\x06\x55\x3d\x51\x36\xdf\xc7\x40\x96\x43\x17\x5c\x3c\xe7\x6c\xaa| p/Microsoft MQ/
+# .*ZZZ$ should end the regex, but detection fails in some cases with this. Unsure why
+
+totalwaitms 6000
No results found