id: unauth-java-message-broker-detect

info:
  name: Unauthenticated Java Message Broker - Detect
  author: matejsmycka
  severity: low
  description: |
    Detection of a Java Message Service (JMS) broker, typically used by Oracle GlassFish Message Queue and Payara Application Server. This port should remain closed to the internet, as it enables unauthenticated access to messaging services.
  metadata:
    verified: true
    shodan-query: product:"Java Message Service"
  tags: network,tcp,jms,openmq,unauth

tcp:
  - inputs:
      - data: "\n"

    host:
      - "{{Host}}:7676"

    matchers:
      - type: word
        words:
          - "101 imqbroker"
          - "cluster_discovery"
        condition: and

    extractors:
      - type: regex
        regex:
          - "imqbroker ([0-9.]+)"
# digest: 4b0a004830460221009afdbe980ae7b778c697ec35da9e2e5190c5a49922630e7454527632a6a1b239022100af56ab146dcb1b1404092e33133caa15ef7fa33ba94b900c2913c09d29f8c56b:922c64590222798bb761d5b6d8e72950