A comprehensive penetration testing tool for Solace PubSub+ brokers that provides capabilities for connection validation, information gathering, message monitoring, and message replay for security testing purposes.
Garland Glessner gglessner@gmail.com
This project is licensed under the GNU General Public License v3.0 - see the LICENSE file for details.
## Features

### SolaceClient.py

- Multiple Authentication Methods: Basic auth, OAuth tokens, and client certificates
- Connection Validation: Test broker connectivity with specified credentials
- TLS Support: Secure connections with optional certificate validation bypass
- Authorization Testing: Test access to administrative topics and queues
- Cross-VPN Testing: Validate VPN isolation and access controls
- Information Gathering: Collect broker connection details
- Queue Monitoring: Monitor queue messages (WARNING: Destructive - consumes messages)
- Topic Subscription: Subscribe to specific topics or wildcard patterns
- Message Logging: Save intercepted messages to timestamped files
- Message Replay: Send captured messages back to their original destinations
- Graceful Shutdown: Handle Ctrl+C interrupts cleanly

### SolaceSEMP.py

- SEMP API Testing: Comprehensive SEMP v2 REST API security assessment
- Configuration Enumeration: Discover brokers, VPNs, users, and ACL profiles
- Administrative Access Testing: Test access to management functions
- Authentication Support: Basic auth, OAuth, and client certificate authentication
- Security Reporting: Generate detailed JSON security assessment reports
- Production Safe: Non-destructive testing suitable for production environments

### SolaceVPNscan.py

- VPN Discovery: Enumerate valid VPN names on Solace brokers
- Error Analysis: Determines VPN existence based on authentication error responses
- Batch Processing: Test multiple VPNs from a text file
- CSV Reporting: Export results to CSV format for analysis
- Production Safe: Uses anonymous authentication attempts, no valid credentials required
## Requirements

- Python 3.7 or higher
- pip package manager
- Access to a Solace PubSub+ broker for testing

## Installation

```bash
# If using git
git clone <repository-url>
cd SolaceClient
# Or download and extract the files to a directory

pip install -r requirements.txt
```

Test the tool by viewing the help:

```bash
python SolaceClient.py --help
```

If you have access to a Solace broker, test the connection:

```bash
python SolaceClient.py --server your-broker:55443 --username your-user --vpn your-vpn --validate
```

### Windows

- Use PowerShell or Command Prompt
- Python should be available as `python` or `python3`
- Ensure Python is in your PATH

### Linux/macOS

- You may need to use `python3` instead of `python`
- Consider using a virtual environment:

```bash
python3 -m venv venv
source venv/bin/activate   # Linux/macOS
# or
venv\Scripts\activate      # Windows
pip install -r requirements.txt
```

## Troubleshooting

If you get import errors for the solace module:

```bash
pip install --upgrade solace-pubsubplus
```

If the connection fails:
- Verify the broker address and port
- Check if TLS is required (default) or use `--no-tls` for unencrypted connections
- Confirm your username and VPN name are correct
- Ensure your account has the necessary permissions

If you get permission errors:
- Make sure you have permission to access the specified queues and topics
- Some operations may require administrative privileges on the broker
## Certificate file formats

The tools support multiple certificate file formats:
- PEM files (`.pem`, `.crt`, `.key`): Can contain certificate only, private key only, or both
- PKCS12 files (`.p12`, `.pfx`): Contain both certificate and private key in a single encrypted file

Java KeyStore (`.jks`) files are not supported by the Solace Python API. If you have a JKS file, convert it to PEM format:

```bash
# 1. Convert JKS to PKCS12
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype jks -deststoretype pkcs12
# 2. Extract certificate
openssl pkcs12 -in keystore.p12 -clcerts -nokeys -out cert.pem
# 3. Extract private key
openssl pkcs12 -in keystore.p12 -nocerts -out key.pem
# 4. Use with the tool
python SolaceClient.py --server host:55443 --cert-file cert.pem --key-file key.pem --vpn default --validate
```

Certificate authentication examples:

```bash
# Single PEM file with both certificate and private key
python SolaceClient.py --server host:55443 --cert-file client.pem --vpn default --validate
# Separate PEM files (certificate and private key)
python SolaceClient.py --server host:55443 --cert-file cert.pem --key-file key.pem --vpn default --validate
# PKCS12 file (may prompt for password)
python SolaceClient.py --server host:55443 --cert-file client.p12 --vpn default --validate
```

## SolaceClient.py usage

### Connection validation

```bash
# Basic authentication
python SolaceClient.py --server hostname:55443 --username testuser --vpn default --validate
# OAuth authentication
python SolaceClient.py --server hostname:55443 --oauth-token "your-oauth-token" --vpn default --validate
# Client certificate authentication
python SolaceClient.py --server hostname:55443 --cert-file /path/to/client.pem --vpn default --validate
# Client certificate with separate key file (if PEM only contains certificate)
python SolaceClient.py --server hostname:55443 --cert-file /path/to/cert.pem --key-file /path/to/key.pem --vpn default --validate
# PKCS12 certificate file
python SolaceClient.py --server hostname:55443 --cert-file /path/to/client.p12 --vpn default --validate
```

### Topic monitoring

```bash
python SolaceClient.py --server hostname:55443 --username testuser --vpn default \
  --monitor-topics topic1 topic2 -dir ./captured_messages
```

### Wildcard subscription

```bash
python SolaceClient.py --server hostname:55443 --username testuser --vpn default \
  --subscribe-wildcard "telemetry/" -dir ./telemetry_logs
```

### Queue monitoring

```bash
python SolaceClient.py --server hostname:55443 --username testuser --vpn default \
  --monitor-queues queue1 queue2 -dir ./queue_messages
```

Note: The Solace Python API does not support non-destructive queue browsing. Messages will be permanently removed from the queue.
### Message replay

```bash
python SolaceClient.py --server hostname:55443 --username testuser --vpn default \
  --send-from-files ./captured_messages
```

### Unencrypted connection

```bash
python SolaceClient.py --server hostname:55555 --username testuser --vpn default \
  --no-tls --validate
```

### Authorization testing

```bash
# Test access to administrative resources
python SolaceClient.py --server hostname:55443 --username testuser --vpn default --check-auth
```

## SolaceSEMP.py usage

```bash
# Test SEMP API connection with basic auth
python SolaceSEMP.py --server hostname:8080 --username admin --test-connection
# Test SEMP API connection with client certificate
python SolaceSEMP.py --server hostname:8080 --cert-file client.pem --test-connection
# Test SEMP API connection with separate cert and key files
python SolaceSEMP.py --server hostname:8080 --cert-file cert.pem --key-file key.pem --test-connection
# Comprehensive enumeration
python SolaceSEMP.py --server hostname:8080 --username admin --enumerate-all --output security_report.json
# Test administrative access
python SolaceSEMP.py --server hostname:8080 --username admin --test-admin-access
```

## SolaceVPNscan.py usage

```bash
# Basic VPN enumeration
python SolaceVPNscan.py --server hostname:55443 --vpn-list vpn_names.txt
# VPN enumeration with CSV output
python SolaceVPNscan.py --server hostname:55443 --vpn-list vpn_names.txt --csv vpn_results.csv
# VPN enumeration without TLS
python SolaceVPNscan.py --server hostname:55555 --no-tls --vpn-list vpn_names.txt --csv results.csv
```

## Command-line options

### SolaceClient.py

Connection:
- `--server HOST:PORT` - Solace broker address (required)
- `--username USERNAME` - Username for basic authentication
- `--vpn VPN_NAME` - VPN name on the broker (required)
- `--no-tls` - Disable TLS encryption (optional)

Authentication:
- `--oauth-token TOKEN` - OAuth token for authentication
- `--cert-file PATH` - Client certificate file (PEM/PKCS12 format)
- `--key-file PATH` - Private key file (required for PEM certificates that don't contain the private key)

Operations:
- `--validate` - Test connection and exit
- `--info` - Gather and display broker information
- `--check-auth` - Test authorization against administrative resources
- `--monitor-queues QUEUE [QUEUE ...]` - Monitor specified queues (WARNING: Destructive - consumes messages)
- `--monitor-topics TOPIC [TOPIC ...]` - Monitor specified topics
- `--subscribe-wildcard PREFIX` - Subscribe to topics starting with prefix
- `--send-from-files DIRECTORY` - Replay messages from logged files

Output:
- `-dir, --output-dir DIRECTORY` - Save captured messages to directory

### SolaceSEMP.py

Connection:
- `--server HOST:PORT` - SEMP API server address (required)
- `--username USERNAME` - Username for basic authentication
- `--no-tls` - Use HTTP instead of HTTPS

Authentication:
- `--oauth-token TOKEN` - OAuth token for authentication
- `--cert-file PATH` - Client certificate file (PEM/PKCS12 format)
- `--key-file PATH` - Private key file (required for PEM certificates that don't contain the private key)

Operations:
- `--test-connection` - Test SEMP API connection and exit
- `--enumerate-all` - Perform comprehensive enumeration
- `--enumerate-brokers` - Enumerate broker information
- `--enumerate-vpns` - Enumerate Message VPNs
- `--enumerate-users VPN|all` - Enumerate users for VPN or all VPNs
- `--enumerate-acls VPN` - Enumerate ACL profiles for specified VPN
- `--test-admin-access` - Test administrative access

Output:
- `--output, -o FILE` - Output file for security report (JSON format)
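As an added example that is not SolaceSEMP.py's own code, the following Python walks SEMP v2 collections page by page (the `meta.paging.nextPageUri` cursor the API returns) and builds a per-VPN summary of the kind a JSON report would hold; the broker host and the response bodies are constructed for offline use, and the `fetch` callable would wrap an authenticated HTTPS client in a real run.

```python
# Added example (not SolaceSEMP.py's own code): walk SEMP v2 collections with the
# meta.paging.nextPageUri cursor and summarise Message VPNs and client usernames.
# `fetch` returns the decoded JSON body; constructed responses stand in for a broker.
from typing import Callable, Dict, List

Fetch = Callable[[str], dict]

def semp_collect(fetch: Fetch, url: str) -> List[dict]:
    """Return every item in a SEMP v2 collection, following nextPageUri."""
    items: List[dict] = []
    seen = set()  # stop if a broker ever hands back a cursor already visited
    while url and url not in seen:
        seen.add(url)
        body = fetch(url)
        items.extend(body.get("data", []))
        url = body.get("meta", {}).get("paging", {}).get("nextPageUri")
    return items

def enumerate_vpns(fetch: Fetch, base: str) -> Dict[str, dict]:
    """Per VPN: enabled flag, basic-auth type and sorted client usernames."""
    report: Dict[str, dict] = {}
    for vpn in semp_collect(fetch, f"{base}/SEMP/v2/config/msgVpns"):
        name = vpn["msgVpnName"]
        users = semp_collect(fetch, f"{base}/SEMP/v2/config/msgVpns/{name}/clientUsernames")
        auth = vpn.get("authenticationBasicType")
        report[name] = {
            "enabled": vpn.get("enabled"),
            "authenticationBasicType": auth,
            "clientUsernames": sorted(u["clientUsername"] for u in users),
            "findings": ["basic authentication type is 'none'"] if auth == "none" else [],
        }
    return report

# Constructed responses standing in for a broker (assumed host, not real output);
# the msgVpns collection is split over two pages to exercise the cursor logic.
_BASE = "https://broker.example:8080"
_PAGES = {
    f"{_BASE}/SEMP/v2/config/msgVpns": {
        "data": [{"msgVpnName": "default", "enabled": True, "authenticationBasicType": "internal"}],
        "meta": {"paging": {"nextPageUri": f"{_BASE}/SEMP/v2/config/msgVpns?cursor=2"}}},
    f"{_BASE}/SEMP/v2/config/msgVpns?cursor=2": {
        "data": [{"msgVpnName": "guest", "enabled": True, "authenticationBasicType": "none"}],
        "meta": {}},
    f"{_BASE}/SEMP/v2/config/msgVpns/default/clientUsernames": {
        "data": [{"clientUsername": "default"}, {"clientUsername": "app1"}], "meta": {}},
    f"{_BASE}/SEMP/v2/config/msgVpns/guest/clientUsernames": {"data": [], "meta": {}},
}

def demo() -> Dict[str, dict]:
    return enumerate_vpns(_PAGES.__getitem__, _BASE)
```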
### SolaceVPNscan.py

- `--server HOST:PORT` - Solace server address (required)
- `--no-tls` - Use unencrypted connection
- `--vpn-list FILE` - Text file containing VPN names, one per line (required)
- `--case-variations` - Generate lowercase, uppercase, and title case variations of each VPN name
- `--csv FILE` - Save results to CSV file

Notes on VPN names:
- VPN names are case-sensitive in Solace (e.g., "default" ≠ "Default" ≠ "DEFAULT")
- Use `--case-variations` to automatically test common case variations
- Consider testing both common naming patterns and case variations for thorough enumeration
This tool is designed for authorized penetration testing and security assessments. Users must:
- Have explicit permission to test the target Solace broker
- Comply with all applicable laws and regulations
- Use responsibly in production environments
- Understand that message monitoring may capture sensitive data
## Captured message format

Captured messages are saved as JSON files with the following structure:

```json
{
  "source_type": "topic|queue",
  "source_name": "topic_or_queue_name",
  "timestamp": 1634567890123,
  "datetime": "2021-10-18T10:31:30.123456",
  "payload": "message content",
  "properties": {}
}
```

## Notes

- Queue monitoring is DESTRUCTIVE - messages are consumed/removed from queues (Solace Python API limitation)
- Queue monitoring requires appropriate permissions on the target broker
- Some broker information gathering features require administrative access
- Wildcard subscriptions follow Solace topic syntax rules
- Message replay preserves original content but may not preserve all message properties
- For non-destructive queue browsing, use alternative tools like Solace's PrettyDump or Java-based solutions
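The loader below is an added example, not code from SolaceClient.py: it validates capture files against the JSON structure above and groups them per destination in timestamp order, so malformed or corrupt files are surfaced before a replay rather than failing part-way through. The sample records and the temporary directory it writes to are constructed for the demonstration.

```python
# Added example (not part of SolaceClient.py): validate capture files written in
# the JSON layout above and group them by destination as a replay pre-check.
import json
import tempfile
from pathlib import Path
from typing import Dict, List

REQUIRED = ("source_type", "source_name", "timestamp", "datetime", "payload", "properties")
def load_capture(path: Path) -> dict:
    """Parse one capture file and enforce the documented fields and types."""
    with path.open("r", encoding="utf-8") as fh:
        msg = json.load(fh)
    if any(k not in msg for k in REQUIRED):
        raise ValueError(f"{path.name}: missing one of {REQUIRED}")
    if msg["source_type"] not in ("topic", "queue"):
        raise ValueError(f"{path.name}: bad source_type {msg['source_type']!r}")
    if not isinstance(msg["timestamp"], int) or not isinstance(msg["properties"], dict):
        raise ValueError(f"{path.name}: timestamp must be int ms, properties a dict")
    return msg

def group_for_replay(capture_dir: str) -> Dict[str, List[dict]]:
    """Map "<source_type>:<source_name>" to its messages in timestamp order;
    malformed files are listed under "invalid" instead of aborting the run."""
    groups: Dict[str, List[dict]] = {"invalid": []}
    for path in sorted(Path(capture_dir).glob("*.json")):
        try:
            msg = load_capture(path)
        except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
            groups["invalid"].append({"file": path.name, "error": str(exc)})
            continue
        groups.setdefault(f"{msg['source_type']}:{msg['source_name']}", []).append(msg)
    return {k: v if k == "invalid" else sorted(v, key=lambda m: m["timestamp"])
            for k, v in groups.items()}

def _sample(src_type: str, name: str, ts: int, payload: str) -> dict:
    return {"source_type": src_type, "source_name": name, "timestamp": ts,
            "datetime": "2021-10-18T10:31:30.123456", "payload": payload, "properties": {}}

def demo() -> Dict[str, List[dict]]:
    """Write constructed samples, one invalid, plus a corrupt file, then group them."""
    tmp = tempfile.mkdtemp()
    samples = [_sample("topic", "telemetry/a", 1634567890123, "second"),
               _sample("topic", "telemetry/a", 1634567880000, "first"),
               _sample("queue", "q1", 1634567890999, "x"),
               _sample("stream", "bad", 1, "")]  # rejected: unknown source_type
    for i, sample in enumerate(samples):
        Path(tmp, f"msg_{i}.json").write_text(json.dumps(sample), encoding="utf-8")
    Path(tmp, "msg_9.json").write_text("{not json", encoding="utf-8")  # corrupt file
    return group_for_replay(tmp)
```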
- Review examples.sh for common scenarios and command examples
- Ensure you have proper authorization before testing any broker
- Check the troubleshooting section above for common issues
This project is open source under the GNU GPL v3.0 license. Contributions are welcome via pull requests.
This tool is provided for educational and authorized testing purposes only. The authors are not responsible for any misuse or damage caused by this software. Always ensure you have proper authorization before testing any systems.