mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-19 01:24:50 +00:00
106 lines
6.7 KiB
Markdown
106 lines
6.7 KiB
Markdown
|
# 5671,5672 - Pentesting AMQP
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
|
||
|
## Basic Information
|
||
|
|
||
|
From [cloudamqp](https://www.cloudamqp.com/blog/2015-05-18-part1-rabbitmq-for-beginners-what-is-rabbitmq.html):
|
||
|
|
||
|
> **RabbitMQ** is a **message-queueing software** also known as a _message broker_ or _queue manager._ Simply said; it is software where queues are defined, to which applications connect in order to transfer a message or messages.\
|
||
|
> A **message can include any kind of information**. It could, for example, have information about a process or task that should start on another application (which could even be on another server), or it could be just a simple text message. The queue-manager software stores the messages until a receiving application connects and takes a message off the queue. The receiving application then processes the message.\
|
||
|
Definition from .
|
||
|
|
||
|
**Default port**: 5672,5671
|
||
|
|
||
|
```
|
||
|
PORT STATE SERVICE VERSION
|
||
|
5672/tcp open amqp RabbitMQ 3.1.5 (0-9)
|
||
|
```
|
||
|
|
||
|
## Enumeration
|
||
|
|
||
|
### Manual
|
||
|
|
||
|
```python
|
||
|
import amqp
|
||
|
#By default it uses default credentials "guest":"guest"
|
||
|
conn = amqp.connection.Connection(host="<IP>", port=5672, virtual_host="/")
|
||
|
conn.connect()
|
||
|
for k, v in conn.server_properties.items():
|
||
|
print(k, v)
|
||
|
```
|
||
|
|
||
|
### Automatic
|
||
|
|
||
|
```bash
|
||
|
nmap -sV -Pn -n -T4 -p 5672 --script amqp-info <IP>
|
||
|
|
||
|
PORT STATE SERVICE VERSION
|
||
|
5672/tcp open amqp RabbitMQ 3.1.5 (0-9)
|
||
|
| amqp-info:
|
||
|
| capabilities:
|
||
|
| publisher_confirms: YES
|
||
|
| exchange_exchange_bindings: YES
|
||
|
| basic.nack: YES
|
||
|
| consumer_cancel_notify: YES
|
||
|
| copyright: Copyright (C) 2007-2013 GoPivotal, Inc.
|
||
|
| information: Licensed under the MPL. See http://www.rabbitmq.com/
|
||
|
| platform: Erlang/OTP
|
||
|
| product: RabbitMQ
|
||
|
| version: 3.1.5
|
||
|
| mechanisms: PLAIN AMQPLAIN
|
||
|
|_ locales: en_US
|
||
|
```
|
||
|
|
||
|
### Brute Force
|
||
|
|
||
|
* [**AMQP Protocol Brute-Force**](../generic-methodologies-and-resources/brute-force.md#amqp-activemq-rabbitmq-qpid-joram-and-solace)
|
||
|
* [**STOMP Protocol Brute-Force**](../generic-methodologies-and-resources/brute-force.md#stomp-activemq-rabbitmq-hornetq-and-openmq)
|
||
|
|
||
|
## Other RabbitMQ ports
|
||
|
|
||
|
In [https://www.rabbitmq.com/networking.html](https://www.rabbitmq.com/networking.html) you can find that **rabbitmq uses several ports**:
|
||
|
|
||
|
* **1883, 8883**: ([MQTT clients](http://mqtt.org) without and with TLS, if the [MQTT plugin](https://www.rabbitmq.com/mqtt.html) is enabled. [**Learn more about how to pentest MQTT here**](1883-pentesting-mqtt-mosquitto.md).
|
||
|
* **4369: epmd**, a peer discovery service used by RabbitMQ nodes and CLI tools. [**Learn more about how to pentest this service here**](4369-pentesting-erlang-port-mapper-daemon-epmd.md).
|
||
|
* **5672, 5671**: used by AMQP 0-9-1 and 1.0 clients without and with TLS
|
||
|
* **15672**: [HTTP API](https://www.rabbitmq.com/management.html) clients, [management UI](https://www.rabbitmq.com/management.html) and [rabbitmqadmin](https://www.rabbitmq.com/management-cli.html) (only if the [management plugin](https://www.rabbitmq.com/management.html) is enabled). [**Learn more about how to pentest this service here**](15672-pentesting-rabbitmq-management.md).
|
||
|
* 15674: STOMP-over-WebSockets clients (only if the [Web STOMP plugin](https://www.rabbitmq.com/web-stomp.html) is enabled)
|
||
|
* 15675: MQTT-over-WebSockets clients (only if the [Web MQTT plugin](https://www.rabbitmq.com/web-mqtt.html) is enabled)
|
||
|
* 15692: Prometheus metrics (only if the [Prometheus plugin](https://www.rabbitmq.com/prometheus.html) is enabled)
|
||
|
* 25672: used for inter-node and CLI tools communication (Erlang distribution server port) and is allocated from a dynamic range (limited to a single port by default, computed as AMQP port + 20000). Unless external connections on these ports are really necessary (e.g. the cluster uses [federation](https://www.rabbitmq.com/federation.html) or CLI tools are used on machines outside the subnet), these ports should not be publicly exposed. See [networking guide](https://www.rabbitmq.com/networking.html) for details. **Only 9 of these ports opened on the internet**.
|
||
|
* 35672-35682: used by CLI tools (Erlang distribution client ports) for communication with nodes and is allocated from a dynamic range (computed as server distribution port + 10000 through server distribution port + 10010). See [networking guide](https://www.rabbitmq.com/networking.html) for details.
|
||
|
* 61613, 61614: [STOMP clients](https://stomp.github.io/stomp-specification-1.2.html) without and with TLS (only if the [STOMP plugin](https://www.rabbitmq.com/stomp.html) is enabled). Less than 10 devices with this port open and mostly UDP for DHT nodes.
|
||
|
|
||
|
## Shodan
|
||
|
|
||
|
* `AMQP`
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|