**RabbitMQ** is a **message-queueing software** also known as a _message broker_ or _queue manager._ Simply said; it is software where queues are defined, to which applications connect in order to transfer a message or messages.
A **message can include any kind of information**. It could, for example, have information about a process or task that should start on another application \(which could even be on another server\), or it could be just a simple text message. The queue-manager software stores the messages until a receiving application connects and takes a message off the queue. The receiving application then processes the message.
Definition from [here](https://www.cloudamqp.com/blog/2015-05-18-part1-rabbitmq-for-beginners-what-is-rabbitmq.html).
**Default port**: 5672,5671
```text
PORT STATE SERVICE VERSION
5672/tcp open amqp RabbitMQ 3.1.5 (0-9)
```
## Enumeration
### Manual
```python
import amqp
#By default it uses default credentials "guest":"guest"
| copyright: Copyright (C) 2007-2013 GoPivotal, Inc.
| information: Licensed under the MPL. See http://www.rabbitmq.com/
| platform: Erlang/OTP
| product: RabbitMQ
| version: 3.1.5
| mechanisms: PLAIN AMQPLAIN
|_ locales: en_US
```
## Other RabbitMQ ports
From [https://www.rabbitmq.com/networking.html](https://www.rabbitmq.com/networking.html) you can find that **rabbitmq uses several ports**:
* **1883, 8883**: \([MQTT clients](http://mqtt.org/) without and with TLS, if the [MQTT plugin](https://www.rabbitmq.com/mqtt.html) is enabled. [**Learn more about how to pentest MQTT here**](1883-pentesting-mqtt-mosquitto.md).
* **4369: epmd**, a peer discovery service used by RabbitMQ nodes and CLI tools. [**Learn more about how to pentest this service here**](4369-pentesting-erlang-port-mapper-daemon-epmd.md).
* **5672, 5671**: used by AMQP 0-9-1 and 1.0 clients without and with TLS
* **15672**: [HTTP API](https://www.rabbitmq.com/management.html) clients, [management UI](https://www.rabbitmq.com/management.html) and [rabbitmqadmin](https://www.rabbitmq.com/management-cli.html) \(only if the [management plugin](https://www.rabbitmq.com/management.html) is enabled\). [**Learn more about how to pentest this service here**](15672-pentesting-rabbitmq-management.md).
* 15674: STOMP-over-WebSockets clients \(only if the [Web STOMP plugin](https://www.rabbitmq.com/web-stomp.html) is enabled\)
* 15675: MQTT-over-WebSockets clients \(only if the [Web MQTT plugin](https://www.rabbitmq.com/web-mqtt.html) is enabled\)
* 15692: Prometheus metrics \(only if the [Prometheus plugin](https://www.rabbitmq.com/prometheus.html) is enabled\)
* 25672: used for inter-node and CLI tools communication \(Erlang distribution server port\) and is allocated from a dynamic range \(limited to a single port by default, computed as AMQP port + 20000\). Unless external connections on these ports are really necessary \(e.g. the cluster uses [federation](https://www.rabbitmq.com/federation.html) or CLI tools are used on machines outside the subnet\), these ports should not be publicly exposed. See [networking guide](https://www.rabbitmq.com/networking.html) for details. **Only 9 of these ports opened on the internet**.
* 35672-35682: used by CLI tools \(Erlang distribution client ports\) for communication with nodes and is allocated from a dynamic range \(computed as server distribution port + 10000 through server distribution port + 10010\). See [networking guide](https://www.rabbitmq.com/networking.html) for details.
* 61613, 61614: [STOMP clients](https://stomp.github.io/stomp-specification-1.2.html) without and with TLS \(only if the [STOMP plugin](https://www.rabbitmq.com/stomp.html) is enabled\). Less than 10 devices with this port open and mostly UDP for DHT nodes.