# 5671,5672 - Pentesting AMQP
{% hint style="success" %}
Learn & practice AWS Hacking:
[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: 
[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** π¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** π¦ [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
## Basic Information
From [cloudamqp](https://www.cloudamqp.com/blog/2015-05-18-part1-rabbitmq-for-beginners-what-is-rabbitmq.html):
> **RabbitMQ**λ _λ©μμ§ λΈλ‘컀_ λλ _ν κ΄λ¦¬μ_λ‘ μλ €μ§ **λ©μμ§ νμ μννΈμ¨μ΄**μ
λλ€. κ°λ¨ν λ§ν΄, λ©μμ§λ₯Ό μ μ‘νκΈ° μν΄ μ ν리μΌμ΄μ
μ΄ μ°κ²°λλ νκ° μ μλ μννΈμ¨μ΄μ
λλ€.\
> **λ©μμ§λ μ΄λ€ μ’
λ₯μ μ 보λ ν¬ν¨ν μ μμ΅λλ€**. μλ₯Ό λ€μ΄, λ€λ₯Έ μ ν리μΌμ΄μ
(λ€λ₯Έ μλ²μ μμ μλ μμ)μμ μμν΄μΌ νλ νλ‘μΈμ€λ μμ
μ λν μ λ³΄κ° ν¬ν¨λ μ μμΌλ©°, λ¨μν ν
μ€νΈ λ©μμ§μΌ μλ μμ΅λλ€. ν κ΄λ¦¬μ μννΈμ¨μ΄λ μμ μ ν리μΌμ΄μ
μ΄ μ°κ²°λμ΄ νμμ λ©μμ§λ₯Ό κ°μ Έκ° λκΉμ§ λ©μμ§λ₯Ό μ μ₯ν©λλ€. μμ μ ν리μΌμ΄μ
μ κ·Έ ν λ©μμ§λ₯Ό μ²λ¦¬ν©λλ€.\
Definition from .
**Default port**: 5672,5671
```
PORT STATE SERVICE VERSION
5672/tcp open amqp RabbitMQ 3.1.5 (0-9)
```
## μ΄κ±°
### μλ
```python
import amqp
#By default it uses default credentials "guest":"guest"
conn = amqp.connection.Connection(host="", port=5672, virtual_host="/")
conn.connect()
for k, v in conn.server_properties.items():
print(k, v)
```
### μλ
```bash
nmap -sV -Pn -n -T4 -p 5672 --script amqp-info
PORT STATE SERVICE VERSION
5672/tcp open amqp RabbitMQ 3.1.5 (0-9)
| amqp-info:
| capabilities:
| publisher_confirms: YES
| exchange_exchange_bindings: YES
| basic.nack: YES
| consumer_cancel_notify: YES
| copyright: Copyright (C) 2007-2013 GoPivotal, Inc.
| information: Licensed under the MPL. See http://www.rabbitmq.com/
| platform: Erlang/OTP
| product: RabbitMQ
| version: 3.1.5
| mechanisms: PLAIN AMQPLAIN
|_ locales: en_US
```
### Brute Force
* [**AMQP Protocol Brute-Force**](../generic-methodologies-and-resources/brute-force.md#amqp-activemq-rabbitmq-qpid-joram-and-solace)
* [**STOMP Protocol Brute-Force**](../generic-methodologies-and-resources/brute-force.md#stomp-activemq-rabbitmq-hornetq-and-openmq)
## Other RabbitMQ ports
In [https://www.rabbitmq.com/networking.html](https://www.rabbitmq.com/networking.html) you can find that **rabbitmqλ μ¬λ¬ ν¬νΈλ₯Ό μ¬μ©ν©λλ€**:
* **1883, 8883**: ([MQTT ν΄λΌμ΄μΈνΈ](http://mqtt.org) TLS μμ΄ λ° TLSμ ν¨κ», [MQTT νλ¬κ·ΈμΈ](https://www.rabbitmq.com/mqtt.html)μ΄ νμ±νλ κ²½μ°. [**μ¬κΈ°μμ MQTTλ₯Ό νν
μ€νΈνλ λ°©λ²μ λν΄ λ μμ보μΈμ**](1883-pentesting-mqtt-mosquitto.md).
* **4369: epmd**, RabbitMQ λ
Έλμ CLI λꡬμμ μ¬μ©νλ νΌμ΄ κ²μ μλΉμ€. [**μ¬κΈ°μμ μ΄ μλΉμ€λ₯Ό νν
μ€νΈνλ λ°©λ²μ λν΄ λ μμ보μΈμ**](4369-pentesting-erlang-port-mapper-daemon-epmd.md).
* **5672, 5671**: TLS μμ΄ λ° TLSμ ν¨κ» AMQP 0-9-1 λ° 1.0 ν΄λΌμ΄μΈνΈμμ μ¬μ©
* **15672**: [HTTP API](https://www.rabbitmq.com/management.html) ν΄λΌμ΄μΈνΈ, [κ΄λ¦¬ UI](https://www.rabbitmq.com/management.html) λ° [rabbitmqadmin](https://www.rabbitmq.com/management-cli.html) (λ¨, [κ΄λ¦¬ νλ¬κ·ΈμΈ](https://www.rabbitmq.com/management.html)μ΄ νμ±νλ κ²½μ°). [**μ¬κΈ°μμ μ΄ μλΉμ€λ₯Ό νν
μ€νΈνλ λ°©λ²μ λν΄ λ μμ보μΈμ**](15672-pentesting-rabbitmq-management.md).
* 15674: STOMP-over-WebSockets ν΄λΌμ΄μΈνΈ (λ¨, [Web STOMP νλ¬κ·ΈμΈ](https://www.rabbitmq.com/web-stomp.html)μ΄ νμ±νλ κ²½μ°)
* 15675: MQTT-over-WebSockets ν΄λΌμ΄μΈνΈ (λ¨, [Web MQTT νλ¬κ·ΈμΈ](https://www.rabbitmq.com/web-mqtt.html)μ΄ νμ±νλ κ²½μ°)
* 15692: Prometheus λ©νΈλ¦ (λ¨, [Prometheus νλ¬κ·ΈμΈ](https://www.rabbitmq.com/prometheus.html)μ΄ νμ±νλ κ²½μ°)
* 25672: λ
Έλ κ° λ° CLI λꡬ ν΅μ μ μ¬μ© (Erlang λ°°ν¬ μλ² ν¬νΈ)μ΄λ©° λμ λ²μμμ ν λΉλ¨ (κΈ°λ³Έμ μΌλ‘ AMQP ν¬νΈ + 20000μΌλ‘ κ³μ°λ λ¨μΌ ν¬νΈλ‘ μ νλ¨). μ΄λ¬ν ν¬νΈμμ μΈλΆ μ°κ²°μ΄ μ λ§ νμν κ²½μ°κ° μλλΌλ©΄ (μ: ν΄λ¬μ€ν°κ° [μ°ν©](https://www.rabbitmq.com/federation.html)μ μ¬μ©νλ κ²½μ° λλ CLI λκ΅¬κ° μλΈλ· μΈλΆμ λ¨Έμ μμ μ¬μ©λλ κ²½μ°), μ΄λ¬ν ν¬νΈλ 곡κ°μ μΌλ‘ λ
ΈμΆλμ΄μλ μ λ©λλ€. μμΈν λ΄μ©μ [λ€νΈμνΉ κ°μ΄λ](https://www.rabbitmq.com/networking.html)λ₯Ό μ°Έμ‘°νμΈμ. **μ΄ ν¬νΈ μ€ 9κ°λ§ μΈν°λ·μ μ΄λ € μμ΅λλ€**.
* 35672-35682: λ
Έλμμ ν΅μ μ μν CLI λꡬ (Erlang λ°°ν¬ ν΄λΌμ΄μΈνΈ ν¬νΈ)μμ μ¬μ©λλ©° λμ λ²μμμ ν λΉλ¨ (μλ² λ°°ν¬ ν¬νΈ + 10000μμ μλ² λ°°ν¬ ν¬νΈ + 10010μΌλ‘ κ³μ°λ¨). μμΈν λ΄μ©μ [λ€νΈμνΉ κ°μ΄λ](https://www.rabbitmq.com/networking.html)λ₯Ό μ°Έμ‘°νμΈμ.
* 61613, 61614: [STOMP ν΄λΌμ΄μΈνΈ](https://stomp.github.io/stomp-specification-1.2.html) TLS μμ΄ λ° TLSμ ν¨κ» (λ¨, [STOMP νλ¬κ·ΈμΈ](https://www.rabbitmq.com/stomp.html)μ΄ νμ±νλ κ²½μ°). μ΄ ν¬νΈκ° μ΄λ € μλ μ₯μΉλ 10λ λ―Έλ§μ΄λ©° λλΆλΆ DHT λ
Έλμ λν΄ UDPμ
λλ€.
## Shodan
* `AMQP`
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** π¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** π¦ [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}