hacktricks/pentesting/5671-5672-pentesting-amqp.md
2020-10-01 14:38:08 +00:00

69 lines
4.2 KiB
Markdown

# 5671,5672 - Pentesting AMQP
## Basic Information
**RabbitMQ** is a **message-queueing software** also known as a _message broker_ or _queue manager._ Simply said; it is software where queues are defined, to which applications connect in order to transfer a message or messages.
A **message can include any kind of information**. It could, for example, have information about a process or task that should start on another application \(which could even be on another server\), or it could be just a simple text message. The queue-manager software stores the messages until a receiving application connects and takes a message off the queue. The receiving application then processes the message.
Definition from [here](https://www.cloudamqp.com/blog/2015-05-18-part1-rabbitmq-for-beginners-what-is-rabbitmq.html).
**Default port**: 5672,5671
```text
PORT STATE SERVICE VERSION
5672/tcp open amqp RabbitMQ 3.1.5 (0-9)
```
## Enumeration
### Manual
```python
import amqp
#By default it uses default credentials "guest":"guest"
conn = amqp.connection.Connection(host="<IP>", port=5672, virtual_host="/")
conn.connect()
for k, v in conn.server_properties.items():
print(k, v)
```
### Automatic
```bash
nmap -sV -Pn -n -T4 -p 5672 --script amqp-info <IP>
PORT STATE SERVICE VERSION
5672/tcp open amqp RabbitMQ 3.1.5 (0-9)
| amqp-info:
| capabilities:
| publisher_confirms: YES
| exchange_exchange_bindings: YES
| basic.nack: YES
| consumer_cancel_notify: YES
| copyright: Copyright (C) 2007-2013 GoPivotal, Inc.
| information: Licensed under the MPL. See http://www.rabbitmq.com/
| platform: Erlang/OTP
| product: RabbitMQ
| version: 3.1.5
| mechanisms: PLAIN AMQPLAIN
|_ locales: en_US
```
## Other RabbitMQ ports
From [https://www.rabbitmq.com/networking.html](https://www.rabbitmq.com/networking.html) you can find that **rabbitmq uses several ports**:
* **1883, 8883**: \([MQTT clients](http://mqtt.org/) without and with TLS, if the [MQTT plugin](https://www.rabbitmq.com/mqtt.html) is enabled. [**Learn more about how to pentest MQTT here**](1883-pentesting-mqtt-mosquitto.md).
* **4369: epmd**, a peer discovery service used by RabbitMQ nodes and CLI tools. [**Learn more about how to pentest this service here**](4369-pentesting-erlang-port-mapper-daemon-epmd.md).
* **5672, 5671**: used by AMQP 0-9-1 and 1.0 clients without and with TLS
* **15672**: [HTTP API](https://www.rabbitmq.com/management.html) clients, [management UI](https://www.rabbitmq.com/management.html) and [rabbitmqadmin](https://www.rabbitmq.com/management-cli.html) \(only if the [management plugin](https://www.rabbitmq.com/management.html) is enabled\). [**Learn more about how to pentest this service here**](15672-pentesting-rabbitmq-management.md).
* 15674: STOMP-over-WebSockets clients \(only if the [Web STOMP plugin](https://www.rabbitmq.com/web-stomp.html) is enabled\)
* 15675: MQTT-over-WebSockets clients \(only if the [Web MQTT plugin](https://www.rabbitmq.com/web-mqtt.html) is enabled\)
* 15692: Prometheus metrics \(only if the [Prometheus plugin](https://www.rabbitmq.com/prometheus.html) is enabled\)
* 25672: used for inter-node and CLI tools communication \(Erlang distribution server port\) and is allocated from a dynamic range \(limited to a single port by default, computed as AMQP port + 20000\). Unless external connections on these ports are really necessary \(e.g. the cluster uses [federation](https://www.rabbitmq.com/federation.html) or CLI tools are used on machines outside the subnet\), these ports should not be publicly exposed. See [networking guide](https://www.rabbitmq.com/networking.html) for details. **Only 9 of these ports opened on the internet**.
* 35672-35682: used by CLI tools \(Erlang distribution client ports\) for communication with nodes and is allocated from a dynamic range \(computed as server distribution port + 10000 through server distribution port + 10010\). See [networking guide](https://www.rabbitmq.com/networking.html) for details.
* 61613, 61614: [STOMP clients](https://stomp.github.io/stomp-specification-1.2.html) without and with TLS \(only if the [STOMP plugin](https://www.rabbitmq.com/stomp.html) is enabled\). Less than 10 devices with this port open and mostly UDP for DHT nodes.
## Shodan
* `AMQP`