hacktricks/network-services-pentesting/5671-5672-pentesting-amqp.md

5671,5672 - Pentesting AMQP

htARTE (HackTricks AWS Red Team Expert) !HackTricks AWS Red Team Expert!

Other ways to support HackTricks:

• If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
• Get the official PEASS & HackTricks swag
• Discover The PEASS Family, our collection of exclusive NFTs
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
• Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic Information

From cloudamqp:

RabbitMQ is a message-queueing software also known as a message broker or queue manager. Simply said; it is software where queues are defined, to which applications connect in order to transfer a message or messages.
A message can include any kind of information. It could, for example, have information about a process or task that should start on another application (which could even be on another server), or it could be just a simple text message. The queue-manager software stores the messages until a receiving application connects and takes a message off the queue. The receiving application then processes the message.
Definition from .

Default port: 5672,5671

PORT     STATE SERVICE VERSION
5672/tcp open  amqp    RabbitMQ 3.1.5 (0-9)

Enumeration

Manual

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

QapHa'ghach

import amqp
#By default it uses default credentials "guest":"guest"
conn = amqp.connection.Connection(host="<IP>", port=5672, virtual_host="/")
conn.connect()
for k, v in conn.server_properties.items():
print(k, v)

QapDI'

nmap -sV -Pn -n -T4 -p 5672 --script amqp-info <IP>

PORT     STATE SERVICE VERSION
5672/tcp open  amqp    RabbitMQ 3.1.5 (0-9)
| amqp-info:
|   capabilities:
|     publisher_confirms: YES
|     exchange_exchange_bindings: YES
|     basic.nack: YES
|     consumer_cancel_notify: YES
|   copyright: Copyright (C) 2007-2013 GoPivotal, Inc.
|   information: Licensed under the MPL.  See http://www.rabbitmq.com/
|   platform: Erlang/OTP
|   product: RabbitMQ
|   version: 3.1.5
|   mechanisms: PLAIN AMQPLAIN
|_  locales: en_US

Brute Force

• AMQP Protocol Brute-Force
• STOMP Protocol Brute-Force

Other RabbitMQ ports

In https://www.rabbitmq.com/networking.html you can find that rabbitmq uses several ports:

• 1883, 8883: (MQTT clients without and with TLS, if the MQTT plugin is enabled. Learn more about how to pentest MQTT here.
• 4369: epmd, a peer discovery service used by RabbitMQ nodes and CLI tools. Learn more about how to pentest this service here.
• 5672, 5671: used by AMQP 0-9-1 and 1.0 clients without and with TLS
• 15672: HTTP API clients, management UI and rabbitmqadmin (only if the management plugin is enabled). Learn more about how to pentest this service here.
• 15674: STOMP-over-WebSockets clients (only if the Web STOMP plugin is enabled)
• 15675: MQTT-over-WebSockets clients (only if the Web MQTT plugin is enabled)
• 15692: Prometheus metrics (only if the Prometheus plugin is enabled)
• 25672: used for inter-node and CLI tools communication (Erlang distribution server port) and is allocated from a dynamic range (limited to a single port by default, computed as AMQP port + 20000). Unless external connections on these ports are really necessary (e.g. the cluster uses federation or CLI tools are used on machines outside the subnet), these ports should not be publicly exposed. See networking guide for details. Only 9 of these ports opened on the internet.
• 35672-35682: used by CLI tools (Erlang distribution client ports) for communication with nodes and is allocated from a dynamic range (computed as server distribution port + 10000 through server distribution port + 10010). See networking guide for details.
• 61613, 61614: STOMP clients without and with TLS (only if the STOMP plugin is enabled). Less than 10 devices with this port open and mostly UDP for DHT nodes.

Shodan

• AMQP

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

• If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
• Get the official PEASS & HackTricks swag
• Discover The PEASS Family, our collection of exclusive NFTs
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
• Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.