4.2 KiB
5671,5672 - Pentesting AMQP
Basic Information
RabbitMQ is a message-queueing software also known as a message broker or queue manager. Simply said; it is software where queues are defined, to which applications connect in order to transfer a message or messages.
A message can include any kind of information. It could, for example, have information about a process or task that should start on another application which could even be on another server
, or it could be just a simple text message. The queue-manager software stores the messages until a receiving application connects and takes a message off the queue. The receiving application then processes the message.
Definition from here.
Default port: 5672,5671
PORT STATE SERVICE VERSION
5672/tcp open amqp RabbitMQ 3.1.5 (0-9)
Enumeration
Manual
import amqp
#By default it uses default credentials "guest":"guest"
conn = amqp.connection.Connection(host="<IP>", port=5672, virtual_host="/")
conn.connect()
for k, v in conn.server_properties.items():
print(k, v)
Automatic
nmap -sV -Pn -n -T4 -p 5672 --script amqp-info <IP>
PORT STATE SERVICE VERSION
5672/tcp open amqp RabbitMQ 3.1.5 (0-9)
| amqp-info:
| capabilities:
| publisher_confirms: YES
| exchange_exchange_bindings: YES
| basic.nack: YES
| consumer_cancel_notify: YES
| copyright: Copyright (C) 2007-2013 GoPivotal, Inc.
| information: Licensed under the MPL. See http://www.rabbitmq.com/
| platform: Erlang/OTP
| product: RabbitMQ
| version: 3.1.5
| mechanisms: PLAIN AMQPLAIN
|_ locales: en_US
Other RabbitMQ ports
From https://www.rabbitmq.com/networking.html you can find that rabbitmq uses several ports:
- 1883, 8883: (MQTT clients without and with TLS, if the MQTT plugin is enabled. Learn more about how to pentest MQTT here.
- 4369: epmd, a peer discovery service used by RabbitMQ nodes and CLI tools. Learn more about how to pentest this service here.
- 5672, 5671: used by AMQP 0-9-1 and 1.0 clients without and with TLS
- 15672: HTTP API clients, management UI and rabbitmqadmin
only if the [management plugin](https://www.rabbitmq.com/management.html) is enabled
. Learn more about how to pentest this service here. - 15674: STOMP-over-WebSockets clients
only if the [Web STOMP plugin](https://www.rabbitmq.com/web-stomp.html) is enabled
- 15675: MQTT-over-WebSockets clients
only if the [Web MQTT plugin](https://www.rabbitmq.com/web-mqtt.html) is enabled
- 15692: Prometheus metrics
only if the [Prometheus plugin](https://www.rabbitmq.com/prometheus.html) is enabled
- 25672: used for inter-node and CLI tools communication
Erlang distribution server port
and is allocated from a dynamic rangelimited to a single port by default, computed as AMQP port + 20000
. Unless external connections on these ports are really necessarye.g. the cluster uses [federation](https://www.rabbitmq.com/federation.html) or CLI tools are used on machines outside the subnet
, these ports should not be publicly exposed. See networking guide for details. Only 9 of these ports opened on the internet. - 35672-35682: used by CLI tools
Erlang distribution client ports
for communication with nodes and is allocated from a dynamic rangecomputed as server distribution port + 10000 through server distribution port + 10010
. See networking guide for details. - 61613, 61614: STOMP clients without and with TLS
only if the [STOMP plugin](https://www.rabbitmq.com/stomp.html) is enabled
. Less than 10 devices with this port open and mostly UDP for DHT nodes.