5671,5672 - Pentesting AMQP

Basic Information

RabbitMQ is a message-queueing software, also known as a message broker or queue manager. Simply put, it is software where queues are defined, to which applications connect in order to transfer a message or messages.
A message can include any kind of information. It could, for example, have information about a process or task that should start on another application which could even be on another server, or it could be just a simple text message. The queue-manager software stores the messages until a receiving application connects and takes a message off the queue. The receiving application then processes the message.
Definition from here.

Default ports: 5672, 5671

PORT     STATE SERVICE VERSION
5672/tcp open  amqp    RabbitMQ 3.1.5 (0-9)

Enumeration

Manual

```python
import amqp  # py-amqp (pip install amqp)

# RabbitMQ ships with the default credentials "guest":"guest"; py-amqp uses
# them unless userid/password are given. The port goes inside the host string
# (py-amqp has no separate port argument; a bare host means port 5672).
conn = amqp.Connection(host="<IP>:5672", userid="guest", password="guest", virtual_host="/")
conn.connect()
# server_properties is populated during the connection handshake
for k, v in conn.server_properties.items():
    print(k, v)
conn.close()
```

Automatic

nmap -sV -Pn -n -T4 -p 5672 --script amqp-info <IP>

PORT     STATE SERVICE VERSION
5672/tcp open  amqp    RabbitMQ 3.1.5 (0-9)
| amqp-info: 
|   capabilities: 
|     publisher_confirms: YES
|     exchange_exchange_bindings: YES
|     basic.nack: YES
|     consumer_cancel_notify: YES
|   copyright: Copyright (C) 2007-2013 GoPivotal, Inc.
|   information: Licensed under the MPL.  See http://www.rabbitmq.com/
|   platform: Erlang/OTP
|   product: RabbitMQ
|   version: 3.1.5
|   mechanisms: PLAIN AMQPLAIN
|_  locales: en_US

Other RabbitMQ ports

From https://www.rabbitmq.com/networking.html you can find that RabbitMQ uses several ports:

  • 1883, 8883: MQTT clients without and with TLS, only if the MQTT plugin is enabled. Learn more about how to pentest MQTT here.
  • 4369: epmd, a peer discovery service used by RabbitMQ nodes and CLI tools. Learn more about how to pentest this service here.
  • 5672, 5671: used by AMQP 0-9-1 and 1.0 clients without and with TLS
  • 15672: HTTP API clients, management UI and rabbitmqadmin only if the [management plugin](https://www.rabbitmq.com/management.html) is enabled. Learn more about how to pentest this service here.
  • 15674: STOMP-over-WebSockets clients only if the [Web STOMP plugin](https://www.rabbitmq.com/web-stomp.html) is enabled
  • 15675: MQTT-over-WebSockets clients only if the [Web MQTT plugin](https://www.rabbitmq.com/web-mqtt.html) is enabled
  • 15692: Prometheus metrics only if the [Prometheus plugin](https://www.rabbitmq.com/prometheus.html) is enabled
  • 25672: used for inter-node and CLI tool communication (the Erlang distribution server port). It is allocated from a dynamic range limited to a single port by default, computed as AMQP port + 20000. Unless external connections on these ports are really necessary, e.g. the cluster uses [federation](https://www.rabbitmq.com/federation.html) or CLI tools are used on machines outside the subnet, these ports should not be publicly exposed. See the networking guide for details. Only 9 of these ports were found open on the internet.
  • 35672-35682: used by CLI tools (Erlang distribution client ports) for communication with nodes; allocated from a dynamic range computed as server distribution port + 10000 through server distribution port + 10010. See the networking guide for details.
  • 61613, 61614: STOMP clients without and with TLS, only if the [STOMP plugin](https://www.rabbitmq.com/stomp.html) is enabled. Fewer than 10 devices were found with this port open, mostly UDP for DHT nodes.
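The port list above can be turned into a quick exposure check for a scanned host. The following is an added example, not code from the original page: it derives the Erlang distribution ports from the AMQP port exactly as the list describes (AMQP port + 20000, then +10000 through +10010 for CLI clients), maps open ports to RabbitMQ services, and flags the ones that should not be publicly reachable. The scan results are constructed sample data.

```python
# Added example (not from the original page): classify open TCP ports on a
# RabbitMQ host against the port table above. Sample scan data is constructed.

def rabbitmq_ports(amqp_port=5672):
    """Return {port: (service, internal_only)} for a node whose non-TLS AMQP
    listener is amqp_port. Distribution ports are derived as the list above
    describes: server = AMQP port + 20000, CLI clients = server + 10000..10010."""
    dist = amqp_port + 20000
    table = {
        1883: ("MQTT", False),
        8883: ("MQTT over TLS", False),
        4369: ("epmd peer discovery", False),
        5671: ("AMQP 0-9-1/1.0 over TLS", False),
        amqp_port: ("AMQP 0-9-1/1.0", False),
        15672: ("HTTP API / management UI", False),
        15674: ("STOMP over WebSockets", False),
        15675: ("MQTT over WebSockets", False),
        15692: ("Prometheus metrics", False),
        61613: ("STOMP", False),
        61614: ("STOMP over TLS", False),
        dist: ("Erlang distribution server (inter-node/CLI)", True),
    }
    for port in range(dist + 10000, dist + 10011):   # +10000 .. +10010 inclusive
        table[port] = ("Erlang distribution client (CLI tools)", True)
    return table


def classify_scan(open_ports, amqp_port=5672):
    """Map scanned open ports to RabbitMQ services and a finding per port.
    Returns a list of (port, service, finding) sorted by port."""
    table = rabbitmq_ports(amqp_port)
    no_tls = {1883, amqp_port, 61613}   # the "without TLS" half of each pair above
    findings = []
    for port in sorted(set(open_ports)):
        if port not in table:
            continue                     # not a RabbitMQ port; ignore
        service, internal_only = table[port]
        if internal_only:
            finding = "should not be publicly exposed"
        elif port in no_tls:
            finding = "no TLS: credentials and messages travel in cleartext"
        else:
            finding = "plugin endpoint; confirm it is meant to be reachable"
        findings.append((port, service, finding))
    return findings


# Constructed sample: ports a port scan reported open on one host
SAMPLE_OPEN_PORTS = [22, 80, 4369, 5672, 15672, 25672, 35680]

if __name__ == "__main__":
    for port, service, finding in classify_scan(SAMPLE_OPEN_PORTS):
        print(f"{port:>5}  {service:<45} {finding}")
```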