ActiveMQ

Default Ports: 61616 (OpenWire), 8161 (Web Console), 61613 (STOMP), 5672 (AMQP), 1883 (MQTT)

Apache ActiveMQ is a message broker used for queues, topics, and service-to-service messaging. In pentests, exposed consoles or weak broker credentials can reveal message contents, integration names, consumers, producers, and downstream workflows.

Connect

Using Web Console

Check the management console first because it often reveals the broker type, version, and authentication behavior.

http://target.com:8161/admin/
http://target.com:8161/console/
http://target.com:8161/hawtio/

Using curl

Use curl to validate console access and XML status endpoints.

curl -i http://target.com:8161/admin/
curl -u admin:password -i http://target.com:8161/admin/
curl -u admin:password http://target.com:8161/admin/xml/queues.jsp
curl -u admin:password http://target.com:8161/admin/xml/topics.jsp

Using Jolokia

Jolokia exposes Java MBeans over HTTP and can leak broker internals.

curl -u admin:password http://target.com:8161/api/jolokia/version
curl -u admin:password http://target.com:8161/api/jolokia/list
curl -u admin:password 'http://target.com:8161/api/jolokia/search/org.apache.activemq:*'

Using STOMP

STOMP is useful for testing direct queue access through the text protocol.

import stomp

conn = stomp.Connection([('target.com', 61613)])
conn.connect('username', 'password', wait=True)
conn.subscribe(destination='/queue/test', id=1, ack='auto')
conn.send(destination='/queue/test', body='authorized test')
conn.disconnect()

Using MQTT

Some ActiveMQ deployments expose MQTT for IoT or lightweight clients.

mosquitto_sub -h target.com -p 1883 -u username -P password -t 'test/topic'
mosquitto_pub -h target.com -p 1883 -u username -P password -t 'test/topic' -m 'authorized test'

Using AMQP

AMQP testing helps compare permissions across broker protocols.

amqp-consume --url=amqp://username:password@target.com:5672/ --queue=test-queue cat
echo 'authorized test' | amqp-publish --url=amqp://username:password@target.com:5672/ --routing-key=test-queue

Recon

Service Detection with Nmap

Scan both management and broker protocol ports.

nmap -p 8161,61616,61617,61613,61614,5672,1883,1099 -sV target.com
nmap -p 8161 --script http-title,http-headers target.com
nmap -p 8161,61617 --script ssl-cert,ssl-enum-ciphers target.com

Web Fingerprinting

Check common paths for ActiveMQ Classic, Artemis, and Hawtio consoles.

curl -i http://target.com:8161/
curl -i http://target.com:8161/admin/
curl -i http://target.com:8161/console/
curl -i http://target.com:8161/hawtio/
httpx -u http://target.com:8161 -title -tech-detect -status-code -follow-redirects

Protocol Connector Discovery

Protocol connectors may have weaker controls than the web console.

nmap -p 61616,61617,61613,61614,5672,1883 --open -sV target.com
mosquitto_sub -h target.com -p 1883 -t '$SYS/#' -C 1 -W 3
printf 'CONNECT\naccept-version:1.2\nhost:target.com\n\n\x00' | nc target.com 61613

Jolokia Discovery

Jolokia paths vary between deployments.

curl -i http://target.com:8161/api/jolokia/version
curl -i http://target.com:8161/jolokia/version
curl -u admin:password http://target.com:8161/api/jolokia/version

Version Detection

Version clues help identify outdated broker, Jetty, Hawtio, or Java components.

curl -s http://target.com:8161/admin/ | grep -Ei 'activemq|artemis|hawtio|version'
curl -u admin:password http://target.com:8161/api/jolokia/version

Enumeration

Queue Enumeration

Queues expose application workflows and pending message counts.

curl -u admin:password http://target.com:8161/admin/xml/queues.jsp
curl -u admin:password 'http://target.com:8161/api/jolokia/search/org.apache.activemq:type=Broker,brokerName=*,destinationType=Queue,destinationName=*'

Topic Enumeration

Topics may expose real-time telemetry, events, and notifications.

curl -u admin:password http://target.com:8161/admin/xml/topics.jsp
curl -u admin:password 'http://target.com:8161/api/jolokia/search/org.apache.activemq:type=Broker,brokerName=*,destinationType=Topic,destinationName=*'

Consumer and Connection Enumeration

Connections identify clients, workers, and integration sources.

curl -u admin:password http://target.com:8161/admin/xml/subscribers.jsp
curl -u admin:password http://target.com:8161/api/jolokia/list/org.apache.activemq

Message Sampling

Sample only approved queues or test topics because broker messages may contain production data.

mosquitto_sub -h target.com -p 1883 -u username -P password -t 'test/topic' -C 1
python3 stomp-consume-test.py

Permission Enumeration

Compare read, write, and admin behavior across users and protocols.

curl -u readonly:password -i http://target.com:8161/admin/xml/queues.jsp
curl -u operator:password -i http://target.com:8161/admin/xml/queues.jsp
mosquitto_sub -h target.com -p 1883 -u readonly -P password -t 'test/#' -C 1 -W 3

Attack Vectors

Exposed Web Console

The console may allow broker administration or message browsing.

httpx -l targets.txt -ports 8161 -path /admin/ -title -status-code -follow-redirects
curl -i http://target.com:8161/admin/

Default Credentials

Check default credentials only when credential testing is in scope.

# Common legacy default:
# admin:admin
curl -u admin:admin -i http://target.com:8161/admin/

Jolokia Exposure

Unauthenticated Jolokia can disclose MBeans and management operations.

curl -i http://target.com:8161/api/jolokia/list
curl -u admin:password 'http://target.com:8161/api/jolokia/search/org.apache.activemq:*'

Anonymous Protocol Access

Anonymous protocol connectors can allow message read or write access.

mosquitto_sub -h target.com -p 1883 -t '$SYS/#' -C 1 -W 3
printf 'CONNECT\naccept-version:1.2\nhost:target.com\n\n\x00' | nc target.com 61613
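The reply to the credential-less CONNECT frame above decides the finding, so it helps to parse it rather than eyeball it. This is an added example, not part of the original page; the two sample replies are constructed, and `X.Y.Z` is a placeholder version.

```python
import re


def parse_stomp_frame(raw: bytes) -> dict:
    """Parse one STOMP frame: COMMAND line, header lines, blank line, body, NUL.

    Simplification: bodies that use content-length and contain NUL bytes are
    not handled; CONNECTED and ERROR replies do not need that.
    """
    frame = raw.split(b"\x00", 1)[0].lstrip(b"\r\n")  # drop heart-beat EOLs
    parts = re.split(rb"\r?\n\r?\n", frame, maxsplit=1)
    head = parts[0].decode("utf-8", "replace")
    body = parts[1].decode("utf-8", "replace") if len(parts) > 1 else ""
    lines = [ln.rstrip("\r") for ln in head.split("\n")]
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers.setdefault(key, value)  # first occurrence wins in STOMP
    return {"command": lines[0], "headers": headers, "body": body}


def classify_connect_reply(raw: bytes) -> str:
    """Turn the reply to a CONNECT without login/passcode into a finding label."""
    if not raw.strip(b"\r\n"):
        return "no-reply"            # connector closed or timed out
    frame = parse_stomp_frame(raw)
    if frame["command"] == "CONNECTED":
        return "anonymous-accepted"  # broker opened a session without login
    if frame["command"] == "ERROR":
        return "rejected"            # authentication is enforced
    return "unexpected"              # probably not a STOMP listener


# Constructed sample replies (not captured from a real broker).
ACCEPTED = b"CONNECTED\nserver:ActiveMQ/X.Y.Z\nheart-beat:0,0\nversion:1.2\n\n\x00\n"
REJECTED = (b"ERROR\ncontent-type:text/plain\n"
            b"message:User name [null] or password is invalid.\n\n"
            b"constructed error detail\x00\n")

if __name__ == "__main__":
    for name, reply in (("accepted", ACCEPTED), ("rejected", REJECTED)):
        frame = parse_stomp_frame(reply)
        print(name, classify_connect_reply(reply), frame["headers"].get("message", ""))
```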

Message Disclosure

Unauthorized queue or topic access can expose sensitive payloads.

grep -Ei 'password|secret|token|apikey|authorization|session|credential' message-sample.txt
grep -Eio 'https?://[^ ]+|[a-zA-Z0-9.-]+\.(local|internal|corp)' message-sample.txt

Message Injection

Publish only controlled test messages to approved destinations.

mosquitto_pub -h target.com -p 1883 -u username -P password -t 'test/topic' -m 'pentest-controlled-message'
echo 'pentest-controlled-message' | amqp-publish --url=amqp://username:password@target.com:5672/ --routing-key=test-queue

Cross-Protocol Authorization Bypass

A denied action in one protocol may still work through another connector.

mosquitto_sub -h target.com -p 1883 -u user -P password -t 'orders/#' -C 1 -W 3
printf 'CONNECT\nlogin:user\npasscode:password\naccept-version:1.2\nhost:target.com\n\n\x00' | nc target.com 61613
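Comparing results across connectors (here and in Permission Enumeration) only works if the same destination is recognized under each protocol's naming. The following added example, not from the original page, normalizes MQTT and STOMP names to ActiveMQ's `type://name` form and reports where protocols disagree; the observations are constructed, and AMQP/OpenWire results are assumed to be recorded already normalized.

```python
from collections import defaultdict


def normalize(protocol: str, dest: str) -> str:
    """Map a protocol-specific destination to ActiveMQ's type://name form."""
    if protocol == "mqtt":
        # ActiveMQ maps MQTT topics onto JMS topics: '/'->'.', '+'->'*', '#'->'>'
        return "topic://" + dest.replace("/", ".").replace("+", "*").replace("#", ">")
    if protocol == "stomp":
        # STOMP destinations look like /queue/NAME or /topic/NAME
        kind, _, name = dest.lstrip("/").partition("/")
        return f"{kind}://{name}"
    return dest  # assumption: AMQP/OpenWire results recorded as type://name


def acl_mismatches(observations):
    """Group results by (user, destination, action); keep keys where protocols disagree."""
    seen = defaultdict(dict)
    for obs in observations:
        key = (obs["user"], normalize(obs["protocol"], obs["dest"]), obs["action"])
        seen[key][obs["protocol"]] = obs["allowed"]
    return {key: res for key, res in seen.items() if len(set(res.values())) > 1}


# Constructed results from an authorized test; user and names are placeholders.
OBSERVATIONS = [
    {"user": "readonly", "protocol": "mqtt", "dest": "orders/#",
     "action": "read", "allowed": True},
    {"user": "readonly", "protocol": "stomp", "dest": "/topic/orders.>",
     "action": "read", "allowed": False},
    {"user": "readonly", "protocol": "mqtt", "dest": "test/topic",
     "action": "write", "allowed": False},
    {"user": "readonly", "protocol": "stomp", "dest": "/topic/test.topic",
     "action": "write", "allowed": False},
]

if __name__ == "__main__":
    for (user, dest, action), results in acl_mismatches(OBSERVATIONS).items():
        print(f"{user} {action} {dest}: {results}")
```

Each reported key is a candidate "Inconsistent protocol ACLs" finding: the broker's authorization entries for that destination are not applied uniformly to every connector.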

Advisory Topic Leakage

Advisory topics can reveal consumers, producers, and destination activity.

mosquitto_sub -h target.com -p 1883 -u username -P password -t 'ActiveMQ/Advisory/#' -C 5 -W 5
grep -Ei 'Advisory|Consumer|Producer|Connection' activemq-destinations.txt

Post-Exploitation

Broker Impact Review

Summarize reachable destinations, operations, and identities.

curl -u admin:password http://target.com:8161/admin/xml/queues.jsp > activemq-queues.xml
curl -u admin:password http://target.com:8161/admin/xml/topics.jsp > activemq-topics.xml
curl -u admin:password 'http://target.com:8161/api/jolokia/search/org.apache.activemq:*' > activemq-mbeans.txt
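To turn the saved `activemq-queues.xml` (the same listing used under Queue Enumeration) into report-ready rows, the added example below, which is not part of the original page, ranks queues by pending messages and flags the ones worth a closer look. It assumes the `<queue name>` / `<stats size consumerCount>` layout of the ActiveMQ Classic XML listing; the sample document and queue names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed /admin/xml/queues.jsp layout (names made up).
SAMPLE_QUEUES_XML = """<queues>
  <queue name="orders.inbound">
    <stats size="42" consumerCount="0" enqueueCount="120" dequeueCount="78"/>
  </queue>
  <queue name="test-queue">
    <stats size="0" consumerCount="2" enqueueCount="5" dequeueCount="5"/>
  </queue>
  <queue name="ActiveMQ.DLQ">
    <stats size="7" consumerCount="0" enqueueCount="7" dequeueCount="0"/>
  </queue>
</queues>"""


def summarize_queues(xml_text: str) -> list:
    """Return one dict per queue, largest backlog first, with review flags."""
    rows = []
    for queue in ET.fromstring(xml_text).iter("queue"):
        stats = queue.find("stats")
        if stats is None:
            continue
        size = int(stats.get("size", 0))
        consumers = int(stats.get("consumerCount", 0))
        flags = []
        if size > 0 and consumers == 0:
            flags.append("backlog-without-consumer")  # payloads sit at rest
        if queue.get("name", "").endswith("DLQ"):
            flags.append("dead-letter-queue")         # failed payloads pile up
        rows.append({"name": queue.get("name"), "pending": size,
                     "consumers": consumers, "flags": flags})
    return sorted(rows, key=lambda r: r["pending"], reverse=True)


if __name__ == "__main__":
    for row in summarize_queues(SAMPLE_QUEUES_XML):
        print(f'{row["pending"]:>6} {row["consumers"]:>3} {row["name"]} {row["flags"]}')
```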

Sensitive Data Review

Review small samples for secrets and integration clues.

grep -Ei 'password|passwd|secret|token|jwt|apikey|authorization|jdbc|ldap' message-sample.txt
grep -Eio 'https?://[^ ]+|amqp://[^ ]+|tcp://[^ ]+|jdbc:[^ ]+' message-sample.txt
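Matches from these greps are production secrets, so evidence copied into a report should carry the category of the hit and not the value. The added example below (not from the original page) reuses the keyword list and URL schemes above to mask values in sampled lines; the sample lines are constructed.

```python
import re

KEYS = r"password|passwd|secret|token|jwt|apikey|authorization"
# key=value or "key": "value" pairs, optionally with a Bearer/Basic scheme word
KV = re.compile(
    rf'(?i)([\w-]*(?:{KEYS})[\w-]*"?\s*[:=]\s*"?(?:(?:bearer|basic)\s+)?)([^\s",;&]+)')
# user:password@host inside broker, LDAP or HTTP URLs
URL_CRED = re.compile(r'(?i)((?:https?|amqp|tcp|ldaps?)://[^\s:/@]+:)([^\s@/]+)(?=@)')


def redact(line: str):
    """Return (redacted_line, categories_found) for one sampled message line."""
    found = []

    def mask(category):
        def repl(match):
            found.append(category)
            return match.group(1) + "[REDACTED]"
        return repl

    line = URL_CRED.sub(mask("url-credential"), line)
    line = KV.sub(mask("keyword-secret"), line)
    return line, found


# Constructed sample lines standing in for message-sample.txt.
SAMPLE = [
    '{"user": "svc-orders", "password": "S3cr3t!"}',
    "Authorization: Bearer abc.def.ghi",
    "broker=amqp://svc:Pa55w0rd@mq.internal:5672/",
    "order 1001 shipped",
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(redact(sample_line))
```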

Logging Check

Generate controlled failed events and confirm they are logged.

curl -u invalid:invalid -i http://target.com:8161/admin/
mosquitto_sub -h target.com -p 1883 -u invalid -P invalid -t 'test/#' -C 1 -W 3

Common Paths

| Path | Purpose |
|------|---------|
| /admin/ | ActiveMQ Classic console |
| /admin/xml/queues.jsp | Queue XML listing |
| /admin/xml/topics.jsp | Topic XML listing |
| /admin/xml/subscribers.jsp | Subscriber XML listing |
| /api/jolokia/ | Common Jolokia endpoint |
| /jolokia/ | Alternate Jolokia endpoint |
| /console/ | Common Artemis console |
| /hawtio/ | Hawtio console |

Useful Tools

| Tool | Purpose |
|------|---------|
| nmap | Port and service detection |
| curl | Console and Jolokia testing |
| httpx | Web interface fingerprinting |
| mosquitto_sub / mosquitto_pub | MQTT tests |
| stomp.py | STOMP tests |
| amqp-tools | AMQP tests |
| tcpdump | Controlled traffic capture |

Security Misconfigurations

| Misconfiguration | Risk |
|------------------|------|
| Exposed web console | Broker administration and metadata leakage |
| Default or weak credentials | Unauthorized management access |
| Jolokia exposed | MBean and management operation exposure |
| Anonymous broker connectors | Message read/write access |
| Inconsistent protocol ACLs | Authorization bypass between connectors |
| Broad queue or topic read access | Sensitive message disclosure |
| Broad publish access | Downstream workflow manipulation |
| Advisory topic exposure | Live broker topology leakage |
| Plaintext connectors | Credential and message capture |
| Insufficient logging | Broker abuse is harder to investigate |