RabbitMQ / AMQP
aka amqp
Message broker — AMQP on 5672 and a management web UI on 15672. Default guest:guest often works; the UI and the Erlang cookie lead to queue data, stored creds and node RCE.
Ports
| Port | Proto | Notes |
|---|---|---|
| 5672 | tcp | AMQP |
| 15672 | tcp | Management web UI |
| 25672 | tcp | Erlang distribution / clustering |
Fingerprint
- 'RabbitMQ Management' login on 15672
- nmap amqp-info script returns version + mechanisms
Key files
| Path | Holds | Sensitive |
|---|---|---|
| /var/lib/rabbitmq/.erlang.cookie | Erlang cluster secret → node RCE | sensitive |
Default / weak creds
guest / guest (works from localhost by default; sometimes remotely)
Exploitation primitives
- guest:guest into the management UI (15672) → read queues, exchanges, users
- Messages in queues often carry credentials and internal data
- Erlang cookie → connect to the node distribution port for code execution
Overview
RabbitMQ brokers messages over AMQP (5672) with a management UI on 15672. Default guest:guest and message contents are the usual wins; the Erlang cookie escalates to node RCE.
Enumeration
AMQP info:
nmap -p5672 --script amqp-info <TARGET>
Log into the management UI (try guest:guest):
http://<TARGET>:15672/
List users/queues via the HTTP API:
curl -su guest:guest http://<TARGET>:15672/api/users | jq
Loot queue messages
Drain a queue (messages often hold creds):
curl -su guest:guest -H "content-type:application/json" -d '{"count":10,"ackmode":"ack_requeue_true","encoding":"auto"}' http://<TARGET>:15672/api/queues/%2f/<queue>/get
Erlang cookie → RCE
With .erlang.cookie, connect to the node and run commands as the rabbitmq user via rabbitmqctl eval or an Erlang distribution client.
Hardening
Remove the guest account (or restrict to localhost), protect the Erlang cookie, and firewall 15672/25672.
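A local audit for the guest and cookie points above, plus the exposure of the management listener. This is an added example, not code from the original page or the RabbitMQ project. It assumes the new-style rabbitmq.conf format and an enabled management plugin; the function names and sample configs are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_conf(text):
    """Return findings for rabbitmq.conf text (new-style key = value format)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    findings = []
    # guest is loopback-only by default; either of these settings lifts that.
    if (settings.get("loopback_users") == "none"
            or settings.get("loopback_users.guest") == "false"):
        findings.append("guest may log in from remote hosts")
    # Assumes the management plugin is enabled; with no management.tcp.ip
    # it listens on every interface.
    if settings.get("management.tcp.ip", "0.0.0.0") in ("0.0.0.0", "::"):
        findings.append("management UI on all interfaces: firewall 15672 or bind it")
    return findings

def audit_cookie(path):
    """Flag an Erlang cookie that group or other can read or write."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return ["%s has mode %o, expected owner-only (400 or 600)" % (path, mode)]
    return []

def demo_cookie(mode):
    """Create a throwaway cookie file with the given mode and audit it."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"CONSTRUCTED-COOKIE-VALUE")
    os.close(fd)
    os.chmod(path, mode)
    try:
        return audit_cookie(path)
    finally:
        os.remove(path)

# Constructed samples: a weak config next to a corrected one.
WEAK_CONF = "loopback_users = none\nmanagement.tcp.port = 15672\n"
HARDENED_CONF = ("# UI reachable through an SSH tunnel or reverse proxy only\n"
                 "loopback_users.guest = true\n"
                 "management.tcp.ip = 127.0.0.1\n")

if __name__ == "__main__":
    print(audit_conf(WEAK_CONF), audit_conf(HARDENED_CONF))
    print(demo_cookie(0o644), demo_cookie(0o400))
```

On a real node, point audit_cookie at /var/lib/rabbitmq/.erlang.cookie and audit_conf at the contents of the node's rabbitmq.conf.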