AWS - MQ Enum
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Amazon MQ
Introduction to Message Brokers
Message brokers serve as intermediaries, facilitating communication between different software systems, which may be built on varied platforms and programmed in different languages. Amazon MQ simplifies the deployment, operation, and maintenance of message brokers on AWS. It provides managed services for Apache ActiveMQ and RabbitMQ, ensuring seamless provisioning and automatic software version updates.
AWS - RabbitMQ
RabbitMQ is a prominent message-queueing software, also known as a message broker or queue manager. It's fundamentally a system where queues are configured. Applications interface with these queues to send and receive messages. Messages in this context can carry a variety of information, ranging from commands to initiate processes on other applications (potentially on different servers) to simple text messages. The messages are held by the queue-manager software until they are retrieved and processed by a receiving application. AWS provides an easy-to-use solution for hosting and managing RabbitMQ servers.
AWS - ActiveMQ
Apache ActiveMQ® is a leading open-source, Java-based message broker known for its versatility. It supports multiple industry-standard protocols, offering extensive client compatibility across a wide array of languages and platforms. Users can:
- Connect with clients written in JavaScript, C, C++, Python, .NET, and more.
- Leverage the AMQP protocol to integrate applications from different platforms.
- Use STOMP over WebSockets for web application message exchanges.
- Manage IoT devices with MQTT.
- Maintain existing JMS infrastructure and extend its capabilities.
ActiveMQ's robustness and flexibility make it suitable for a multitude of messaging requirements.
Enumeration
# List brokers
aws mq list-brokers
# Get broker info
aws mq describe-broker --broker-id <broker-id>
## Find the endpoints in .BrokerInstances
## Check whether the broker is publicly accessible in .PubliclyAccessible
# List usernames (only for ActiveMQ)
aws mq list-users --broker-id <broker-id>
# Get user info (PASSWORD NOT INCLUDED)
aws mq describe-user --broker-id <broker-id> --username <username>
# List configurations (only for ActiveMQ)
aws mq list-configurations
## Shows whether simple or LDAP authentication is used
# Create ActiveMQ user
aws mq create-user --broker-id <value> --password <value> --username <value> --console-access
warning
TODO: Indicate how to enumerate RabbitMQ and ActiveMQ internally and how to listen in all queues and send data (send PR if you know how to do this)
Privesc
Unauthenticated Access
Persistence
If you know the credentials to access the RabbitMQ web console, you can create a new user with admin privileges.
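A defender-side audit of the fields the enumeration commands above return, which also flags the kind of extra user described under Persistence; this is an added example, not code from the original page. The JSON is constructed sample data shaped like `aws mq describe-broker` and `aws mq describe-user` output, and `exposed_ports`, `audit_broker` and the approved-user list are hypothetical names.

```python
import json
from urllib.parse import urlsplit

# Constructed sample shaped like `aws mq describe-broker` output (not real data).
SAMPLE_BROKER = json.loads("""{
  "BrokerId": "b-EXAMPLE", "BrokerName": "orders", "EngineType": "ACTIVEMQ",
  "PubliclyAccessible": true, "AuthenticationStrategy": "SIMPLE",
  "BrokerInstances": [{"Endpoints": [
      "ssl://b-EXAMPLE-1.mq.us-east-1.amazonaws.com:61617",
      "mqtt+ssl://b-EXAMPLE-1.mq.us-east-1.amazonaws.com:8883"]}],
  "Users": [{"Username": "app"}, {"Username": "svc-backup"}]
}""")
# Constructed `aws mq describe-user` results, keyed by username.
SAMPLE_USERS = {"app": {"ConsoleAccess": False},
                "svc-backup": {"ConsoleAccess": True}}

def exposed_ports(broker):
    """Collect listener ports from every instance's Endpoints list."""
    ports = set()
    for inst in broker.get("BrokerInstances", []):
        for endpoint in inst.get("Endpoints", []):
            port = urlsplit(endpoint).port
            if port:
                ports.add(port)
    return sorted(ports)

def audit_broker(broker, users, expected_users):
    """Return (severity, message) findings for one broker."""
    name = broker.get("BrokerName") or broker.get("BrokerId", "?")
    findings = []
    if broker.get("PubliclyAccessible"):
        findings.append(("HIGH", f"{name}: publicly accessible on ports {exposed_ports(broker)}"))
    if broker.get("AuthenticationStrategy") == "SIMPLE":
        findings.append(("INFO", f"{name}: simple auth, users are local to the broker"))
    for entry in broker.get("Users", []):
        user = entry["Username"]
        if user not in expected_users:
            findings.append(("HIGH", f"{name}: user '{user}' is not in the approved list"))
        if users.get(user, {}).get("ConsoleAccess"):
            findings.append(("MEDIUM", f"{name}: user '{user}' has web console access"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_broker(SAMPLE_BROKER, SAMPLE_USERS, {"app"}):
        print(f"{severity:6} {message}")
```

Feed it the real command output per broker and keep the approved-user list in version control, so a user added outside the normal change process shows up as a HIGH finding.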