Links

AWS - MQ Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:

Amazon MQ

Introduction to Message Brokers

Message brokers serve as intermediaries, facilitating communication between different software systems, which may be built on varied platforms and programmed in different languages. Amazon MQ simplifies the deployment, operation, and maintenance of message brokers on AWS. It provides managed services for Apache ActiveMQ and RabbitMQ, ensuring seamless provisioning and automatic software version updates.

AWS - RabbitMQ

RabbitMQ is a prominent message-queueing software, also known as a message broker or queue manager. It's fundamentally a system where queues are configured. Applications interface with these queues to send and receive messages. Messages in this context can carry a variety of information, ranging from commands to initiate processes on other applications (potentially on different servers) to simple text messages. The messages are held by the queue-manager software until they are retrieved and processed by a receiving application. AWS provides an easy-to-use solution for hosting and managing RabbitMQ servers.

AWS - ActiveMQ

Apache ActiveMQ® is a leading open-source, Java-based message broker known for its versatility. It supports multiple industry-standard protocols, offering extensive client compatibility across a wide array of languages and platforms. Users can:
  • Connect with clients written in JavaScript, C, C++, Python, .Net, and more.
  • Leverage the AMQP protocol to integrate applications from different platforms.
  • Use STOMP over websockets for web application message exchanges.
  • Manage IoT devices with MQTT.
  • Maintain existing JMS infrastructure and extend its capabilities.
ActiveMQ's robustness and flexibility make it suitable for a multitude of messaging requirements.

Enumeration

# List brokers
aws mq list-brokers
# Get broker info
aws mq describe-broker --broker-id <broker-id>
## Find endpoints in .BrokerInstances
## Find if public accessible in .PubliclyAccessible
# List usernames (only for ActiveMQ)
aws mq list-users --broker-id <broker-id>
# Get user info (PASSWORD NOT INCLUDED)
aws mq describe-user --broker-id <broker-id> --username <username>
# Lits configurations (only for ActiveMQ)
aws mq list-configurations
## Here you can find if simple or LDAP authentication is used
# Creacte Active MQ user
aws mq create-user --broker-id <value> --password <value> --username <value> --console-access
TODO: Indicate how to enumerate RabbitMQ and ActiveMQ internally and how to listen in all queues and send data (send PR if you know how to do this)

Privesc

Unauthenticated Access

Persistence

If you know the credentials to access the RabbitMQ web console, you can create a new user qith admin privileges.

References

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks: