ApacheMQ


Nmap discovered what appear to be Apache ActiveMQ services on the target ports 5672, 61613, and 61616. The initial Nmap scan result left an ambiguous impression, as those ports all appear to be related to one another.

┌──(kali㉿kali)-[~/archive/htb/labs/broker]
└─$ nmap -Pn -sV --script amqp-info -p5672,61613,61616 $IP                   
starting nmap 7.94 ( https://nmap.org ) at 2023-12-13 19:30 CET
Nmap scan report for 10.10.11.243
Host is up (0.13s latency).
 
PORT      STATE SERVICE  VERSION
5672/tcp  open  amqp?
|_amqp-info: ERROR: AQMP:handshake expected header (1) frame, but was 65
| fingerprint-strings: 
|   dnsstatusrequesttcp, dnsversionbindreqtcp, getrequest, httpoptions, rpccheck, rtsprequest, sslsessionreq, terminalservercookie: 
|     AMQP
|     AMQP
|     amqp:decode-error
|_    7Connection from client using unsupported AMQP attempted
61613/tcp open  stomp    Apache ActiveMQ
| fingerprint-strings: 
|   help4stomp: 
|     ERROR
|     content-type:text/plain
|     message:Unknown STOMP action: HELP
|     org.apache.activemq.transport.stomp.protocolexception: Unknown STOMP action: HELP
|     org.apache.activemq.transport.stomp.protocolconverter.onstompcommand(protocolconverter.java:258)
|     org.apache.activemq.transport.stomp.stomptransportfilter.oncommand(stomptransportfilter.java:85)
|     org.apache.activemq.transport.transportsupport.doconsume(transportsupport.java:83)
|     org.apache.activemq.transport.tcp.tcptransport.dorun(tcptransport.java:233)
|     org.apache.activemq.transport.tcp.tcptransport.run(tcptransport.java:215)
|_    java.lang.thread.run(thread.java:750)
61616/tcp open  apachemq ActiveMQ OpenWire transport
| fingerprint-strings: 
|   null: 
|     ActiveMQ
|     TcpNoDelayEnabled
|     SizePrefixDisabled
|     CacheSize
|     ProviderName 
|     ActiveMQ
|     StackTraceEnabled
|     PlatformDetails 
|     Java
|     CacheEnabled
|     TightEncodingEnabled
|     MaxFrameSize
|     MaxInactivityDuration
|     MaxInactivityDurationInitalDelay
|     ProviderVersion 
|_    5.15.15
service detection performed. please report any incorrect results at https://nmap.org/submit/ .
nmap done: 1 IP address (1 host up) scanned in 41.95 seconds

The target system has been identified as hosting an instance of Apache ActiveMQ. The target ports 5672 (AMQP), 61613 (STOMP), and 61616 (OpenWire) are all part of the Apache ActiveMQ stack.

Additionally, the ActiveMQ OpenWire transport service leaked the version of the instance, 5.15.15 (the `ProviderVersion` field in the scan output above), which has been identified as vulnerable to [[Broker_CVE-2023-46604#[CVE-2023-46604](https //nvd.nist.gov/vuln/detail/CVE-2023-46604)|RCE]]
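
The version check above can be reproduced from a captured OpenWire banner when auditing your own brokers. The following is an added example, not part of the original notes: it pulls `ProviderVersion` out of a WireFormatInfo frame and compares it with the first patched releases named in the Apache advisory for CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6, 5.18.3). The byte layout of the property (type byte `0x09`, then a 2-byte length) is an assumption, and the sample banner is constructed.

```python
import re
import struct

# First patched release per branch (Apache advisory for CVE-2023-46604).
FIXED = {(5, 15): 16, (5, 16): 7, (5, 17): 6, (5, 18): 3}

def provider_version(banner: bytes):
    """Return ProviderVersion from an OpenWire WireFormatInfo frame, or None.

    Assumed layout: 4-byte frame length, type byte 0x01, magic "ActiveMQ",
    then properties where a string value is 0x09 + 2-byte length + UTF-8.
    """
    if banner[4:13] != b"\x01ActiveMQ":
        return None  # not an OpenWire greeting (e.g. the AMQP port)
    m = re.search(rb"ProviderVersion\x09(..)", banner, re.S)
    if not m:
        return None
    (length,) = struct.unpack(">H", m.group(1))
    value = banner[m.end():m.end() + length]
    if len(value) != length:
        return None  # truncated capture
    return value.decode("utf-8", "replace")

def is_affected(version: str):
    """True/False for a parseable x.y.z version, None if it cannot be judged."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = map(int, m.groups())
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    return (major, minor) < (5, 15)  # older branches predate the fix

def _utf(text: str) -> bytes:
    raw = text.encode()
    return struct.pack(">H", len(raw)) + raw

def build_sample(version: str) -> bytes:
    """Constructed banner for offline testing, not a real capture."""
    props = struct.pack(">i", 2) + _utf("ProviderName") + b"\x09" + _utf("ActiveMQ")
    props += _utf("ProviderVersion") + b"\x09" + _utf(version)
    body = b"\x01ActiveMQ" + struct.pack(">i", 12) + b"\x01"
    body += struct.pack(">i", len(props)) + props
    return struct.pack(">i", len(body)) + body

if __name__ == "__main__":
    found = provider_version(build_sample("5.15.15"))
    print(found, "affected" if is_affected(found) else "not affected")
```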