Now that we have seen how to secure our message broker, we also need to test that our setup is indeed in place and really prevents attackers from bringing down the message broker or stealing messages. For this reason, you can build your own custom tool for penetration testing of the message broker, which performs the following functions:
It checks whether the guest/guest user is present and whether it can perform administrative activities.
It tries to brute-force passwords for an existing set of users, either based on a password generation policy or using a predefined password database.
It tries to access prohibited vhosts from a particular set of users.
It uses nmap to check whether the management console and RabbitMQ communication ports are visible; this step may include checks on ports that are exposed by RabbitMQ plugins.
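The first and third checks can also be run offline against a definitions export of your own broker, without any login attempts. The following sketch is an added example, not code from the original text; the function names, the allowed-vhost policy, and the sample export are constructed for illustration, and it assumes the default rabbit_password_hashing_sha256 scheme (a 4-byte salt followed by SHA-256 of salt plus password, Base64-encoded).

```python
import base64
import hashlib

ALGO = "rabbit_password_hashing_sha256"  # RabbitMQ's default hashing algorithm

def rabbit_sha256(password, salt):
    """Return base64(salt + sha256(salt + password)) for a 4-byte salt."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")

def has_password(user, candidate):
    """True if the exported hash of this user corresponds to the candidate password."""
    if user.get("hashing_algorithm", ALGO) != ALGO:
        return False  # other algorithms are not evaluated in this sketch
    raw = base64.b64decode(user.get("password_hash", ""))
    return len(raw) == 36 and rabbit_sha256(candidate, raw[:4]) == user["password_hash"]

def tags_of(user):
    tags = user.get("tags", [])  # a comma-separated string or a list, depending on version
    return set(tags.split(",")) if isinstance(tags, str) else set(tags)

def audit(definitions, allowed_vhosts):
    """Flag a privileged or default guest account and grants outside the vhost policy."""
    findings = []
    for user in definitions.get("users", []):
        if user["name"] != "guest":
            continue
        if "administrator" in tags_of(user):
            findings.append("guest has the administrator tag")
        if has_password(user, "guest"):
            findings.append("guest still has the default password")
    for perm in definitions.get("permissions", []):
        # "" and "^$" match no resource names, so they grant nothing
        granted = any(perm.get(k, "") not in ("", "^$") for k in ("configure", "write", "read"))
        if granted and perm["vhost"] not in allowed_vhosts.get(perm["user"], set()):
            findings.append(f"{perm['user']} has permissions on prohibited vhost {perm['vhost']}")
    return findings

# Constructed sample export and policy (hypothetical users and vhosts)
SAMPLE = {
    "users": [
        {"name": "guest", "password_hash": rabbit_sha256("guest", b"\x01\x02\x03\x04"),
         "hashing_algorithm": ALGO, "tags": "administrator"},
        {"name": "orders", "password_hash": rabbit_sha256("constructed-secret", b"\x0a\x0b\x0c\x0d"),
         "hashing_algorithm": ALGO, "tags": []},
    ],
    "permissions": [
        {"user": "orders", "vhost": "orders", "configure": "", "write": ".*", "read": ".*"},
        {"user": "orders", "vhost": "billing", "configure": "^$", "write": "^$", "read": ".*"},
    ],
}
POLICY = {"orders": {"orders"}}  # user -> vhosts that user is allowed to reach

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, POLICY)) or "no findings")
```

An empty result means the export shows neither a default or privileged guest account nor a grant outside the policy; port visibility still has to be checked from the network side.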