Exploit Notes

MQTT Pentesting

Last modified: 2023-03-09

IoT

MQTT is a publish-subscribe network protocol for the Internet of Things (IoT). Default ports are 1883 and 8883 (TLS).

Enumeration

nmap --script mqtt-subscribe -p 1883 <target-ip>

Interaction

mosquitto is a set of MQTT utilities that includes a broker and publish/subscribe clients.
We use mosquitto to interact with MQTT.

If you don't have mosquitto on Linux, install the packages.

sudo apt install -y mosquitto mosquitto-clients

Subscribe to a Topic

# -h: Host
# -t: Topic ('#' means "all topics")
# -d: Debug mode
mosquitto_sub -h example.com -t '#' -d
mosquitto_sub -h example.com -t '$SYS/#' -d
mosquitto_sub -h example.com -t path/to/topic

# local (without '-h' flag)
mosquitto_sub -t '#' -d

# -p: Port
mosquitto_sub -p 1883 -t sensors/temperature

# specify username/password
mosquitto_sub -u username -P password -t sensors/temperature

# -V: Specify protocol version (5, 31, 311 or mqttv5, mqttv31, mqttv311)
mosquitto_sub -h example.com -t 'example/topic' -V 31

To get the mosquitto broker's version, subscribe to the following topic.

mosquitto_sub -t '$SYS/broker/version'
mosquitto_sub -h example.com -t '$SYS/broker/version'

Publish to a Topic

# Local
# -t: Topic, -p: Port, -m: Message
mosquitto_pub -t sensors/temperature -m "test message"
mosquitto_pub -p 1883 -t sensors/temperature -m "test message"
# specify username/password
mosquitto_pub -u username -P password -t sensors/temperature -m "test message"
# -d: Enable debug message
mosquitto_pub -t sensors/temperature -m "test message" -d

# Remote
mosquitto_pub -h example.com -t kitchen/sensor/thermostat -m "test message"

Analyze with Wireshark

Wireshark can capture and dissect MQTT traffic.
Enter "mqtt" in the filter field to show only the MQTT packets.
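To see what Wireshark is dissecting, here is an added example (not part of the original notes) that decodes MQTT 3.1.1 CONNECT and PUBLISH packets by hand. It makes the point behind the -u/-P flags and port 8883 above: on plain 1883 the username and password in CONNECT travel in cleartext. The sample packets are constructed for the example.

```python
# Added example, not from the original notes: a minimal MQTT 3.1.1 decoder for the
# CONNECT and PUBLISH packets seen in a port-1883 capture. Samples are constructed by hand.
import struct

def remaining_length(buf, i):
    """Decode the variable-length 'remaining length' field at buf[i] (7 bits per byte)."""
    value, mult = 0, 1
    while True:
        b, i = buf[i], i + 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, i
        mult *= 128
        if mult > 128 ** 3:
            raise ValueError("malformed remaining length")

def _string(buf, i):
    """Read a 2-byte big-endian length-prefixed UTF-8 string; returns (text, next index)."""
    n = struct.unpack_from(">H", buf, i)[0]
    return buf[i + 2:i + 2 + n].decode("utf-8", "replace"), i + 2 + n

def decode_packet(buf):
    ptype, flags = buf[0] >> 4, buf[0] & 0x0F   # fixed header: type nibble + flag nibble
    length, i = remaining_length(buf, 1)
    body = buf[i:i + length]
    if ptype == 1:  # CONNECT: protocol name, level, connect flags, keepalive, then payload fields
        proto, j = _string(body, 0)
        level, cflags, keepalive = struct.unpack_from(">BBH", body, j)
        out = {"type": "CONNECT", "protocol": proto, "level": level, "keepalive": keepalive}
        out["client_id"], j = _string(body, j + 4)
        # Spec-fixed payload order: will topic, will message, username, password (cleartext on 1883).
        for flag, key in ((0x04, "will_topic"), (0x04, "will_message"), (0x80, "username"), (0x40, "password")):
            if cflags & flag:
                out[key], j = _string(body, j)
        return out
    if ptype == 3:  # PUBLISH: topic, packet id (only when QoS > 0), payload
        qos = (flags >> 1) & 0x03
        out = {"type": "PUBLISH", "qos": qos, "dup": bool(flags & 0x08), "retain": bool(flags & 0x01)}
        out["topic"], j = _string(body, 0)
        if qos > 0:
            out["packet_id"] = struct.unpack_from(">H", body, j)[0]
            j += 2
        out["payload"] = body[j:]
        return out
    return {"type": ptype, "flags": flags, "body": body}  # other packet types left undecoded

# Constructed samples: a CONNECT carrying username/password, and a QoS 1 PUBLISH.
CONNECT_SAMPLE = (b"\x10\x23\x00\x04MQTT\x04\xC2\x00\x3C"
                  b"\x00\x09sensor-01\x00\x03iot\x00\x07hunter2")
PUBLISH_SAMPLE = b"\x32\x1B\x00\x13sensors/temperature\x00\x2A21.5"
```

Feed it the raw TCP payload of one MQTT packet (Wireshark: right-click the packet, copy as hex stream) and compare the fields with what the "mqtt" dissector shows.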
