MQTT Pentesting

Last modified: 2023-03-09

IoT

MQTT is a publish-subscribeb network protocol for the Internet of Things (IoT). Default ports are 1883, 8883 (TLS).

Enumeration

nmap --script mqtt-subscribe -p 1883 <target-ip>

Interaction

mosquitto is a MQTT utilities that include a broker and publish/subscribe clients.
We use the mosquitto to interact with MQTT.

If you don’t have mosquitto in Linux, install packages.

sudo apt install -y mosquitto mosquitto-clients

# -h: Host
# -t: Topic ('#' means "all topics")
# -d: Debug mode
mosquitto_sub -h example.com -t '#' -d
mosquitto_sub -h example.com -t '$SYS/#' -d
mosquitto_sub -h example.com -t path/to/topic

# local (without '-h' flag)
mosquitto_sub -t '#' -d

# -p: Port
mosquitto_sub -p 1883 -t sensors/temperature

# specify username/password
mosquitto_sub -u username -P password -t sensors/temperature

# -V: Specify protocol version (5, 31, 311 or mqttv5, mqttv31, mqttv311)
mosquitto_usb -h example.com -t 'example/topic' -V 31

To get the mosquitto’s version, run the following.

mosquitto_sub -t '$SYS/broker/version'
mosquitto_sub -h example.com -t '$SYS/broker/version'

Publish to a Topic

# Local
# -t: Topic, -p: Port, -m: Message
mosquitto_pub -t sensors/temperature -m "test message"
mosquitto_pub -p 1883 -t sensors/temperature -m "test message"
# specify username/password
mosquitto_pub -u username -P password -t sensors/temperature -m "test message"
# -d: Enable debug message
mosquitto_pub -t sensors/temperature -m "test message" -d

# Remote
mosquitto_pub -h example.com -t kitchen/sensor/thermostat -m "test message"

Analyze with Wireshark

Wireshark sniffers traffics of the MQTT interactions.
Enter “mqtt” in the filter field to focus on the MQTT packets.

Exploits related to Hardware

Others

MQTT Pentesting

Enumeration

Interaction

Subscribe to a Topic

Publish to a Topic

Analyze with Wireshark

Tools by HDKS