MQTT Pentesting
Last modified: 2023-03-09
MQTT is a publish-subscribeb network protocol for the Internet of Things (IoT). Default ports are 1883, 8883 (TLS).
Enumeration
nmap --script mqtt-subscribe -p 1883 <target-ip>
Interaction
mosquitto is a MQTT utilities that include a broker and publish/subscribe clients.
We use the mosquitto to interact with MQTT.
If you don’t have mosquitto in Linux, install packages.
sudo apt install -y mosquitto mosquitto-clients
Subscribe to a Topic
# -h: Host
# -t: Topic ('#' means "all topics")
# -d: Debug mode
mosquitto_sub -h example.com -t '#' -d
mosquitto_sub -h example.com -t '$SYS/#' -d
mosquitto_sub -h example.com -t path/to/topic
# local (without '-h' flag)
mosquitto_sub -t '#' -d
# -p: Port
mosquitto_sub -p 1883 -t sensors/temperature
# specify username/password
mosquitto_sub -u username -P password -t sensors/temperature
# -V: Specify protocol version (5, 31, 311 or mqttv5, mqttv31, mqttv311)
mosquitto_usb -h example.com -t 'example/topic' -V 31
To get the mosquitto’s version, run the following.
mosquitto_sub -t '$SYS/broker/version'
mosquitto_sub -h example.com -t '$SYS/broker/version'
Publish to a Topic
# Local
# -t: Topic, -p: Port, -m: Message
mosquitto_pub -t sensors/temperature -m "test message"
mosquitto_pub -p 1883 -t sensors/temperature -m "test message"
# specify username/password
mosquitto_pub -u username -P password -t sensors/temperature -m "test message"
# -d: Enable debug message
mosquitto_pub -t sensors/temperature -m "test message" -d
# Remote
mosquitto_pub -h example.com -t kitchen/sensor/thermostat -m "test message"
Analyze with Wireshark
Wireshark sniffers traffics of the MQTT interactions.
Enter “mqtt” in the filter field to focus on the MQTT packets.
