MQTT Pentesting

MQTT exploit and Pentesting guide for penetration tester

What is an MQTT ?

MQTT is a publish-subscribeb network protocol for the Internet of Things (IoT). Default ports are 1883, 8883 (TLS).

Enumeration

nmap --script mqtt-subscribe -p 1883,8883 <target-ip>
nmap -sC -sV -p1883,8883 <target-ip>

PORT     STATE SERVICE                 REASON
1883/tcp open  mosquitto version 1.4.8 syn-ack

Interaction

mosquitto is a MQTT utilities that include a broker and publish/subscribe clients. We use the mosquitto to interact with MQTT.

If you don’t have mosquitto in Linux, install packages.

sudo apt install -y mosquitto mosquitto-clients

Subscribe to a Topic

# -h: Host
# -t: Topic ('#' means "all topics")
# -d: Debug mode
mosquitto_sub -h example.com -t '#' -d
mosquitto_sub -h example.com -t '$SYS/#' -d
mosquitto_sub -h example.com -t path/to/topic

# local (without '-h' flag)
mosquitto_sub -t '#' -d

# -p: Port
mosquitto_sub -p 1883 -t sensors/temperature

# specify username/password
mosquitto_sub -u username -P password -t sensors/temperature

# -V: Specify protocol version (5, 31, 311 or mqttv5, mqttv31, mqttv311)
mosquitto_usb -h example.com -t 'example/topic' -V 31

To get the mosquitto’s version, run the following.

mosquitto_sub -t '$SYS/broker/version'
mosquitto_sub -h example.com -t '$SYS/broker/version'

Publish to a Topic

# Local
# -t: Topic, -p: Port, -m: Message
mosquitto_pub -t sensors/temperature -m "test message"
mosquitto_pub -p 1883 -t sensors/temperature -m "test message"
# specify username/password
mosquitto_pub -u username -P password -t sensors/temperature -m "test message"
# -d: Enable debug message
mosquitto_pub -t sensors/temperature -m "test message" -d

# Remote
mosquitto_pub -h example.com -t kitchen/sensor/thermostat -m "test message"

Shodan

port:1883 MQTT

Tools

MQTT-PWN MQTT-PWN intends to be a one-stop-shop for IoT Broker penetration-testing and security assessment operations.

references

• security cafe