kh4sh3i / MQTT-Pentesting

MQTT exploit and pentesting guide for penetration testers




MQTT Pentesting


What is MQTT?

MQTT is a publish-subscribe network protocol for the Internet of Things (IoT). The default ports are 1883 (plaintext) and 8883 (TLS).

Enumeration

nmap --script mqtt-subscribe -p 1883,8883 <target-ip>
nmap -sC -sV -p1883,8883 <target-ip>
PORT     STATE SERVICE                 REASON
1883/tcp open  mosquitto version 1.4.8 syn-ack

Interaction

Mosquitto is a set of MQTT utilities that includes a broker and publish/subscribe clients. We use the Mosquitto clients to interact with MQTT.

If Mosquitto is not installed on your Linux system, install the packages.

sudo apt install -y mosquitto mosquitto-clients

Subscribe to a Topic

# -h: Host
# -t: Topic ('#' means "all topics")
# -d: Debug mode
mosquitto_sub -h example.com -t '#' -d
mosquitto_sub -h example.com -t '$SYS/#' -d
mosquitto_sub -h example.com -t path/to/topic

# local (without '-h' flag)
mosquitto_sub -t '#' -d

# -p: Port
mosquitto_sub -p 1883 -t sensors/temperature

# specify username/password
mosquitto_sub -u username -P password -t sensors/temperature

# -V: Specify protocol version (5, 31, 311 or mqttv5, mqttv31, mqttv311)
mosquitto_sub -h example.com -t 'example/topic' -V 31

To get the Mosquitto broker's version, run the following.

mosquitto_sub -t '$SYS/broker/version'
mosquitto_sub -h example.com -t '$SYS/broker/version'

Publish to a Topic

# Local
# -t: Topic, -p: Port, -m: Message
mosquitto_pub -t sensors/temperature -m "test message"
mosquitto_pub -p 1883 -t sensors/temperature -m "test message"
# specify username/password
mosquitto_pub -u username -P password -t sensors/temperature -m "test message"
# -d: Enable debug message
mosquitto_pub -t sensors/temperature -m "test message" -d

# Remote
mosquitto_pub -h example.com -t kitchen/sensor/thermostat -m "test message"
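
The subscribe and publish commands above succeed without credentials only when the broker allows anonymous clients and enforces no topic ACL. As an added example (not part of the original repository), this shell function audits a mosquitto.conf for those settings; the finding labels are made up for this example, the sample config is constructed, and auth plugins are not considered.

```shell
#!/usr/bin/env bash
# Added example: audit a mosquitto.conf for the settings that permit the
# unauthenticated subscribe/publish shown above. One finding per output line.
# Assumption: authentication and ACLs come from password_file/acl_file,
# not from an auth plugin.

audit_mosquitto_conf() {
    local conf="$1"
    awk '
        # Skip blank lines and comments; each setting is "key value" on a line.
        NF == 0 || $1 ~ /^#/ { next }
        $1 == "allow_anonymous" { anon = $2 }
        $1 == "password_file"   { pw = 1 }
        $1 == "acl_file"        { acl = 1 }
        $1 == "certfile"        { tls = 1 }
        END {
            if (anon == "true")
                print "ANON: allow_anonymous true lets clients connect without credentials"
            else if (anon == "")
                print "ANON_DEFAULT: allow_anonymous not set; Mosquitto before 2.0 defaults to true"
            if (!pw)
                print "NO_PASSWORD_FILE: no password_file, so no username/password check"
            if (!acl)
                print "NO_ACL: no acl_file, any connected client may read # and $SYS/#"
            if (!tls)
                print "PLAINTEXT: no certfile, credentials and messages are sent unencrypted"
        }
    ' "$conf"
}

# Constructed sample config that would allow the anonymous access shown above.
weak_conf=$(mktemp)
printf '%s\n' '# constructed sample' 'listener 1883' 'allow_anonymous true' > "$weak_conf"
audit_mosquitto_conf "$weak_conf"
rm -f "$weak_conf"
```

A config that sets allow_anonymous false, password_file, acl_file and certfile/keyfile produces no findings.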

Shodan

port:1883 MQTT

Tools

MQTT-PWN: MQTT-PWN intends to be a one-stop shop for IoT broker penetration testing and security assessment operations.


License:Creative Commons Zero v1.0 Universal