MQTT Pentesting

MQTT is a publish-subscribeb network protocol for the Internet of Things (IoT). Default ports are 1883, 8883 (TLS).

Enumeration

nmap --script mqtt-subscribe -p 1883 <target-ip>

Interaction

mosquitto is a MQTT utilities that include a broker and publish/subscribe clients. We use the mosquitto to interact with MQTT.

If you don’t have mosquitto in Linux, install packages.

sudo apt install -y mosquitto mosquitto-clients

Subscribe to a Topic

# -h: Host
# -t: Topic ('#' means "all topics")
# -d: Debug mode
mosquitto_sub -h example.com -t '#' -d
mosquitto_sub -h example.com -t '$SYS/#' -d
mosquitto_sub -h example.com -t path/to/topic

# local (without '-h' flag)
mosquitto_sub -t '#' -d

# -p: Port
mosquitto_sub -p 1883 -t sensors/temperature

# specify username/password
mosquitto_sub -u username -P password -t sensors/temperature

# -V: Specify protocol version (5, 31, 311 or mqttv5, mqttv31, mqttv311)
mosquitto_usb -h example.com -t 'example/topic' -V 31

To get the mosquitto’s version, run the following.

mosquitto_sub -t '$SYS/broker/version'
mosquitto_sub -h example.com -t '$SYS/broker/version'

Publish to a Topic

# Local
# -t: Topic, -p: Port, -m: Message
mosquitto_pub -t sensors/temperature -m "test message"
mosquitto_pub -p 1883 -t sensors/temperature -m "test message"
# specify username/password
mosquitto_pub -u username -P password -t sensors/temperature -m "test message"
# -d: Enable debug message
mosquitto_pub -t sensors/temperature -m "test message" -d

# Remote
mosquitto_pub -h example.com -t kitchen/sensor/thermostat -m "test message"

Analyze with Wireshark

Wireshark sniffers traffics of the MQTT interactions. Enter “mqtt” in the filter field to focus on the MQTT packets.