MQTT
Theory
MQTT (Message Queuing Telemetry Transport) is a lightweight, publish-subscribe network protocol designed for IoT (Internet of Things) devices. It enables low-bandwidth, real-time communication between clients and a broker. MQTT is widely used in IoT applications, such as smart home systems, health monitors, and industrial automation.
Pentesters often target MQTT brokers to exploit weaknesses in authentication, authorization, encryption, and message integrity, as these systems may expose sensitive data or allow attackers to manipulate device behavior.
Requirements
Hardware
Laptop or PC to run pentesting tools.
Access to MQTT broker/IoT device network for testing.
Software
mosquitto_pub and mosquitto_sub (MQTT client utilities for publishing/subscribing messages).
MQTT-Explorer (GUI tool for analyzing MQTT topics and messages).
Wireshark (for network packet analysis).
Nmap (for discovering MQTT services).
Burp Suite (for traffic manipulation, useful if MQTT uses web interfaces or APIs).
Cheat Sheet
Common Attacks
Discovering MQTT Broker
MQTT brokers typically listen on TCP port 1883 (unencrypted) or 8883 (TLS/SSL). The first step in pentesting an MQTT environment is identifying the broker and verifying if it is publicly
Command Example (Discovering MQTT Broker via Nmap):
This scans for open MQTT ports on the target IP and reports service details.
Subscribing to MQTT Topics
Once the broker is identified, you can subscribe to topics and listen for messages. If the broker allows anonymous access or lacks proper authentication, an attacker can monitor sensitive data being transmitted between IoT devices.
Command Example (Subscribing to All Topics):
This subscribes to all topics (# is a wildcard) on the broker, displaying message content in real time.
Publishing Malicious Messages
Attackers can publish malicious commands to control IoT devices if the broker has weak or no authorization mechanisms. For example, you could control a smart home device by publishing messages on its control topics.
Command Example (Publishing a Message to a Topic):
This command publishes the message "off" to the home/lights topic, potentially turning off the smart lights.
Brute-Forcing MQTT Credentials
Some MQTT brokers require authentication, but weak credentials can often be brute-forced. By using common username/password combinations, an attacker might gain access to the broker.
Command Example (Brute-Forcing MQTT Credentials with Hydra):
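The three weaknesses above (anonymous access, publishing without authorization, and guessable credentials) are all broker configuration problems. The following checker, added here as an example and not part of the original cheat sheet, lints a Mosquitto configuration for them. It uses real mosquitto.conf directives (listener, allow_anonymous, password_file, acl_file, cafile/certfile/keyfile); the two sample configurations are constructed, and the file paths in the hardened one are placeholders.

```python
"""Lint a mosquitto.conf for the weaknesses an MQTT pentest looks for.

Added example. The two configurations below are constructed samples; the
certificate and password file paths are placeholders, not a real deployment.
"""
from typing import Dict, List

# Constructed sample: a broker as often found on an IoT network
WEAK_CONF = """
listener 1883
allow_anonymous true
"""

# Constructed sample: the same broker with the corrections applied
HARDENED_CONF = """
listener 8883
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/broker.crt
keyfile /etc/mosquitto/broker.key
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
"""


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Parse 'key value' lines, dropping comments; a key may appear more than once."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key, []).append(value.strip())
    return settings


def lint_mosquitto_conf(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    s = parse_conf(text)
    findings = []
    # An explicit 'true' lets anyone connect, subscribe to '#' and publish.
    # (The default changed in Mosquitto 2.0, so only the explicit value is flagged here.)
    if "true" in s.get("allow_anonymous", []):
        findings.append("allow_anonymous true: anyone can connect, subscribe to '#' and publish")
    if not any(k in s for k in ("password_file", "auth_plugin", "plugin")):
        findings.append("no password_file or auth plugin: clients are not authenticated")
    if "acl_file" not in s:
        findings.append("no acl_file: authenticated clients may publish/subscribe to any topic")
    listeners = s.get("listener", [])
    for value in listeners:
        port = value.split()[0]
        if port == "1883":
            findings.append("listener 1883 without TLS: credentials and payloads cross the network in cleartext")
    if listeners and "certfile" not in s:
        findings.append("no certfile/keyfile: no listener offers TLS")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint_mosquitto_conf(conf) or ["no findings"])
```

The weak configuration produces five findings; the hardened one produces none. Brute-forcing in particular is addressed by the password_file plus a TLS listener, and the ACL file limits what a guessed account can do.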
Exploiting Insecure MQTT Connections (Man-in-the-Middle Attack)
If the broker uses unencrypted connections (on port 1883), you can perform a man-in-the-middle (MITM) attack by capturing MQTT traffic and injecting commands or stealing data.
Command Example (Wireshark Capture Filter for MQTT Traffic):
This captures unencrypted MQTT traffic, allowing you to inspect and manipulate messages.
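What a capture on port 1883 exposes is visible in the very first packet of a session: the CONNECT packet carries the client ID and, if the username/password flags are set, the credentials as length-prefixed fields. The decoder below is an added example, not code from the original page; it builds a constructed MQTT 3.1.1 CONNECT packet, parses it the way a monitoring tool would, and reports when credentials are travelling over a non-TLS connection. The client ID and credential values are constructed samples.

```python
"""Decode an MQTT 3.1.1 CONNECT packet and report credentials sent in the clear.

Added example; the packet bytes are constructed here, not captured from a real broker.
"""
import struct


def _encode_field(data: bytes) -> bytes:
    # MQTT length-prefixed field: 2-byte big-endian length followed by the bytes
    return struct.pack(">H", len(data)) + data


def _encode_remaining_length(n: int) -> bytes:
    # Variable-length integer from the fixed header (7 bits per byte, MSB = continuation)
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def build_connect(client_id: str, username: str = None, password: str = None,
                  keepalive: int = 60) -> bytes:
    """Construct a CONNECT packet (sample input for the parser below)."""
    flags = 0x02  # clean session
    payload = _encode_field(client_id.encode())
    if username is not None:
        flags |= 0x80  # username flag
        payload += _encode_field(username.encode())
    if password is not None:
        flags |= 0x40  # password flag
        payload += _encode_field(password.encode())
    var_header = _encode_field(b"MQTT") + bytes([0x04, flags]) + struct.pack(">H", keepalive)
    body = var_header + payload
    return bytes([0x10]) + _encode_remaining_length(len(body)) + body  # 0x10 = CONNECT


def _decode_remaining_length(data: bytes, pos: int):
    multiplier, value = 1, 0
    while True:
        byte = data[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")


def _decode_field(data: bytes, pos: int):
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + length], pos + length


def parse_connect(packet: bytes) -> dict:
    """Return the CONNECT fields a defender cares about (client id, credentials present?)."""
    if packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _decode_remaining_length(packet, 1)
    if pos + remaining > len(packet):
        raise ValueError("truncated packet")
    proto, pos = _decode_field(packet, pos)
    level, flags = packet[pos], packet[pos + 1]
    pos += 2
    (keepalive,) = struct.unpack_from(">H", packet, pos)
    pos += 2
    client_id, pos = _decode_field(packet, pos)
    info = {
        "protocol": proto.decode(), "level": level, "keepalive": keepalive,
        "client_id": client_id.decode(), "clean_session": bool(flags & 0x02),
        "username": None, "password": None,
    }
    if flags & 0x04:  # will flag: skip will topic and will message
        _, pos = _decode_field(packet, pos)
        _, pos = _decode_field(packet, pos)
    if flags & 0x80:
        username, pos = _decode_field(packet, pos)
        info["username"] = username.decode()
    if flags & 0x40:
        password, pos = _decode_field(packet, pos)
        info["password"] = password.decode(errors="replace")  # binary data in the spec
    return info


def cleartext_credentials(packet: bytes, tls: bool) -> bool:
    """True when a CONNECT on a non-TLS listener carries a username or password."""
    info = parse_connect(packet)
    return not tls and (info["username"] is not None or info["password"] is not None)


if __name__ == "__main__":
    sample = build_connect("sensor-01", "admin", "admin123")  # constructed sample
    print(parse_connect(sample))
    print("credentials in the clear:", cleartext_credentials(sample, tls=False))
```

Moving the listener to 8883 with TLS is the fix; the same bytes are then inside the TLS record layer and the capture filter from the page shows only the handshake.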
Denial of Service (DoS) Attack on MQTT Broker
Flooding the broker with excessive publish/subscribe requests can overwhelm it, causing a denial-of-service (DoS) and preventing legitimate devices from communicating.
Command Example (Flooding MQTT Topics with Junk Data):
This loop repeatedly publishes junk data to overwhelm the broker.
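Both the wildcard subscription from the earlier section and the publish/connect flood leave a trail in the broker log. The detector below is an added example, not code from the page: it reads log lines written in the format Mosquitto uses for "New connection", "New client connected" and subscribe events, flags anonymous clients that subscribe to wildcard topics, and flags a source IP that opens more than a threshold of connections within a short window. The log lines are constructed, the IPs and client IDs are samples, and the threshold and window are assumptions to tune per deployment.

```python
"""Detect wildcard subscriptions by anonymous clients and connection floods in a broker log.

Added example. The log lines are constructed in the shape of Mosquitto's log output;
IP addresses, client IDs and thresholds are samples, not from a real incident.
"""
import re
from collections import defaultdict, deque
from typing import List

# Constructed sample log: one anonymous subscriber to '#', one authenticated gateway,
# then a burst of connections from a single source.
SAMPLE_LOG = [
    "1700000000: New connection from 10.0.0.5:51234 on port 1883.",
    "1700000000: New client connected from 10.0.0.5:51234 as mqtt-explorer (p2, c1, k60).",
    "1700000001: mqtt-explorer 0 #",
    "1700000002: New connection from 10.0.0.9:40001 on port 1883.",
    "1700000002: New client connected from 10.0.0.9:40001 as gateway-7 (p2, c1, k60, u'gateway').",
    "1700000002: gateway-7 1 home/lights/status",
] + [
    f"{1700000005 + i // 15}: New connection from 10.0.0.66:{3000 + i} on port 1883."
    for i in range(30)
]

NEWCONN = re.compile(r"^(\d+): New connection from ([\d.]+):\d+ on port (\d+)\.$")
CONNECTED = re.compile(r"^(\d+): New client connected from ([\d.]+):\d+ as (\S+) \(([^)]*)\)\.$")
SUBSCRIBE = re.compile(r"^(\d+): (\S+) ([012]) (\S+)$")  # '<client> <qos> <topic>'


def analyze(lines: List[str], flood_threshold: int = 20, window: int = 5) -> List[str]:
    """Return findings in the order they are detected."""
    anonymous = set()                 # client IDs that connected without a username
    recent = defaultdict(deque)       # source IP -> timestamps of recent new connections
    flooded = set()                   # IPs already reported, to avoid repeating the finding
    findings = []
    for line in lines:
        m = NEWCONN.match(line)
        if m:
            ts, ip = int(m.group(1)), m.group(2)
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # keep only the sliding window
                q.popleft()
            if len(q) >= flood_threshold and ip not in flooded:
                flooded.add(ip)
                findings.append(f"connection flood: {len(q)} connections from {ip} within {window}s")
            continue
        m = CONNECTED.match(line)
        if m:
            _, _, client, opts = m.groups()
            if "u'" not in opts:              # Mosquitto logs u'<name>' when a username was sent
                anonymous.add(client)
            continue
        m = SUBSCRIBE.match(line)
        if m:
            _, client, _, topic = m.groups()
            if client in anonymous and ("#" in topic or "+" in topic):
                findings.append(f"anonymous client {client} subscribed to wildcard topic {topic!r}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Mosquitto only writes the subscribe lines when log_type subscribe (or all) is enabled, so the first detection depends on that setting; the connection lines are part of the default log types.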
Resources
https://book.hacktricks.xyz/network-services-pentesting/1883-pentesting-mqtt-mosquitto
https://mqtt-pwn.readthedocs.io/en/latest/plugins/brute.html
https://securitycafe.ro/2022/04/08/iot-pentesting-101-how-to-hack-mqtt-the-standard-for-iot-messaging/