hacktricks/network-services-pentesting/1883-pentesting-mqtt-mosquitto.md

156 lines
7.7 KiB
Markdown
Raw Normal View History

2024-12-12 10:39:29 +00:00
# 1883 - Pentesting MQTT (Mosquitto)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
**MQ Telemetry Transport (MQTT)** is known as a **publish/subscribe messaging protocol** that stands out for its extreme simplicity and lightness. This protocol is specifically tailored for environments where devices have limited capabilities and operate over networks that are characterized by low bandwidth, high latency, or unreliable connections. The core objectives of MQTT include minimizing the usage of network bandwidth and reducing the demand on device resources. Additionally, it aims to maintain reliable communication and provide a certain level of delivery assurance. These goals make MQTT exceptionally suitable for the burgeoning field of **machine-to-machine (M2M) communication** and the **Internet of Things (IoT)**, where it's essential to connect a myriad of devices efficiently. Moreover, MQTT is highly beneficial for mobile applications, where conserving bandwidth and battery life is crucial.
**Default port:** 1883
```
PORT STATE SERVICE REASON
1883/tcp open mosquitto version 1.4.8 syn-ack
```
## Inspecting the traffic
When a **CONNECT** packet is received by MQTT brokers, a **CONNACK** packet is sent back. This packet contains a return code which is crucial for understanding the connection status. A return code of **0x00** means that the credentials have been accepted, signifying a successful connection. On the other hand, a return code of **0x05** signals that the credentials are invalid, thus preventing the connection.
For instance, if the broker rejects the connection due to invalid credentials, the scenario would look something like this:
```
{
"returnCode": "0x05",
"description": "Connection Refused, not authorized"
}
```
![](<../.gitbook/assets/image (976).png>)
### [**Brute-Force MQTT**](../generic-methodologies-and-resources/brute-force.md#mqtt)
## Pentesting MQTT
**Authentication is totally optional** and even if authentication is being performed, **encryption is not used by default** (credentials are sent in clear text). MITM attacks can still be executed to steal passwords.
To connect to a MQTT service you can use: [https://github.com/bapowell/python-mqtt-client-shell](https://github.com/bapowell/python-mqtt-client-shell) and subscribe yourself to all the topics doing:
```
> connect (NOTICE that you need to indicate before this the params of the connection, by default 127.0.0.1:1883)
> subscribe "#" 1
> subscribe "$SYS/#"
```
You could also use [**https://github.com/akamai-threat-research/mqtt-pwn**](https://github.com/akamai-threat-research/mqtt-pwn)
You can also use:
```bash
apt-get install mosquitto mosquitto-clients
mosquitto_sub -t 'test/topic' -v #Subscribe to 'test/topic'
mosquitto_sub -h <host-ip> -t "#" -v #Subscribe to ALL topics.
```
Or you could **run this code to try to connect to a MQTT service without authentication, subscribe to every topic and listen them**:
```python
#This is a modified version of https://github.com/Warflop/IOT-MQTT-Exploit/blob/master/mqtt.py
import paho.mqtt.client as mqtt
import time
import os
HOST = "127.0.0.1"
PORT = 1883
def on_connect(client, userdata, flags, rc):
client.subscribe('#', qos=1)
client.subscribe('$SYS/#')
def on_message(client, userdata, message):
print('Topic: %s | QOS: %s | Message: %s' % (message.topic, message.qos, message.payload))
def main():
client = mqtt.Client()
client.on_connect = on_connect
client.on_message = on_message
client.connect(HOST, PORT)
client.loop_start()
#time.sleep(10)
#client.loop_stop()
if __name__ == "__main__":
main()
```
## More information
from here: [https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b](https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b)
### The Publish/Subscribe Pattern <a href="#b667" id="b667"></a>
The publish/subscribe model is composed of:
* **Publisher**: publishes a message to one (or many) topic(s) in the broker.
* **Subscriber**: subscribes to one (or many) topic(s) in the broker and receives all the messages sent from the publisher.
* **Broker**: routes all the messages from the publishers to the subscribers.
* **Topic**: consists of one or more levels that are separated by a a forward slash (e.g., /smartshouse/livingroom/temperature).
### Packet Format <a href="#f15a" id="f15a"></a>
Every MQTT packet contains a fixed header (Figure 02).Figure 02: Fixed Header
![https://miro.medium.com/max/838/1\*k6RkAHEk0576geQGUcKSTA.png](https://miro.medium.com/max/838/1\*k6RkAHEk0576geQGUcKSTA.png)
### Packet Types
* CONNECT (1): Initiated by the client to request a connection to the server.
* CONNACK (2): The server's acknowledgment of a successful connection.
* PUBLISH (3): Used to send a message from the client to the server or vice versa.
* PUBACK (4): Acknowledgment of a PUBLISH packet.
* PUBREC (5): Part of a message delivery protocol ensuring the message is received.
* PUBREL (6): Further assurance in message delivery, indicating a message release.
* PUBCOMP (7): Final part of the message delivery protocol, indicating completion.
* SUBSCRIBE (8): A client's request to listen for messages from a topic.
* SUBACK (9): The server's acknowledgment of a SUBSCRIBE request.
* UNSUBSCRIBE (10): A client's request to stop receiving messages from a topic.
* UNSUBACK (11): The server's response to an UNSUBSCRIBE request.
* PINGREQ (12): A heartbeat message sent by the client.
* PINGRESP (13): Server's response to the heartbeat message.
* DISCONNECT (14): Initiated by the client to terminate the connection.
* Two values, 0 and 15, are marked as reserved and their use is forbidden.
## Shodan
* `port:1883 MQTT`
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}