# 1883 - Pentesting MQTT (Mosquitto)

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}


## Basic Information

**MQ Telemetry Transport (MQTT)** inajulikana kama **protokali ya ujumbe ya kuchapisha/kujiunga** ambayo inajitokeza kwa urahisi wake mkubwa na mwanga. Protokali hii imeandaliwa mahsusi kwa mazingira ambapo vifaa vina uwezo mdogo na vinatumika kwenye mitandao ambayo ina sifa za upana wa bendi ya chini, ucheleweshaji mkubwa, au muunganisho usio na uhakika. Malengo makuu ya MQTT ni pamoja na kupunguza matumizi ya upana wa bendi ya mtandao na kupunguza mahitaji kwenye rasilimali za kifaa. Aidha, inakusudia kudumisha mawasiliano ya kuaminika na kutoa kiwango fulani cha uhakikisho wa usambazaji. Malengo haya yanaufanya MQTT kuwa mzuri sana kwa uwanja unaokua wa **mawasiliano kati ya mashine (M2M)** na **Internet of Things (IoT)**, ambapo ni muhimu kuunganisha vifaa vingi kwa ufanisi. Zaidi ya hayo, MQTT ni faida kubwa kwa programu za simu, ambapo kuhifadhi upana wa bendi na maisha ya betri ni muhimu.

**Default port:** 1883
```
PORT     STATE SERVICE                 REASON
1883/tcp open  mosquitto version 1.4.8 syn-ack
```
## Kukagua trafiki

Wakati pakiti ya **CONNECT** inapokelewa na wakala wa MQTT, pakiti ya **CONNACK** inatumwa kurudi. Pakiti hii ina nambari ya kurudi ambayo ni muhimu kwa kuelewa hali ya muunganisho. Nambari ya kurudi ya **0x00** inamaanisha kwamba akreditivu zimekubaliwa, ikionyesha muunganisho uliofanikiwa. Kwa upande mwingine, nambari ya kurudi ya **0x05** inaashiria kwamba akreditivu si halali, hivyo kuzuia muunganisho.

Kwa mfano, ikiwa wakala atakataa muunganisho kutokana na akreditivu zisizo halali, hali hiyo itakuwa kama ifuatavyo:
```
{
"returnCode": "0x05",
"description": "Connection Refused, not authorized"
}
```
![](<../.gitbook/assets/image (976).png>)

### [**Brute-Force MQTT**](../generic-methodologies-and-resources/brute-force.md#mqtt)

## Pentesting MQTT

**Uthibitisho ni wa hiari kabisa** na hata kama uthibitisho unafanywa, **sifuri hazitumiki kwa chaguo-msingi** (taarifa za kuingia zinatumwa kwa maandiko wazi). Mashambulizi ya MITM bado yanaweza kufanywa kuiba nywila.

Ili kuungana na huduma ya MQTT unaweza kutumia: [https://github.com/bapowell/python-mqtt-client-shell](https://github.com/bapowell/python-mqtt-client-shell) na jiandikishe kwa mada zote kwa kufanya:
```
> connect (NOTICE that you need to indicate before this the params of the connection, by default 127.0.0.1:1883)
> subscribe "#" 1
> subscribe "$SYS/#"
```
Unaweza pia kutumia [**https://github.com/akamai-threat-research/mqtt-pwn**](https://github.com/akamai-threat-research/mqtt-pwn)

Unaweza pia kutumia:
```bash
apt-get install mosquitto mosquitto-clients
mosquitto_sub -t 'test/topic' -v #Subscribe to 'test/topic'
mosquitto_sub -h <host-ip> -t "#" -v #Subscribe to ALL topics.
```
Au unaweza **kufanya kazi hii kujaribu kuungana na huduma ya MQTT bila uthibitisho, jiandikishe kwa kila mada na usikilize**:
```python
#This is a modified version of https://github.com/Warflop/IOT-MQTT-Exploit/blob/master/mqtt.py
import paho.mqtt.client as mqtt
import time
import os

HOST = "127.0.0.1"
PORT = 1883

def on_connect(client, userdata, flags, rc):
client.subscribe('#', qos=1)
client.subscribe('$SYS/#')

def on_message(client, userdata, message):
print('Topic: %s | QOS: %s  | Message: %s' % (message.topic, message.qos, message.payload))

def main():
client = mqtt.Client()
client.on_connect = on_connect
client.on_message = on_message
client.connect(HOST, PORT)
client.loop_start()
#time.sleep(10)
#client.loop_stop()

if __name__ == "__main__":
main()
```
## More information

from here: [https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b](https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b)

### The Publish/Subscribe Pattern <a href="#b667" id="b667"></a>

Mfano wa kuchapisha/kusajili unajumuisha:

* **Publisher**: anachapisha ujumbe kwa mada moja (au nyingi) katika broker.
* **Subscriber**: anasajili kwa mada moja (au nyingi) katika broker na kupokea ujumbe wote wanaotumwa kutoka kwa publisher.
* **Broker**: inaratibu ujumbe wote kutoka kwa publishers hadi kwa subscribers.
* **Topic**: inajumuisha ngazi moja au zaidi ambazo zimegawanywa na slash ya mbele (mfano, /smartshouse/livingroom/temperature).

### Packet Format <a href="#f15a" id="f15a"></a>

Kila pakiti ya MQTT ina kichwa kisichobadilika (Mchoro 02). Mchoro 02: Kichwa Kisichobadilika

![https://miro.medium.com/max/838/1\*k6RkAHEk0576geQGUcKSTA.png](https://miro.medium.com/max/838/1\*k6RkAHEk0576geQGUcKSTA.png)

### Packet Types

* CONNECT (1): Imeanzishwa na mteja kuomba muunganisho na seva.
* CONNACK (2): Kuthibitisha kwa seva muunganisho uliofanikiwa.
* PUBLISH (3): Inatumika kutuma ujumbe kutoka kwa mteja hadi seva au kinyume chake.
* PUBACK (4): Kuthibitisha pakiti ya PUBLISH.
* PUBREC (5): Sehemu ya itifaki ya usambazaji wa ujumbe inahakikisha ujumbe umepokelewa.
* PUBREL (6): Uhakikisho zaidi katika usambazaji wa ujumbe, ikionyesha kutolewa kwa ujumbe.
* PUBCOMP (7): Sehemu ya mwisho ya itifaki ya usambazaji wa ujumbe, ikionyesha kukamilika.
* SUBSCRIBE (8): Ombi la mteja kusikiliza ujumbe kutoka kwa mada.
* SUBACK (9): Kuthibitisha kwa seva ombi la SUBSCRIBE.
* UNSUBSCRIBE (10): Ombi la mteja kusitisha kupokea ujumbe kutoka kwa mada.
* UNSUBACK (11): Jibu la seva kwa ombi la UNSUBSCRIBE.
* PINGREQ (12): Ujumbe wa moyo uliopelekwa na mteja.
* PINGRESP (13): Jibu la seva kwa ujumbe wa moyo.
* DISCONNECT (14): Imeanzishwa na mteja kumaliza muunganisho.
* Thamani mbili, 0 na 15, zimewekwa kama zilizohifadhiwa na matumizi yao yanakatazwa.

## Shodan

* `port:1883 MQTT`


{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}