hacktricks/network-services-pentesting/1883-pentesting-mqtt-mosquitto.md
Carlos Polop 10f210fafa update
2024-09-04 14:44:38 +02:00

7.7 KiB

1883 - Pentesting MQTT (Mosquitto)

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Basic Information

MQ Telemetry Transport (MQTT) is known as a publish/subscribe messaging protocol that stands out for its extreme simplicity and lightness. This protocol is specifically tailored for environments where devices have limited capabilities and operate over networks that are characterized by low bandwidth, high latency, or unreliable connections. The core objectives of MQTT include minimizing the usage of network bandwidth and reducing the demand on device resources. Additionally, it aims to maintain reliable communication and provide a certain level of delivery assurance. These goals make MQTT exceptionally suitable for the burgeoning field of machine-to-machine (M2M) communication and the Internet of Things (IoT), where it's essential to connect a myriad of devices efficiently. Moreover, MQTT is highly beneficial for mobile applications, where conserving bandwidth and battery life is crucial.

Default port: 1883

PORT     STATE SERVICE                 REASON
1883/tcp open  mosquitto version 1.4.8 syn-ack

Inspecting the traffic

When a CONNECT packet is received by MQTT brokers, a CONNACK packet is sent back. This packet contains a return code which is crucial for understanding the connection status. A return code of 0x00 means that the credentials have been accepted, signifying a successful connection. On the other hand, a return code of 0x05 signals that the credentials are invalid, thus preventing the connection.

For instance, if the broker rejects the connection due to invalid credentials, the scenario would look something like this:

{
  "returnCode": "0x05",
  "description": "Connection Refused, not authorized"
}

Brute-Force MQTT

Pentesting MQTT

Authentication is totally optional and even if authentication is being performed, encryption is not used by default (credentials are sent in clear text). MITM attacks can still be executed to steal passwords.

To connect to a MQTT service you can use: https://github.com/bapowell/python-mqtt-client-shell and subscribe yourself to all the topics doing:

> connect (NOTICE that you need to indicate before this the params of the connection, by default 127.0.0.1:1883)
> subscribe "#" 1
> subscribe "$SYS/#"

You could also use https://github.com/akamai-threat-research/mqtt-pwn

You can also use:

apt-get install mosquitto mosquitto-clients
mosquitto_sub -t 'test/topic' -v #Subscribe to 'test/topic'
mosquitto_sub -h <host-ip> -t "#" -v #Subscribe to ALL topics.

Or you could run this code to try to connect to a MQTT service without authentication, subscribe to every topic and listen them:

#This is a modified version of https://github.com/Warflop/IOT-MQTT-Exploit/blob/master/mqtt.py
import paho.mqtt.client as mqtt
import time
import os

HOST = "127.0.0.1"
PORT = 1883

def on_connect(client, userdata, flags, rc):
	client.subscribe('#', qos=1)
	client.subscribe('$SYS/#')

def on_message(client, userdata, message):
	print('Topic: %s | QOS: %s  | Message: %s' % (message.topic, message.qos, message.payload))

def main():
	client = mqtt.Client()
	client.on_connect = on_connect
	client.on_message = on_message
	client.connect(HOST, PORT)
	client.loop_start()
	#time.sleep(10)
	#client.loop_stop()

if __name__ == "__main__":
	main()

More information

from here: https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b

The Publish/Subscribe Pattern

The publish/subscribe model is composed of:

  • Publisher: publishes a message to one (or many) topic(s) in the broker.
  • Subscriber: subscribes to one (or many) topic(s) in the broker and receives all the messages sent from the publisher.
  • Broker: routes all the messages from the publishers to the subscribers.
  • Topic: consists of one or more levels that are separated by a a forward slash (e.g., /smartshouse/livingroom/temperature).

Packet Format

Every MQTT packet contains a fixed header (Figure 02).Figure 02: Fixed Header

https://miro.medium.com/max/838/1*k6RkAHEk0576geQGUcKSTA.png

Packet Types

  • CONNECT (1): Initiated by the client to request a connection to the server.
  • CONNACK (2): The server's acknowledgment of a successful connection.
  • PUBLISH (3): Used to send a message from the client to the server or vice versa.
  • PUBACK (4): Acknowledgment of a PUBLISH packet.
  • PUBREC (5): Part of a message delivery protocol ensuring the message is received.
  • PUBREL (6): Further assurance in message delivery, indicating a message release.
  • PUBCOMP (7): Final part of the message delivery protocol, indicating completion.
  • SUBSCRIBE (8): A client's request to listen for messages from a topic.
  • SUBACK (9): The server's acknowledgment of a SUBSCRIBE request.
  • UNSUBSCRIBE (10): A client's request to stop receiving messages from a topic.
  • UNSUBACK (11): The server's response to an UNSUBSCRIBE request.
  • PINGREQ (12): A heartbeat message sent by the client.
  • PINGRESP (13): Server's response to the heartbeat message.
  • DISCONNECT (14): Initiated by the client to terminate the connection.
  • Two values, 0 and 15, are marked as reserved and their use is forbidden.

Shodan

  • port:1883 MQTT

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}