MQTT

Discovery

MQTT is a lightweight messaging protocol often used in IoT (Internet of Things) applications.

• 1883: Default port for MQTT.
• 8883: Default port for MQTT over TLS/SSL.

MQTT client:

• mqtt-spy
• MQTT CLI
• MQTT Lens
• MQTT.fx
• mosquitto_tools

mosquitto_sub -h sensors.domain.com -t '#'
mosquitto_sub -h sensors.domain.com -t '+'
mosquitto_sub -h sensors.domain.com -t "/sensor/"

Scan an MQTT with nmap :

nmap -p 1883 -vvv --script=mqtt-subscribe -d sensors.domain.com

Explore MQTT

Connect and subscribe to every topics using the # keyword.

import paho.mqtt.client as mqtt
def on_connect(client, userdata, flags, rc):
   print "[+] Connection successful"
   client.subscribe('#', qos = 1)        # Subscribe to all topics
   client.subscribe('$SYS/#')            # Broker Status (Mosquitto)
def on_message(client, userdata, msg):
   print '[+] Topic: %s - Message: %s' % (msg.topic, msg.payload)
client = mqtt.Client(client_id = "MqttClient")
client.on_connect = on_connect
client.on_message = on_message
client.connect('SERVER IP HERE', 1883, 60)
client.loop_forever()

Send MQTT requests

import paho.mqtt.client as mqtt
def on_connect(client, userdata, flags, rc):
   print "[+] Connection success"
client = mqtt.Client(client_id = "MqttClient")
client.on_connect = on_connect
client.connect('IP SERVER HERE', 1883, 60)
client.publish('smarthouse/garage/door', "{'open':'true'}")

MQTT Fuzzing

• MQTT-Fuzz

Share this content