MQTT

Message Queuing Telemetry Transport (MQTT) is a publish-subscribe messaging protocol that runs over the TCP/IP stack. It is an ISO standard, ISO/IEC 20922:2016, and the specification is also publicly available. It is a very popular protocol in the IoT scene and is used in domains ranging from home automation to ICS.

mqtt.generic.crackauth

Use this plugin when the broker requires authentication. It performs a dictionary attack on the credentials.

Note

The client ID and user name are not the same.

Usage details:

ef> run mqtt.generic.crackauth -h

Examples

For a quick check of a single credential pair, use -u for the username and -w for the password.

ef> run mqtt.generic.crackauth -r 192.168.0.200 -p 1883 -u mqtt -w mqtt
[...]
[*] Attempting to authenticate with the MQTT Broker (192.168.0.200) on port (1883)
[+] FOUND - (user=mqtt)(passwd=mqtt)(return code=0:Connection Accepted.)
[+] Test mqtt.generic.crackauth passed

To perform a real dictionary attack, create a text file containing the credentials you want to test (in the example below, one candidate password per line, each tried against the username given with -u).

$ cat password-list.txt
123456
ha
mqtt
ef> run mqtt.generic.crackauth -r 192.168.0.20 -p 1883 -u mqtt -f password-list.txt -v
[...]
[*] Attempting to authenticate with the MQTT broker (192.168.0.20) on port (1883)
[*] Checking username mqtt with password 123456
[-] Auth failed - (user=mqtt)(passwd=123456)(return code=5:Connection Refused: not authorised.)
[*] Checking username mqtt with password ha
[-] Auth failed - (user=mqtt)(passwd=ha)(return code=5:Connection Refused: not authorised.)
[*] Checking username mqtt with password mqtt
[+] FOUND - (user=mqtt)(passwd=mqtt)(return code=0:Connection Accepted.)
[+] Test mqtt.generic.crackauth passed

In command-line mode, the username/password combinations can also be fed as input from a third-party tool.

$ expliot run mqtt.generic.crackauth -r 192.168.0.20 -p 1883 -u mqtt -f password-list.txt
[...]
[*] Attempting to authenticate with the MQTT broker (192.168.0.20) on port (1883)
[+] FOUND - (user=mqtt)(passwd=mqtt)(return code=0:Connection Accepted.)
[+] Test mqtt.generic.crackauth passed
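The plugin above is doing nothing more exotic than sending an MQTT CONNECT packet and reading the return code in the broker's CONNACK, which is where the "return code=0:Connection Accepted." and "return code=5:Connection Refused: not authorised." lines come from. The following added example (not part of EXPLIoT) encodes a CONNECT for MQTT 3.1.1 and decodes a CONNACK; it also makes the Note concrete, because the client ID and the user name are separate fields in the payload. The return-code strings are taken from the output above; sample CONNACK bytes are constructed.

```python
import struct
from typing import Optional, Tuple

# MQTT 3.1.1 CONNACK return codes (spec section 3.2.2.3). The wording for
# codes 0 and 5 matches what the crackauth output above prints.
CONNACK_CODES = {
    0: "Connection Accepted.",
    1: "Connection Refused: unacceptable protocol version.",
    2: "Connection Refused: identifier rejected.",
    3: "Connection Refused: server unavailable.",
    4: "Connection Refused: bad user name or password.",
    5: "Connection Refused: not authorised.",
}

def _utf8_field(s: str) -> bytes:
    """MQTT string encoding: 2-byte big-endian length followed by UTF-8 bytes."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data

def _remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 bits per byte, high bit = more bytes follow."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)

def build_connect(client_id: str, username: Optional[str] = None,
                  password: Optional[str] = None, keepalive: int = 60) -> bytes:
    """Encode an MQTT 3.1.1 CONNECT. The client ID is always the first payload
    field; user name and password are separate optional fields announced by
    bits 7 and 6 of the connect flags byte."""
    flags = 0x02                      # clean session
    payload = _utf8_field(client_id)
    if username is not None:
        flags |= 0x80
        payload += _utf8_field(username)
    if password is not None:
        flags |= 0x40
        payload += _utf8_field(password)
    var_header = _utf8_field("MQTT") + bytes([0x04, flags]) + struct.pack("!H", keepalive)
    body = var_header + payload
    return b"\x10" + _remaining_length(len(body)) + body   # 0x10 = CONNECT, flags 0

def parse_connack(packet: bytes) -> Tuple[int, str]:
    """Decode a CONNACK (0x20, remaining length 2) into (return_code, description)."""
    if len(packet) < 4 or packet[0] != 0x20 or packet[1] != 0x02:
        raise ValueError("not a CONNACK packet")
    code = packet[3]
    return code, CONNACK_CODES.get(code, "Connection Refused: unknown code.")
```

A broker that answers every bad password with code 4 or 5 within milliseconds is exactly what makes the dictionary attack cheap, so rate-limiting or lockout on repeated refused CONNECTs from one source is the broker-side control to look for.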

mqtt.generic.pub

During your assessment, you may want to write malicious data to a specific topic, check whether you are able to write to particular topics, or corrupt the data in the $SYS topics. This plugin can help you with that.

Usage details:

ef> run mqtt.generic.pub -h

Examples

Publish a message with the payload running to the topic expliot on an MQTT broker that requires authentication and listens on the default port, 1883.

$ expliot run mqtt.generic.pub -r 192.168.0.200 -u admin -w 123456 -t expliot -m running
[...]
[*] Publishing message on topic (192.168.0.200) to MQTT Broker (expliot) on port (1883)
[?] Using authentication (username=admin)(password=123456)
[+] Done
[+] Test mqtt.generic.pub passed

mqtt.generic.sub

It is very common to check which topics we can subscribe to, what data we receive for further analysis, or to read data from the $SYS topics. If you are lucky you may end up reading sensitive data that can help you pwn the system. This simple plugin can help you do that.

By default the connection is kept open until a message arrives. This means you have to press Ctrl + C if you want to stop listening.

Usage details:

ef> run mqtt.generic.sub -h

Examples

Subscribe to the /merakimv/# topic on the MQTT broker test.mosquitto.org (on the default port, 1883) and wait 3 seconds for messages.

ef> run mqtt.generic.sub -r test.mosquitto.org -t "/merakimv/#" -o 3
[...]
[*] Susbcribing to topic (/merakimv/#) on MQTT Broker (test.mosquitto.org) on port (1883)
[+] (topic=/merakimv/Q2JV-J3QJ-T93R/light)(payload=b'{"lux": 11230.6}')
[+] (topic=/merakimv/Q2JV-WBT5-MM3J/raw_detections)(payload=b'{"ts":1564219717078,...}]}')
[+] Test mqtt.generic.sub passed

Subscribe to the # topic (all topics) on an MQTT broker on port 10883 that requires authentication, and wait 10 seconds for messages.

ef> run mqtt.generic.sub -r 192.168.0.200 -p 10883 -t # -u ha -w ha -o 10
[...]
[*] Susbcribing to topic (#) on MQTT Broker (192.168.0.200) on port (10883)
[?] Using authentication (username=ha)(password=ha)
[+] (topic=homeassistant/binary_sensor/e4f4/e4f4_status/config)(payload=b'{"device_class":"connectivity",...}}')
[+] Test mqtt.generic.sub passed

mqtt.aws.pub

If you are exploring or security testing an IoT ecosystem that uses AWS IoT, you will need these (aws mqtt) plugins to interact with the AWS IoT cloud (the AWS custom endpoint, in AWS terminology). You will, however, need the credentials of a device (a thing, in AWS terminology) to communicate with the custom endpoint. AWS IoT supports two types of authentication: certificate based and IAM based. During your assessment, you may want to write malicious data to a specific topic or check whether you are able to write to particular topics. This plugin can help you with that.

Note

You will only get access to the topics that the thing is allowed to publish and subscribe to. You can also manipulate the thing shadow.

Usage details:

ef> run mqtt.aws.pub -h

Examples

Publish a message with the payload {'temp':'25'} to the topic foo/temp on the AWS MQTT broker (custom endpoint), on the default port, 8883, using certificate based authentication.

ef> run mqtt.aws.pub -r xxxx.iot.xx.amazonaws.com -a /path/AmazonRootCA1.pem -k /path/xx-private.pem.key -c /path/xx-certificate.pem.crt -t "foo/temp" -m "{'temp':'25'}"
[...]
[*] Publishing message on topic (foo/temp) to AWS IoT endpoint (xxxx.iot.xx.amazonaws.com) on port (8883)
[+] Message ({'temp':'25'}) published on topic (foo/temp)
[+] Test mqtt.aws.pub passed

mqtt.aws.sub

See the mqtt.aws.pub introduction for AWS-specific comments. It is very common to check which topics we can subscribe to, what data we receive for further analysis, or to read data from the $aws topics. If you are lucky you may end up reading sensitive data that can help you pwn the ecosystem. This simple plugin can help you do that.

Usage details:

ef> run mqtt.aws.sub -h

Examples

Subscribe to the foo/temp topic on the AWS MQTT broker (custom endpoint), on the default port, 8883, using certificate based authentication, and wait 10 seconds for messages.

ef> run mqtt.aws.sub -r xxx.amazonaws.com -a /path/AmazonRootCA1.pem -k /path/xx-private.pem.key -c /path/xx-certificate.pem.crt -t "foo/temp" -o 10
[...]
[*] Subscribing to topic (foo/temp) on AWS IoT endpoint (xxx.amazonaws.com) on port (8883)
[+] (topic=foo/temp)(payload=b"{'temp':'25'}")
[+] (topic=foo/temp)(payload=b"{'temp':'26'}")
[+] (topic=foo/temp)(payload=b"{'temp':'0'}")
[+] Test mqtt.aws.sub passed