MQTT (Message Queuing Telemetry Transport) - Port 1883

Basic info

MQTT (Message Queuing Telemetry Transport) is a lightweight messaging protocol for IoT devices, using a publish-subscribe model over TCP/IP. The most popular open-source broker implementation is Mosquitto. Due to minimal configuration and often insecure deployments, MQTT services are frequently vulnerable to attack.

Key characteristics:

  • Default port: TCP 1883 (unencrypted), 8883 (TLS)

  • Stateless pub/sub model

  • Authentication optional

  • Wildcard topics and retained messages


Discovering MQTT Services via Network Scanning

Nmap Detection of MQTT Brokers

Scan for MQTT using service and version detection:

Useful Nmap NSE scripts:

  • mqtt-subscribe.nse - connects and subscribes to common topics

  • mqtt-connect.nse - attempts anonymous authentication

Manual Enumeration with Netcat or Telnet

A CONNACK (connection acknowledgment) packet returned by the broker in response to a CONNECT confirms that an MQTT service is listening.


Assessing Authentication and Authorization Mechanisms

Many MQTT brokers allow anonymous access by default. Check this using mosquitto_sub:

If the broker allows wildcard topic subscription without credentials, it is misconfigured and vulnerable.
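Both the acknowledgment the manual netcat probe waits for and the outcome of an anonymous mosquitto_sub are decided by the CONNACK return code. The following is an added example, not code from the original page: it builds an MQTT 3.1.1 CONNECT packet and decodes the CONNACK reply offline, so an auditor can tell "Connection accepted" (anonymous access enabled) from "Not authorized" on the wire. The sample replies are constructed and nothing is sent over the network.

```python
import struct

# MQTT 3.1.1 CONNACK return codes (spec section 3.2.2.3)
CONNACK_CODES = {0: "Connection accepted", 1: "Unacceptable protocol version",
                 2: "Identifier rejected", 3: "Server unavailable",
                 4: "Bad user name or password", 5: "Not authorized"}

def _utf8_field(text):
    """Length-prefixed UTF-8 string, the encoding MQTT uses for all strings."""
    data = text.encode("utf-8")
    return struct.pack("!H", len(data)) + data

def _remaining_length(n):
    """MQTT variable-length 'remaining length': 7 bits per byte, MSB = more."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def build_connect(client_id, username=None, password=None, keepalive=60):
    """CONNECT packet (clean session); username/password flags only if supplied."""
    flags = 0x02                                  # bit 1: clean session
    payload = _utf8_field(client_id)
    if username is not None:
        flags |= 0x80                             # bit 7: username present
        payload += _utf8_field(username)
    if password is not None:
        flags |= 0x40                             # bit 6: password present
        payload += _utf8_field(password)
    var_header = (_utf8_field("MQTT") + bytes([0x04, flags])
                  + struct.pack("!H", keepalive))
    body = var_header + payload
    return b"\x10" + _remaining_length(len(body)) + body   # 0x10 = CONNECT

def decode_connack(packet):
    """Decode the 4-byte CONNACK; code 0 means the broker accepted the session."""
    if len(packet) < 4 or packet[0] != 0x20 or packet[1] != 0x02:
        raise ValueError("not a CONNACK packet")
    code = packet[3]
    return {"accepted": code == 0, "code": code,
            "reason": CONNACK_CODES.get(code, "Reserved/unknown"),
            "session_present": bool(packet[2] & 0x01)}

# Constructed sample replies (not captured from a real broker): an open broker
# answers a credential-less CONNECT with code 0, a hardened one with code 5.
OPEN_BROKER_REPLY = bytes.fromhex("20020000")
HARDENED_BROKER_REPLY = bytes.fromhex("20020005")
```

A return code of 0 to a CONNECT carrying no username or password is the wire-level signature of anonymous access being enabled on the broker.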

Try authentication bypass:


Exploiting Publish and Subscribe for Information Disclosure

Read All Topics with Wildcards

This reveals:

  • Sensor values

  • Credentials sent by devices

  • Internal control commands

  • Presence of retained messages

Publishing Arbitrary Payloads

This can trigger real-world actions on connected devices if any device is subscribed to that topic.


Brute Forcing MQTT Credentials

Use hydra for credential brute-force:


Persistent Attacks with Retained Messages

Retained messages persist even after the publisher disconnects, making them ideal for:

  • Persistence payloads

  • Credential harvesting

  • Fake sensor data injection

Set retained payload:

When a new subscriber connects, it immediately receives the forged message.

