MQ Telemetry Transport (MQTT) is a lightweight protocol that is widely used by IoT devices to communicate with their brokers/servers situated on remote locations and clouds. The protocol is simple and consumes much less bandwidth and power than its peers, making it best for devices where network bandwidth and power are constrained. It is a two-way communication protocol. MQTT works in a subscribe-publish model. Brokers or servers play middleman for the publishers (producers e.g. sensors) and subscribers (consumers e.g. central monitoring system).
In this section, we will learn the basics of MQTT protocol, how to interact with MQTT brokers, perform enumeration and launch dictionary attacks, exploit known DoS vulnerabilities, and interact with a dummy ICS setup.
What will you learn?
How to fingerprint and interact with an MQTT server
Launch enumeration and dictionary attacks on MQTT servers
Interact and manipulate MQTT messages to disrupt systems
References:
MQTT (https://mqtt.org/)
Mosquitto server (https://mosquitto.org/)
RabbitMQ (https://www.rabbitmq.com/)
Node-RED (https://nodered.org/)
Labs:
Broker Recon and Fingerprinting
Scan, fingerprint and interact with an open MQTT server/broker service provided by Mosquitto.
Interact with an MQTT broker with a username-based ACL implemented on it. Also, figure out a user's permissions on various topics present on the servers.
Interact with an MQTT broker protected with user credentials. Also, launch a dictionary attack on it to figure out the correct password for a valid username.
Interact and launch dictionary attacks on two MQTT brokers that are configured in a broker-bridge configuration.
Controller-Broker-Sensor Setup
Analyze and interact with a dummy ICS (Industrial Control System) with multiple components (e.g. MQTT broker, sensor, monitoring dashboard). Then, launch a manipulation attack on the system to trigger false alarm/alert.
Interact and configure a Node-RED system. A sample flow is provided along with a MQTT sensor (to act as input).
Exploit the RAM overflow vulnerability to crash an MQTT broker.
Exploit an assert overflow vulnerability to crash an MQTT broker.
Scan, fingerprint and interact with an open MQTT server/broker service running on RabbitMQ server.
RabbitMQ: Controller-Broker-Sensor Setup
Analyze and interact with a dummy ICS (Industrial Control System) with multiple components (e.g. RabbitMQ MQTT broker, sensor, monitoring dashboard). Then, launch a manipulation attack on the system to trigger false alarm/alert.
RabbitMQ: MQTT Dictionary Attack
Perform a dictionary attack on an MQTT server/broker service running on a RabbitMQ server.