MQTT (Message Queuing Telemetry Transport) is a lightweight publish/subscribe messaging protocol well suited to IoT (Internet of Things) devices. It makes device communication efficient, but securing it is crucial. This blog walks you through setting up a deliberately vulnerable MQTT broker on Linux and exploiting it with the custom penetration-testing tool PentestMQTT.
Setting Up the Vulnerable MQTT Broker
Step 1: Install Mosquitto
First, we need to install Mosquitto, a popular MQTT broker. Update your package lists and install Mosquitto along with its client tools:
sudo apt update
sudo apt install mosquitto mosquitto-clients
Step 2: Install Necessary Build Tools
Next, install essential build tools and SSL development libraries:
sudo apt-get update
sudo apt-get install build-essential libssl-dev
Step 3: Clone and Set Up the Vulnerable MQTT Repository
Clone the repository containing the vulnerable MQTT broker setup and navigate to the directory:
git clone https://github.com/Nihal-Tiwari/Vulnerable-MQTT-Lab.git
cd Vulnerable-MQTT-Lab
Extract the Mosquitto source files:
tar -zxvf mosquitto-1.4.14.tar.gz
Compile and install Mosquitto from the extracted source tree:
cd mosquitto-1.4.14
make
sudo make install
Step 4: Set Up Authentication
Create the password file and add a user. The -c flag creates (or overwrites) the file, and mosquitto_passwd then prompts for the password; we'll use "admin" as both the username and password for simplicity:
sudo mosquitto_passwd -c /etc/mosquitto/passwd admin
Step 5: Configure Mosquitto
Edit the Mosquitto configuration file to enable password-based authentication:
sudo nano /etc/mosquitto/mosquitto.conf
Add the following lines to the configuration file:
allow_anonymous false
password_file /etc/mosquitto/passwd
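As an added example (not part of the original post or of the lab repository), the fragment below places those two lines in a fuller Mosquitto 1.4-style mosquitto.conf, with the permissive behaviour they replace noted alongside, the plaintext listener bound to localhost, and a TLS listener and ACL file added. The certificate, key and ACL paths are assumptions chosen for illustration.

```conf
# --- what the broker does when the two lines from the post are absent ---
# allow_anonymous true   (default) any client may connect without credentials
# bind_address           (unset)   the default listener accepts connections on every interface

# --- authentication: the two lines from the post ---
allow_anonymous false
password_file /etc/mosquitto/passwd

# --- keep the plaintext default listener reachable only from this host ---
port 1883
bind_address 127.0.0.1

# --- additional TLS listener for clients on the network (paths assumed) ---
listener 8883
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key

# --- per-user topic authorisation (path assumed) ---
acl_file /etc/mosquitto/acl

# --- log every connection so rejected logins are visible ---
log_type all
connection_messages true
```

The ACL file uses Mosquitto's `user <name>` / `topic [read|write|readwrite] <filter>` syntax, so a sensor account can be limited to writing under its own prefix (for example `user sensor` followed by `topic write sensors/room1/#`) while only the admin user keeps `topic readwrite #`. Without an ACL file, any authenticated user can subscribe to `#` and read every message on the broker, which is exactly what the later mosquitto_sub step demonstrates.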
Step 6: Running the Vulnerable Environment
To start the lab environment, return to the cloned repository, make its scripts executable, and run the vulnerable MQTT script:
cd Vulnerable-MQTT-Lab
chmod +x *
bash vuln_mqtt.sh
This script will start the Mosquitto broker with password-based authentication in verbose mode and activate a publisher script to generate continuous MQTT traffic.
Exploiting the Vulnerable MQTT Broker with PentestMQTT
With the vulnerable MQTT broker running, we can move on to exploiting it using PentestMQTT, a custom tool for MQTT penetration testing that scans, tests, and brute-forces MQTT services to identify security weaknesses. This blog uses PentestMQTT for the assessment, but several other tools can also aid in penetration testing MQTT services.
Setting Up PentestMQTT
First, we need to install PentestMQTT. Follow these steps to clone the repository and make the script executable:
git clone https://github.com/Nihal-Tiwari/Pentest-MQTT.git
cd Pentest-MQTT
chmod +x PentestMQTT.sh
Using PentestMQTT Against the Vulnerable MQTT Lab
Here’s how to use PentestMQTT to exploit the vulnerable MQTT broker we set up earlier.
Checking MQTT Service:
Verify if the MQTT service is accessible on the specified IP address and port using the -c or --check option:
./PentestMQTT.sh -c 127.0.0.1 1883
Expected Outcome: PentestMQTT will check if the MQTT service is running on localhost (127.0.0.1) on the default MQTT port (1883).
Performing an Advanced Scan:
Perform an advanced scan using Nmap to gather detailed information about the MQTT service with the -s or --scan option:
./PentestMQTT.sh -s 127.0.0.1 1883
Expected Outcome: PentestMQTT will use Nmap to scan the MQTT service, providing information about open ports and service versions.
Conducting a Brute-Force Attack:
Attempt to brute-force the MQTT service's authentication using the -b or --bruteforce option. Make sure the username and password wordlists (user.txt and pass.txt) are present in the PentestMQTT directory:
./PentestMQTT.sh -b 127.0.0.1 1883
Expected Outcome: PentestMQTT will attempt to crack the MQTT broker authentication using the provided wordlists. If successful, it will display the valid credentials.
Detailed Walkthrough of PentestMQTT Features
Service Check (-c, --check): This feature verifies if the MQTT service is running on the specified IP and port. It's a straightforward check to confirm the presence of the MQTT service before diving into more in-depth tests.
Advanced Scan (-s, --scan): The advanced scan uses Nmap to gather comprehensive details about the MQTT service, such as open ports and service versions. This scan helps in identifying the specifics of the service setup and potential weak points.
Brute-Force Attack (-b, --bruteforce): This feature attempts to crack the MQTT service authentication using specified username and password wordlists. It's an essential tool for testing the robustness of your MQTT authentication mechanism.
To observe the MQTT traffic and identify sensitive transactions, use the mosquitto_sub command to subscribe to every topic on the broker, authenticating as admin (192.168.223.22 is the broker's address in this lab):
mosquitto_sub -t '#' -h 192.168.223.22 -u admin -P admin
Running this command prints every MQTT message the broker relays, so any sensitive information being exchanged in the clear becomes visible.
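Both of the activities just demonstrated, the brute-force attempts against the broker and a client subscribing to '#', leave traces in Mosquitto's verbose log, which is what a defender watching this lab would monitor. The following Python script is an added example, not code from the original post or from the PentestMQTT or Vulnerable-MQTT-Lab repositories: it parses Mosquitto 1.4-style verbose log lines and flags bursts of rejected connections from one source address and subscriptions to wildcard filters. The sample log text is constructed for this example in the shape Mosquitto prints; its timestamps, addresses and client ids are invented, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of Mosquitto 1.4 "-v" output: every line is
# "<epoch>: <message>". Timestamps, addresses and client ids are invented.
SAMPLE_LOG = """\
1700000000: New connection from 10.0.0.5 on port 1883.
1700000000: Socket error on client <unknown>, disconnecting.
1700000000: New connection from 10.0.0.5 on port 1883.
1700000000: Socket error on client <unknown>, disconnecting.
1700000001: New connection from 10.0.0.5 on port 1883.
1700000001: Socket error on client <unknown>, disconnecting.
1700000001: New connection from 10.0.0.5 on port 1883.
1700000001: Socket error on client <unknown>, disconnecting.
1700000002: New connection from 10.0.0.5 on port 1883.
1700000002: Socket error on client <unknown>, disconnecting.
1700000002: New connection from 10.0.0.5 on port 1883.
1700000002: New client connected from 10.0.0.5 as mosqsub/4242-kali (c1, k60, u'admin').
1700000003: Received SUBSCRIBE from mosqsub/4242-kali
1700000003: \t# (QoS 0)
1700000003: Sending SUBACK to mosqsub/4242-kali
1700000010: New connection from 10.0.0.7 on port 1883.
1700000010: New client connected from 10.0.0.7 as sensor-01 (c1, k60, u'sensor').
1700000011: Received SUBSCRIBE from sensor-01
1700000011: \tsensors/room1/temp (QoS 1)
1700000011: Sending SUBACK to sensor-01
"""

LINE_RE = re.compile(r"^(\d+): (.*)$")
NEW_CONN_RE = re.compile(r"^New connection from (\S+) on port \d+\.$")
# Mosquitto 1.4 reports a rejected CONNECT as a socket error on an unknown client.
AUTH_FAIL_RE = re.compile(r"^Socket error on client <unknown>, disconnecting\.$")
CONNECTED_RE = re.compile(r"^New client connected from (\S+) as (\S+) ")
SUBSCRIBE_RE = re.compile(r"^Received SUBSCRIBE from (\S+)$")
TOPIC_RE = re.compile(r"^\t(.+) \(QoS \d\)$")


def is_wildcard(topic):
    """True for filters that match more than one topic ('#' or a '+' level)."""
    levels = topic.split("/")
    return "#" in levels or "+" in levels


def analyze(log_text, max_failures=5, window_seconds=10):
    """Return findings: rejected-login bursts per source IP and wildcard subscriptions."""
    failures = defaultdict(list)   # source ip -> timestamps of rejected connects
    client_ip = {}                 # client id -> source ip it connected from
    findings = []
    last_conn_ip = None            # ip from the most recent "New connection" line
    pending_sub = None             # client whose SUBSCRIBE topic lines follow

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = int(m.group(1)), m.group(2)
        if (c := NEW_CONN_RE.match(msg)):
            last_conn_ip = c.group(1)
            pending_sub = None
        elif AUTH_FAIL_RE.match(msg):
            # A socket error right after a new connection is a rejected login
            # (bad credentials, or anonymous access while allow_anonymous is false).
            if last_conn_ip:
                failures[last_conn_ip].append(ts)
            pending_sub = None
        elif (c := CONNECTED_RE.match(msg)):
            client_ip[c.group(2)] = c.group(1)
            pending_sub = None
        elif (c := SUBSCRIBE_RE.match(msg)):
            pending_sub = c.group(1)
        elif pending_sub and (c := TOPIC_RE.match(msg)):
            # Topic lines follow the SUBSCRIBE line, one per requested filter.
            topic = c.group(1)
            if is_wildcard(topic):
                findings.append({
                    "type": "wildcard_subscribe",
                    "client": pending_sub,
                    "ip": client_ip.get(pending_sub, "unknown"),
                    "topic": topic,
                })
        else:
            pending_sub = None

    # Flag any source that produced max_failures rejections within window_seconds.
    for ip, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - max_failures + 1):
            if stamps[i + max_failures - 1] - stamps[i] <= window_seconds:
                findings.append({"type": "bruteforce", "ip": ip, "failures": len(stamps)})
                break
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the script reports one wildcard subscription (the '#' filter from 10.0.0.5 as user admin) and one brute-force burst (five rejections from 10.0.0.5 within three seconds), while the sensor client subscribing to a single topic produces no finding. To run it against a real lab, redirect the broker's verbose output to a file and pass its contents to analyze(); the "Socket error" pattern is how Mosquitto 1.4 logs a refused login, so the regex would need adjusting for the clearer "not authorised" message of later releases.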
By utilizing PentestMQTT and other tools, you can perform thorough penetration testing on the vulnerable MQTT broker you set up. This hands-on approach helps you identify and address potential security vulnerabilities in MQTT-based IoT systems. For more information and to access the tool, visit the PentestMQTT GitHub repository. This way, you can ensure that your IoT infrastructure remains robust and secure against potential threats. Happy hacking!