LinuxCommandLibrary

impacket-mqtt_check

Check MQTT broker anonymous access or credentials

TLDR

View documentation for the original command

$ tldr mqtt_check.py

SYNOPSIS

impacket-mqtt_check <target> [options]

PARAMETERS

<target>
    The IP address or hostname of the MQTT broker to check.

-p <port>
    Specify the TCP port to connect to. Default is 1883 for MQTT, or 8883 if --tls is used.

-u <username>
    Provide a username for authentication to the MQTT broker.

-P <password>
    Provide a password for authentication to the MQTT broker.

--tls
    Enable TLS/SSL encryption for the connection (often uses port 8883).

--ca-file <file>
    Specify a CA certificate file (PEM format) for verifying the server's TLS certificate.

-t <topic>
    Specify a specific topic to interact with (e.g., for subscribing or publishing).

--cid <client_id>
    Set a specific MQTT client ID to use for the connection.

--subscribe
    Subscribe to the specified topic (-t). If no topic is given, defaults to '#'.

--publish <message>
    Publish a message to the specified topic (-t).

--list-topics
    Attempt to enumerate and list accessible topics on the broker. This often relies on specific broker configurations or vulnerabilities.

--anonymous
    Attempt to connect to the broker without providing any credentials.

--client-id-prefix <prefix>
    Use a specified prefix when generating client IDs for certain checks (e.g., client ID enumeration).

--subscribe-wildcard <wildcard>
    Subscribe using a wildcard topic (e.g., 'sensors/#').

--dump-all-topics
    Subscribe to the '#' wildcard topic and dump all messages received.

--check-auth
    Perform various authentication-related checks, including common weak credentials or bypasses.

--check-anonymous
    Specifically check if anonymous access is permitted on the broker.

--check-topic-enum
    Check for vulnerabilities allowing unauthorized topic enumeration.

--check-qos-bypass
    Test for Quality of Service (QoS) bypass vulnerabilities.

--check-retained-messages
    Examine retained message functionality for potential issues.

--check-lwt
    Check Last Will and Testament (LWT) messages for security implications.

--help
    Show the program's help message and exit.

DESCRIPTION

impacket-mqtt_check is a specialized command-line utility from the Impacket toolkit, designed for security auditing and penetration testing of MQTT (Message Queuing Telemetry Transport) brokers. It allows security professionals to interact with MQTT services, enumerate topics, check for anonymous access, test authentication mechanisms, and identify common misconfigurations or vulnerabilities.

This tool is particularly useful in environments where MQTT is used for IoT devices, industrial control systems (ICS), or general messaging, helping to ensure the integrity and confidentiality of communication channels by proactively identifying potential weaknesses in the MQTT broker's security posture. It supports both standard MQTT (port 1883) and MQTT over TLS/SSL (port 8883).

CAVEATS

1. Ethical Use: This tool is intended for authorized security assessments. Never use it against systems you do not have explicit permission to test.
2. Network Connectivity: Requires direct network access to the target MQTT broker on the specified port.
3. Broker Variations: The effectiveness and results of checks can vary significantly depending on the MQTT broker software, version, and configuration.
4. Passive vs. Active: Some checks are active and may generate logs or trigger alerts on the target system.

INSTALLATION

impacket-mqtt_check is part of the Impacket library. It can typically be installed via pip:

$ pip install impacket

or by cloning the GitHub repository and installing manually.

COMMON USE CASES

  • Anonymous Access Check: impacket-mqtt_check <target> --check-anonymous
  • Dump All Topics: impacket-mqtt_check <target> --dump-all-topics (Warning: can generate significant output)
  • Check Authentication: impacket-mqtt_check <target> --check-auth
  • Subscribe to a Specific Topic with Credentials: impacket-mqtt_check <target> -u <user> -P <pass> -t my/sensor/data --subscribe

HISTORY

The Impacket library, developed by SecureAuth, is a renowned collection of Python classes for programmatic access to network protocols. mqtt_check was introduced as MQTT's prevalence grew, particularly in IoT and ICS environments, necessitating specialized tools for security assessments. It reflects the ongoing commitment of the Impacket project to address new protocol vulnerabilities and expand its capabilities for penetration testing and incident response.

SEE ALSO

  • nmap(1) - Network exploration tool and security / port scanner
  • mosquitto_pub(1) - Mosquitto command line publisher
  • mosquitto_sub(1) - Mosquitto command line subscriber
  • netcat(1) - arbitrary TCP and UDP connections and listens
