impacket-mqtt_check
Check MQTT broker anonymous access or credentials
SYNOPSIS
impacket-mqtt_check <target> [-p PORT] [-u USER] [-P PASS] [--timeout TIMEOUT]
PARAMETERS
-h, --help
Show help message and exit
-p PORT, --port PORT
MQTT TCP port (default: 1883)
-u USER, --user USER
Username for authentication (anonymous if omitted)
-P PASS, --password PASS
Password for authentication
--timeout TIMEOUT
Connection/subscribe timeout in seconds (default: 10)
target
Target hostname or IP address (e.g., mqtt.example.com or 192.168.1.100)
DESCRIPTION
impacket-mqtt_check is a specialized tool from the Impacket suite for assessing the security of MQTT (Message Queuing Telemetry Transport) brokers. It is used primarily in penetration testing of IoT and industrial systems, where it attempts connections to MQTT servers on TCP port 1883 (the default) or a specified port. The tool checks whether anonymous access is permitted, attempts topic enumeration by subscribing to wildcards such as # or $SYS/#, and tests publish capabilities. If credentials are provided, it authenticates and probes further for misconfigurations.

Output includes broker details, supported protocols (MQTT v3.1, v3.1.1, v5), retained messages, and potential vulnerabilities such as open subscriptions. The tool logs connection status, the QoS levels tested, and any errors, which helps identify weak authentication or over-permissive topics. It is well suited to auditing SCADA/ICS environments, where MQTT is common. It requires the Impacket library and Python 3.
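What the anonymous-access check described above comes down to on the wire, as an added example (not code from Impacket or from this page): an MQTT 3.1.1 CONNECT packet sent with neither credential flag set, and the return code in the broker's CONNACK reply. The function names and the sample CONNACK bytes are constructed for illustration; nothing here opens a network connection.

```python
import struct

# MQTT 3.1.1 CONNACK return codes (byte 4 of the reply)
CONNACK_CODES = {0: "accepted", 1: "unacceptable protocol version",
                 2: "client identifier rejected", 3: "server unavailable",
                 4: "bad user name or password", 5: "not authorized"}
# Constructed sample replies, not captured from a real broker
SAMPLE_ACCEPT = b"\x20\x02\x00\x00"
SAMPLE_REFUSE = b"\x20\x02\x00\x05"

def _utf8(s):
    """MQTT string: 2-byte big-endian length prefix followed by UTF-8 bytes."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data

def _remaining_length(n):
    """Variable-length integer used in the fixed header (7 bits per byte)."""
    out = bytearray()
    while True:
        n, digit = divmod(n, 128)
        out.append(digit | (0x80 if n else 0))
        if not n:
            return bytes(out)

def build_connect(client_id, user=None, password=None, keepalive=60):
    """CONNECT packet; with user=None no credential flag is set (anonymous)."""
    flags = 0x02  # clean session
    payload = _utf8(client_id)
    if user is not None:
        flags |= 0x80  # username flag
        payload += _utf8(user)
        if password is not None:
            flags |= 0x40  # password flag
            payload += _utf8(password)
    body = _utf8("MQTT") + bytes([0x04, flags]) + struct.pack("!H", keepalive) + payload
    return b"\x10" + _remaining_length(len(body)) + body

def parse_connack(packet):
    """Return (session_present, return_code, meaning) for a 4-byte CONNACK."""
    if len(packet) != 4 or packet[0] != 0x20 or packet[1] != 0x02:
        raise ValueError("not a well-formed MQTT 3.1.1 CONNACK")
    code = packet[3]
    return bool(packet[2] & 0x01), code, CONNACK_CODES.get(code, "reserved")

def anonymous_allowed(connack):
    """True when the broker accepted a CONNECT that carried no credentials."""
    return parse_connack(connack)[1] == 0
```

A broker that requires authentication answers the credential-free CONNECT with return code 4 or 5; code 0 is the condition this tool reports as anonymous access.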
CAVEATS
May generate logs or alerts on monitored brokers. Requires outbound TCP access. Limited to basic checks; it does not perform full exploitation. The Python Impacket dependencies must be installed.
USAGE EXAMPLE
impacket-mqtt_check mqtt.example.com – checks anonymous access.
impacket-mqtt_check -u guest -P pass123 192.168.1.100 -p 8883 – authenticated check on TLS port.
OUTPUT SAMPLE
[+] MQTT Broker: test.mosquitto.org:1883 (v3.1.1)
[+] Anonymous subscribe to '#' allowed: 10 topics found.
[+] Retained messages present on 'sensor/temp'.
HISTORY
Developed as part of the Impacket project by SecureAuth Corporation (circa 2016+), with MQTT support added in community forks around 2020 for IoT pentesting. It evolved from protocol dissection scripts and is actively maintained in GitHub forks that followed the original repository.
SEE ALSO
mosquitto_sub(1), mosquitto_pub(1), nmap(1), netcat(1)


