Internet of Things security: the MQTT protocol

This article is reproduced from: https://blog.csdn.net/We8__/article/details/128441857

About MQTT

MQTT is a client-server message publish/subscribe transport protocol. It is lightweight, simple, open and easy to implement, which makes it applicable in many situations, including constrained environments such as machine-to-machine (M2M) communication and the Internet of Things (IoT). It is used extensively in sensors that communicate over satellite links, medical devices that dial in only occasionally, smart homes, and small embedded devices.

Introduction to MQTT

Several elements of MQTT:

1. Client: a program or device that uses MQTT, generally either a publisher or a subscriber.

2. Server: the Broker that sits between publishers and subscribers.

3. Topic: a label attached to a message; the Broker delivers the message to every subscriber of that topic.

4. Topic Filter: when subscribing, a subscriber can use wildcards to subscribe to one or more topics at once.

MQTT is based on the publish/subscribe model, and subscriptions and publications are organised by topic (Topic). MQTT runs on top of the TCP/IP protocol family. A typical MQTT message send/receive sequence is as follows:

1. The Publisher connects to the Broker;

2. The Subscriber connects to the Broker and subscribes to a topic (Topic);

3. The Publisher sends a message to the Broker with that Topic;

4. The Broker receives the Publisher's message, finds that the Subscriber has subscribed to the Topic, and forwards the message to the Subscriber.

A simple way to picture MQTT is the way Weibo works. When you (the Subscriber) click to follow a blogger (the Publisher), you have subscribed to that blogger (connected to the Broker). When the blogger posts a Weibo message (publishes a message), the Weibo server (the Broker) forwards the post from the blogger you follow to you (the subscribed message), which completes the message delivery.

MQTT server setup

Eclipse Mosquitto is an open source message broker that implements MQTT protocol versions 3.1 and 3.1.1. Mosquitto is lightweight and suitable for everything from low-power single-board computers to full servers. The Mosquitto project also provides a C library for implementing MQTT clients, as well as the very popular mosquitto_pub and mosquitto_sub command-line MQTT clients (translated from the project description).

To install Mosquitto, first add the mosquitto PPA:

sudo apt-add-repository ppa:mosquitto-dev/mosquitto-ppa

Then install the mosquitto broker and the mosquitto-clients package:

sudo apt install mosquitto
sudo apt install mosquitto-clients

Next, start the mosquitto service and check that the mosquitto process is running. In the process list you can see the path of the configuration file after the -c parameter of mosquitto:

sudo service mosquitto start

ps aux | grep mosquitto
# or
sudo service mosquitto status

Next, test the MQTT workflow. In one terminal, start a subscriber:

mosquitto_sub -t "topic_name"

Then open another terminal and publish a message:

mosquitto_pub -t "topic_name" -m "this is a test"

The subscriber terminal receives the message; each time the publisher sends again, the subscriber receives the message again.

We can add a user; here I created a user named example with the password example:

sudo mosquitto_passwd -c /etc/mosquitto/example example

In the "/etc/mosquitto" directory you can now see the password file just created, containing the entry for the example user.

Next we add a configuration file that uses this password file and run the broker with it. First stop the "mosquitto" service, then create a default.conf in the "/etc/mosquitto/conf.d" directory (you can also copy the "/usr/share/doc/mosquitto/example/mosquitto.conf" file and modify it as required), then restart the mosquitto service and check that it started.

Now repeat the publish/subscribe steps above, using the -u parameter to specify the user name and the -P parameter to supply the password.
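The article does not show the contents of default.conf. As an added example (not from the original article), this is a minimal Mosquitto configuration that turns off anonymous access and points the broker at the password file created with mosquitto_passwd above; the file path /etc/mosquitto/example and the listener port 1883 are taken from the commands earlier on this page:

```conf
# /etc/mosquitto/conf.d/default.conf  (added example, not the article's own file)

# Listen on the default MQTT port (1883). Mosquitto 2.x only accepts remote
# connections when a listener is configured explicitly.
listener 1883

# Reject CONNECT packets that carry no username/password.
# With allow_anonymous true, anyone who can reach the port can subscribe to
# every topic and publish to every topic, which is exactly the exposure the
# "MQTT Connection Code: 0" search results later in this article rely on.
allow_anonymous false

# Password file created with: sudo mosquitto_passwd -c /etc/mosquitto/example example
password_file /etc/mosquitto/example
```

After restarting the service, mosquitto_sub and mosquitto_pub without -u/-P should now be refused (the broker returns a CONNACK with a non-zero return code), while the same commands with -u example -P example behave as before.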

The above operations are all run in a Linux terminal; on Windows the MQTT X tool can be used. MQTT X is a cross-platform MQTT 5.0 desktop client open sourced by EMQ that runs on macOS, Linux and Windows. Its user interface simplifies the operation logic of the page in the style of a chat application. Users can quickly create and save connections, establish multiple client connections at the same time, and conveniently test MQTT/TCP and MQTT/TLS connections, publish/subscribe and other features.

After downloading MQTT X from its official website, we can use Wireshark to capture packets and analyse the whole process. First start Wireshark capturing, then open MQTT X and create a new connection, as shown in the figure below. The name here is "mqtt_test", the Client ID is assigned by default, the server address protocol is "mqtt://" followed by "broker.emqx.io" (the public MQTT server provided free of charge by EMQ X Cloud), and the port is 1883, which can be modified. The username and password can be set to anything. Once set, click connect.

Change the msg value below to the content we want to send and click the small paper-plane icon to send it. You can then see the message being published and received by the subscription.

After the whole process is complete, click the disconnect button in MQTT X. Then enter "mqtt" in the Wireshark filter. Sorted by time, you can see that the client first sent a Connect request to the Broker, and the server then responded with an ACK indicating that the login succeeded. Double-clicking the Connect Command packet shows the detailed hexadecimal bytes of the packet in the window below.

Next, check the Connect Ack packet: the server responded with "20 02 00 00", which means the login succeeded.

Next, look at the Subscribe and Publish packets of the MQTT protocol. You can see that the client subscribed to a topic ("test_topic/1111").

The Broker returned "90 03 99 47 00", where "90" is the fixed header of the Subscribe ACK message, "03" is the remaining length, the next two bytes "99 47" are the packet identifier, and the final "00" is the return code.

When the Publisher pushes a Payload to this topic, the Broker forwards the Payload to every Subscriber of the topic. This completes the process.
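The two byte strings quoted above ("20 02 00 00" and "90 03 99 47 00") can be decoded by hand with the MQTT 3.1.1 fixed-header rules. As an added example, not code from the original article, the following stdlib-only Python decodes the CONNACK and SUBACK packets from the capture, and encodes the CONNECT packet that MQTT X sends (with the optional username/password fields), so the bytes seen in Wireshark can be reproduced offline. The CONNACK return-code table is the one from the MQTT 3.1.1 specification and is the same table behind the "MQTT Connection Code" values discussed later on this page; the client id and credentials used in the sample are constructed.

```python
"""Minimal MQTT 3.1.1 packet helpers (added example; stdlib only)."""
import struct

# CONNACK return codes from the MQTT 3.1.1 specification (section 3.2.2.3).
CONNACK_CODES = {
    0: "Connection Accepted",
    1: "Connection Refused, unacceptable protocol version",
    2: "Connection Refused, identifier rejected",
    3: "Connection Refused, Server unavailable",
    4: "Connection Refused, bad user name or password",
    5: "Connection Refused, not authorized",
}


def encode_remaining_length(length):
    """Variable-length 'Remaining Length' field: 7 bits per byte, high bit = continue."""
    if not 0 <= length <= 268435455:
        raise ValueError("remaining length out of range")
    out = bytearray()
    while True:
        byte = length % 128
        length //= 128
        if length > 0:
            byte |= 0x80
        out.append(byte)
        if length == 0:
            return bytes(out)


def decode_remaining_length(data, offset):
    """Return (value, next_offset) for the Remaining Length starting at data[offset]."""
    multiplier, value = 1, 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated remaining length")
        byte = data[offset]
        offset += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset
        multiplier *= 128
        if multiplier > 128 ** 3:      # spec allows at most 4 bytes
            raise ValueError("malformed remaining length")


def parse_packet(data):
    """Split a control packet into (packet_type, flags, body) and validate its length."""
    packet_type, flags = data[0] >> 4, data[0] & 0x0F
    remaining, offset = decode_remaining_length(data, 1)
    body = data[offset:offset + remaining]
    if len(body) != remaining:
        raise ValueError("truncated packet")
    return packet_type, flags, body


def decode_connack(data):
    """CONNACK (type 2): body = [ack flags][return code]."""
    ptype, _, body = parse_packet(data)
    if ptype != 2 or len(body) != 2:
        raise ValueError("not a CONNACK packet")
    code = body[1]
    return {"session_present": bool(body[0] & 0x01), "return_code": code,
            "meaning": CONNACK_CODES.get(code, "reserved")}


def decode_suback(data):
    """SUBACK (type 9): body = [packet id (2 bytes)][one return code per topic filter]."""
    ptype, _, body = parse_packet(data)
    if ptype != 9 or len(body) < 3:
        raise ValueError("not a SUBACK packet")
    packet_id = struct.unpack("!H", body[:2])[0]
    codes = list(body[2:])
    # 0x00/0x01/0x02 = subscription granted at that QoS, 0x80 = failure
    results = ["failure" if c == 0x80 else "granted QoS %d" % c for c in codes]
    return {"packet_id": packet_id, "return_codes": codes, "results": results}


def _mqtt_string(s):
    """UTF-8 string prefixed with a 2-byte big-endian length."""
    raw = s.encode("utf-8")
    return struct.pack("!H", len(raw)) + raw


def encode_connect(client_id, username=None, password=None, keepalive=60):
    """Build a CONNECT packet (type 1) for protocol level 4 (MQTT 3.1.1), clean session."""
    flags = 0x02                                   # clean session
    payload = _mqtt_string(client_id)
    if username is not None:
        flags |= 0x80
        payload += _mqtt_string(username)
    if password is not None:
        flags |= 0x40
        payload += _mqtt_string(password)
    variable_header = _mqtt_string("MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive)
    body = variable_header + payload
    return bytes([0x10]) + encode_remaining_length(len(body)) + body


if __name__ == "__main__":
    # Constructed sample bytes: the two packets quoted from the Wireshark capture above.
    print(decode_connack(bytes.fromhex("20020000")))
    print(decode_suback(bytes.fromhex("9003994700")))
    print(encode_connect("c1", "example", "example").hex())
```

A quick way to use this on your own capture is to right-click an MQTT packet in Wireshark, choose "Copy as Hex Stream", and pass the result to `bytes.fromhex(...)`; a broker that accepts an anonymous CONNECT answers with return code 0 exactly as the CONNACK above shows.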

MQTT related vulnerabilities

Authorization and authentication vulnerabilities

MQTT is a machine-to-machine connectivity protocol designed as an extremely lightweight publish/subscribe messaging transport and is used by millions of IoT devices around the world. MQTT-PWN aims to be a one-stop shop for IoT Broker penetration testing and security assessment: it combines enumeration, support functions and exploitation modules, packaged in an easy-to-use and extensible shell-like command-line environment (translated from the project description).

Next, we use mqtt-pwn to demonstrate some MQTT authorization and authentication vulnerabilities. First install mqtt-pwn:

git clone https://github.com/akamai-threat-research/mqtt-pwn.git
cd mqtt-pwn
sudo docker-compose up --build --detach

Then start MQTT-PWN:

sudo docker-compose ps
sudo docker-compose run cli

The following figure shows MQTT-PWN running.

Some MQTT broker software exposed on the public Internet enables anonymous access by default. Searching for MQTT in Shodan, FOFA, ZoomEye and similar engines shows results containing "MQTT Connection Code: 0". When you connect to a Broker, an "MQTT Connection Code" of 0 in the result means the connection succeeded; a value of 4 means the username or password is wrong; a value of 5 means the Broker does not support username/password login.

Next, we use mqtt-pwn to connect. help shows the help information, and the connect command opens a connection. For a server with anonymous login enabled, use "connect -o host" directly; if no error is reported, the connection succeeded. After connecting, system_info shows system information. Then use discovery to start a scan, and wait for the scan to complete before continuing, otherwise an error is reported.

Use "scans -i id", where id is the id of the discovery scan you created. Then "topics" lists all discovered topics.

Enter `messages` to view the content received on those topics.

MQTT-PWN can also brute-force an MQTT Broker protected by a weak password, recover its username and password, and then access the Broker:

bruteforce --host host --port port

Whether brute forcing succeeds depends mainly on the quality of the dictionary you have collected, and on the speed of the network. The username and password are displayed once the attack succeeds. The "mqtt-pwn/resources/wordlists" directory holds the username and password dictionaries that mqtt-pwn uses, and you can add your own dictionaries there.

Transmission vulnerability

MQTT traffic can carry XSS attacks. CVE-2020-13821 is reproduced here; the version tested is HiveMQ 4.3.2. We use docker to build the environment, which is the most convenient way to reproduce it.

sudo docker pull hivemq/hivemq4:4.3.2
 
sudo docker run -p 8080:8080 -p 1883:1883 hivemq/hivemq4:4.3.2

Once the environment is up, open the IP address in a browser and confirm that the control centre is running normally.

Use the MQTT X tool described above to connect. Create a new connection and fill in any name; the Client ID field is the injection point, so set it to "<img/src=x οnerrοr=alert(1)>", and set the port to the port mapped by docker. Once set, click connect to connect and send.

After the connection succeeds, switch to the browser to verify.

Click Clients, then click "Refresh Snapshot" to trigger execution of the payload.

Application vulnerability

Take EMQX as an example. EMQX is a large-scale, elastically scalable, cloud-native distributed IoT MQTT message server. Described as the world's most scalable MQTT message server, EMQX provides efficient and reliable connections for massive numbers of IoT devices, moves and processes message and event stream data in real time with high performance, and helps build business-critical IoT platforms and applications.

Searching the EMQX documentation yields useful information.

Take the default username and password as an example: searching FOFA or Shodan for port 18083 and a title containing "dashboard" finds EMQX-related sites. These can then be logged into with the default username and password.

Other vulnerabilities

For clients whose account credentials cannot be obtained by ordinary means, we can extract the device firmware, reverse-engineer it, and then extract the certificate or account credentials from its file system. Where MQTT is used over an encrypted channel, the firmware can be extracted to analyse the encryption process, decrypt the traffic, and carry out subsequent attack steps.

Summary

In this section, we briefly introduced MQTT security-related content, used Mosquitto and MQTT X to walk through the complete MQTT message transmission process, and then reproduced common MQTT vulnerabilities in several categories. Finally, I would like to remind everyone that it is best to build your own service for testing while learning, and not to test against or damage machines on the network.


Origin: blog.csdn.net/qq_50854662/article/details/131408798