
MQTT Pentesting Tool by Red Alert Labs: RALMQTT

June 30, 2024

In this new article we invite you to discover how easily you can secure MQTT networks with RALMQTT, our pentesting tool designed for MQTT brokers, and to take your knowledge further with our downloadable report (you can find it at the end of this article), "MQTT: From Zero to Hero."

This report is the centerpiece of our exploration, offering a deep dive into MQTT protocol vulnerabilities and practical security measures. With detailed guidance and expert insights, it equips you to navigate the complexities of MQTT security like a pro.

But before that, in this article, you’ll also find:

  • An embedded video tutorial demonstrating the tool’s capabilities in real-world scenarios.
  • Step-by-step instructions for installing and using RALMQTT.

Installation process:

Getting started with our tool is fairly easy: a few commands and you are all set.

  1. First, clone the repository: git clone https://github.com/Red-Alert-Labs/ralmqtt/
  2. Second, create a virtual environment to manage the Python package versions and avoid compatibility problems: python3 -m venv VENVMQTT
  3. Now that the virtual environment is created, activate it: source VENVMQTT/bin/activate
  4. Finally, install the required packages: pip install -r requirements.txt

And voilà! You are all set :)

Overview of the tool:

  • Discovery: gathers information about the broker (authentication, version, clients, uptime, etc.).
  • Bruteforce: performs username/password bruteforce (the default wordlist is based on Mirai).
  • DoS: implements the method described in this paper by Ivan Vaccari, Maurizio Aiello, and Enrico Cambiaso.

These three modules can be used together to set up a realistic attack scenario, for example:

  1. Discovery: gather information on the broker, which requires username/password authentication.
  2. Bruteforce: try to bruteforce the login credentials. If successful, launch Discovery mode again with the credentials.
  3. DoS: if the bruteforce fails, sniff valid CONNECT packets. One way is a MITM position (such as ARP poisoning) between a client and the broker. Launch a DoS attack on the broker until keepalive messages fail, forcing every client-broker TCP connection to drop. Once the attack is stopped, the client establishes a new connection and voilà! Since the MITM is in place, the valid credentials and clientId can be read off the wire.
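The scenario above works because an MQTT 3.1.1 CONNECT packet carries the clientId, username and password in cleartext unless the connection is wrapped in TLS, which is why a plaintext listener on port 1883 deserves a finding. The following is an added example, not RALMQTT's code: it decodes a CONNECT packet the way a traffic audit or IDS rule would and flags cleartext credentials; the sample packets, client id, username and password are constructed values.

```python
# Added example (not RALMQTT code): decode an MQTT 3.1.1 CONNECT packet the way
# a traffic audit would and flag credentials sent without TLS. Samples are constructed.
import struct

def _remaining_length(buf, pos):  # variable-length int: 7 bits/byte, max 4 bytes
    value, mult = 0, 1
    for _ in range(4):
        byte, pos = buf[pos], pos + 1
        value += (byte & 0x7F) * mult
        if not byte & 0x80:
            return value, pos
        mult *= 128
    raise ValueError("malformed remaining length")

def _utf8_string(buf, pos):  # 2-byte big-endian length prefix + UTF-8 bytes
    length = struct.unpack_from("!H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + length].decode("utf-8"), pos + 2 + length

def parse_connect(packet):
    """Return the CONNECT fields relevant to an audit; the password is skipped, not kept."""
    if packet[0] != 0x10: raise ValueError("not a CONNECT packet")
    remaining, pos = _remaining_length(packet, 1)
    end = pos + remaining
    proto, pos = _utf8_string(packet, pos)
    level, flags = packet[pos], packet[pos + 1]
    keepalive = struct.unpack_from("!H", packet, pos + 2)[0]
    client_id, pos = _utf8_string(packet, pos + 4)
    info = {"protocol": proto, "level": level, "keepalive": keepalive,
            "client_id": client_id, "clean_session": bool(flags & 0x02),
            "username": None, "has_password": bool(flags & 0x40)}
    if flags & 0x04:  # Will flag: skip will topic and will message
        pos = _utf8_string(packet, _utf8_string(packet, pos)[1])[1]
    if flags & 0x80:  # User Name flag
        info["username"], pos = _utf8_string(packet, pos)
    if flags & 0x40:  # Password flag: step over the bytes without decoding them
        pos += 2 + struct.unpack_from("!H", packet, pos)[0]
    if pos != end: raise ValueError("payload does not match remaining length")
    return info

def audit_connect(packet, over_tls=False):
    # Findings for one CONNECT seen on the wire (plain port 1883 means no TLS).
    info, findings = parse_connect(packet), []
    authenticated = info["username"] is not None or info["has_password"]
    if authenticated and not over_tls:
        findings.append("credentials sent in cleartext")
    if not authenticated:
        findings.append("anonymous CONNECT")
    return info, findings

# Constructed samples: an authenticated client and an anonymous one (same client id).
SAMPLE_AUTH = b"\x10\x23\x00\x04MQTT\x04\xc2\x00\x3c\x00\x09sensor-01\x00\x03iot\x00\x07hunter2"
SAMPLE_ANON = b"\x10\x15\x00\x04MQTT\x04\x02\x00\x3c\x00\x09sensor-01"
```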

Usage and examples:

python3 ralmqtt.py -m <mode> -a <addr> [-P <port>] [-p <password>] [-u <user>]

Options:

  • -m, --mode Mode (choose from: discovery/dos/bruteforce)
  • -a, --addr Broker's address
  • -P, --port Broker's port (default: 1883)
  • -p, --password Broker's password (optional)
  • -u, --user Broker's username (optional)
  • -w, --wordlist Password wordlist for bruteforce mode (default ./passwords.t

This command runs ralmqtt in discovery mode to find information about the MQTT broker at test.mosquitto.org.

python3 ralmqtt.py -a test.mosquitto.org -m discovery

Figure 1: Discovery mode on test.mosquitto.org


Brute force mode

This command runs ralmqtt in bruteforce mode against the MQTT broker at 192.168.50.1, using the specified wordlist /usr/share/wordlists/rockyou.txt.

python3 ralmqtt.py -m bruteforce -a 192.168.50.1 -w /usr/share/wordlists/rockyou.txt

Figure 2: Brute force mode on broker


DoS mode

This command runs ralmqtt in DoS mode to perform a slow Denial of Service attack against the MQTT broker at 192.168.246.147.

python3 ralmqtt.py -m dos -a 192.168.246.147

Figure 3: DoS mode on broker

DoS Verification

You will also find a testdos.sh script in the repository. As its name suggests, its goal is to test the DoS mode of the tool. Download the script, make it executable and run it.

Figures 4 and 5: making the script executable and running it

It publishes a message to the topic test/dos saying that the broker is still up. In a different terminal, launch the following command: mosquitto_sub -h broker_addr -t 'test/dos'


Figure 6: listening for the messages

Final thoughts

In this short article we introduced our MQTT pentesting tool, how to install it and the different modules it includes. Stay tuned for more articles to learn more about IoT security and Red Alert Labs, your trusted IoT cybersecurity partner.

And last but not least...