MQTT Pentesting Tool by Red Alert Labs: RALMQTT

· Industry Applications and Use Cases, Technical and Security Deep Dives

In this new article, we invite you to discover how easily you can secure MQTT networks with RALMQTT, our pentesting tool designed for MQTT brokers, and to take your knowledge further with our downloadable report, "MQTT: From Zero to Hero" (you can find it at the end of this article).

This report is the centerpiece of our exploration, offering a deep dive into MQTT protocol vulnerabilities and practical security measures. With detailed guidance and expert insights, it equips you to navigate the complexities of MQTT security like a pro.

But before that, in this article, you’ll also find:

  • An embedded video tutorial demonstrating the tool’s capabilities in real-world scenarios.
  • Step-by-step instructions for installing and using RALMQTT.

Installation process:

Getting started with our tool is easy: it takes a few commands and you are all set.

  1. First, clone the repository: git clone https://github.com/Red-Alert-Labs/ralmqtt/
  2. Next, create a virtual environment to manage the Python package versions and avoid compatibility problems: python3 -m venv VENVMQTT
  3. Now that the virtual environment is created, activate it: source VENVMQTT/bin/activate
  4. Finally, install the required packages: pip install -r requirements.txt

And voilà ! You are all set :)

Overview of the tool :

  • Discovery: Gathers information about the broker (authentication, version, clients, uptime, etc.).
  • Bruteforce: Allows user-password bruteforce (the default wordlist is based on Mirai).
  • DoS: Implements the method described in this paper by Ivan Vaccari, Maurizio Aiello, and Enrico Cambiaso.

These 3 modules can be used together to set up a realistic attack scenario, for example:

  1. Discovery: Gather info on the broker and find that it requires username/password authentication.
  2. Bruteforce: Try to bruteforce login credentials. If successful, launch Discovery mode again with the credentials.
  3. DoS: If bruteforce fails, sniff valid CONNECT packets. One way is through a MITM attack (like ARP poisoning) between a client and the broker. Launch a DoS attack on the broker until keepalive messages fail, forcing every client-broker TCP connection to close. Once the attack is stopped, the client establishes a new connection and voilà! Since a MITM is in place, we can freely sniff valid credentials and the clientId.
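Seen from the broker's side, the bruteforce and DoS stages of this scenario leave distinct traces in the connection log. The following is an added example, not part of RALMQTT or the original article, that flags them over a constructed log; the line shapes are modelled on Mosquitto's log output, and the thresholds, IP addresses and client names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Line shapes modelled on Mosquitto's connection log (assumption: adapt to your broker).
NEW_CONN = re.compile(r"^(\d+): New connection from ([\d.]+):\d+ on port \d+\.$")
AUTH_FAIL = re.compile(r"^(\d+): Client (\S+) disconnected, not authorised\.$")
TIMEOUT = re.compile(r"^(\d+): Client (\S+) has exceeded timeout, disconnecting\.$")

def analyse(lines, window=60, max_conn_per_ip=10, max_auth_fail=10, min_timeouts=3):
    """Return (window_start, kind, details) alerts; all thresholds are illustrative."""
    conns, fails, timeouts = defaultdict(Counter), Counter(), defaultdict(set)
    for line in lines:
        line = line.strip()
        if m := NEW_CONN.match(line):
            conns[int(m[1]) // window][m[2]] += 1
        elif m := AUTH_FAIL.match(line):
            fails[int(m[1]) // window] += 1
        elif m := TIMEOUT.match(line):
            timeouts[int(m[1]) // window].add(m[2])
    alerts = []
    for w in sorted(set(conns) | set(fails) | set(timeouts)):
        noisy = sorted(ip for ip, n in conns[w].items() if n > max_conn_per_ip)
        if fails[w] > max_auth_fail:
            # Many rejected CONNECTs: credential guessing; noisy IPs are the suspects.
            alerts.append((w * window, "bruteforce", noisy))
        elif noisy:
            # Many connections but no auth failures: slots held open (slow DoS pattern).
            alerts.append((w * window, "connection-flood", noisy))
        if len(timeouts[w]) >= min_timeouts:
            # Several distinct clients losing keepalive at once: broker is starved.
            alerts.append((w * window, "keepalive-timeouts", sorted(timeouts[w])))
    return alerts

def constructed_sample(t0=1700000040):
    """Constructed log: normal client, guessing burst, then a connection flood."""
    log = [f"{t0}: New connection from 192.168.50.10:40000 on port 1883."]
    for i in range(15):   # window 1: 15 rejected logins from one host
        log.append(f"{t0 + 60 + i}: New connection from 192.168.50.23:{41000 + i} on port 1883.")
        log.append(f"{t0 + 60 + i}: Client <unknown> disconnected, not authorised.")
    for i in range(40):   # window 2: 40 connections opened and held
        log.append(f"{t0 + 120 + i}: New connection from 192.168.50.66:{42000 + i} on port 1883.")
    for i in range(3):    # window 3: legitimate sensors time out
        log.append(f"{t0 + 180 + i}: Client sensor-{i + 1} has exceeded timeout, disconnecting.")
    return log

if __name__ == "__main__":
    for alert in analyse(constructed_sample()):
        print(alert)
```

The rejected-login lines carry no source address, so the suspects reported for a bruteforce window are the hosts that opened an unusual number of connections in that same window.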

Usage and examples :

python3 ralmqtt.py -m <mode> -a <addr> [-P <port>] [-p <password>] [-u <user>]

Options:

  • -m, --mode Mode (choose from : discovery/dos/bruteforce)
  • -a, --addr Broker's address
  • -P, --port Broker's port (default value being 1883)
  • -p, --password Broker's password (optional)
  • -u, --user Broker's username (optional)
  • -w, --wordlist Password wordlist for bruteforce mode (default ./passwords.t

This command runs ralmqtt in discovery mode to find information about the MQTT broker at test.mosquitto.org.

python3 ralmqtt.py -a test.mosquitto.org -m discovery

Figure 1 : Discovery mode on test.mosquitto.org


Brute force mode

This command runs ralmqtt in bruteforce mode against the MQTT broker at 192.168.50.1, using the specified wordlist /usr/share/wordlists/rockyou.txt.
python3 ralmqtt.py -m bruteforce -a 192.168.50.1 -w /usr/share/wordlists/rockyou.txt

Figure 2 : Brute force mode on broker


DoS mode

This command runs ralmqtt in DoS mode to perform a Slow Denial of Service attack against the MQTT broker at 192.168.246.147.
python3 ralmqtt.py -m dos -a 192.168.246.147

Figure 3 : DoS mode on broker

DoS Verification

You will also find a testdos.sh script in this repository. As its name suggests, the goal of this script is to test the DoS mode of the tool. Download the script, change its execution permission and execute it.

Figures 4 and 5 : changing execution permission and executing the script

It will publish a message to the topic test/dos saying that the broker is still up. In a different terminal, launch the following command: mosquitto_sub -h broker_addr -t 'test/dos'


Figure 6 : listening for the messages

Final thoughts

In this short article we introduced our MQTT pentesting tool, how to install it and the different modules it includes. Stay tuned for more articles to learn more about IoT security and Red Alert Labs : your IoT Cybersecurity trusted partner.

And last but not least...

Download Full Report
Paul Lemale

