MQTT
aka mosquitto
Lightweight IoT pub/sub messaging on 1883 (8883 TLS). Brokers are frequently anonymous — subscribe to '#' and every message on the broker streams to you, often including sensor data, commands and credentials.
Ports
| Port | Proto | Notes |
|---|---|---|
| 1883 | tcp | MQTT |
| 8883 | tcp | MQTT over TLS |
Fingerprint
- nmap mqtt-subscribe returns published topics
- CONNACK accepted with no credentials
Exploitation primitives
- Anonymous connect → subscribe to the '#' wildcard and read every topic
- Messages leak device telemetry, commands and sometimes creds/tokens
- Publish to control topics to actuate devices (lights, locks, ICS)
Overview
MQTT on 1883 is the IoT message bus. Brokers default to no auth, so subscribing to the wildcard topic dumps everything flowing through.
Enumeration
nmap topic discovery:
nmap -p1883 --script mqtt-subscribe <TARGET>
Subscribe to every topic (the big win):
mosquitto_sub -h <TARGET> -t '#' -v
Publish (control devices):
mosquitto_pub -h <TARGET> -t 'home/door/cmd' -m 'unlock'
Hardening
Require username/password (or client certs), disable anonymous access, and use TLS on 8883.
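One way to check a broker's configuration against these three points, as an added example that is not from the original page: a small Python audit of mosquitto.conf text. It assumes auth options apply broker-wide (per_listener_settings off) and recognises only password_file and certificate-based TLS; both sample configs and their file paths are constructed.

```python
# Added example: audit mosquitto.conf text for the hardening points above.
# Assumption: auth options apply broker-wide (per_listener_settings off).
AUTH_KEYS = {"allow_anonymous", "password_file"}
WEAK_CONF = """\
# constructed sample: anonymous plaintext broker
listener 1883
allow_anonymous true
"""
HARDENED_CONF = """\
# constructed sample: password auth, TLS-only listener (paths are placeholders)
allow_anonymous false
password_file /etc/mosquitto/passwd
listener 8883
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
"""

def parse(conf_text):
    """Split options into broker-wide ones and per-listener ones."""
    global_opts, listeners, current = {}, [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = (s.strip() for s in line.partition(" "))
        if key == "listener":
            current = {"port": value.split()[0] if value else "?", "opts": {}}
            listeners.append(current)
        elif current is None or key in AUTH_KEYS:
            global_opts[key] = value
        else:
            current["opts"][key] = value
    return global_opts, listeners

def audit(conf_text):
    """Return a list of findings; an empty list means all three points hold."""
    global_opts, listeners = parse(conf_text)
    findings = []
    if global_opts.get("allow_anonymous") != "false":
        findings.append("allow_anonymous is not explicitly set to false")
    for lst in listeners:
        opts = lst["opts"]
        tls = "certfile" in opts and "keyfile" in opts
        if not tls:
            findings.append(f"listener {lst['port']}: plaintext (no certfile/keyfile)")
        client_certs = tls and opts.get("require_certificate") == "true"
        if "password_file" not in global_opts and not client_certs:
            findings.append(f"listener {lst['port']}: no password_file or client certs")
    return findings
```

`audit(WEAK_CONF)` returns three findings (anonymous access, plaintext listener, no credentials); `audit(HARDENED_CONF)` returns an empty list.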