Tools
Nmap
Probing for readable topics and messages via subscribe
```shell
nmap <host> -p1883 --script=mqtt-subscribe.nse
```
If the broker does not allow unauthenticated access, the result is:
```
PORT     STATE SERVICE
1883/tcp open  mqtt
|_mqtt-subscribe: Connection rejected: Not Authorized
```
If unauthenticated access is allowed, the script lists the topics it could subscribe to together with their most recent payloads:
```
PORT     STATE SERVICE
1883/tcp open  xxx version x.x.x
| mqtt-subscribe:
|   Topics and their most recent payloads:
|   ……
|_  ……
```
For example:
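The "Not Authorized" result above is the broker's CONNACK answer to a CONNECT that carries no credentials (return code 0x05 in MQTT 3.1.1). The following is an added example, not code from the original post or from Nmap: it builds an MQTT 3.1.1 CONNECT packet without a user name or password, decodes the CONNACK return code, and can run that single check against a broker you administer; the client ID and the two sample CONNACK replies are constructed.

```python
import socket
from typing import Optional, Tuple
# MQTT 3.1.1 CONNACK return codes (spec section 3.2.2.3)
CONNACK_CODES = {0: "Connection Accepted", 1: "Unacceptable protocol version",
                 2: "Identifier rejected", 3: "Server unavailable",
                 4: "Bad user name or password", 5: "Not authorized"}

def _mqtt_string(s: str) -> bytes:
    """UTF-8 string with its 2-byte big-endian length prefix."""
    data = s.encode("utf-8")
    return len(data).to_bytes(2, "big") + data

def _remaining_length(n: int) -> bytes:
    """MQTT variable-length encoding of the remaining-length field."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def build_connect(client_id: str, username: Optional[str] = None,
                  password: Optional[str] = None, keepalive: int = 60) -> bytes:
    """Build an MQTT 3.1.1 CONNECT packet; leave credentials out for an anonymous probe."""
    flags, payload = 0x02, _mqtt_string(client_id)  # 0x02 = clean session
    if username is not None:
        flags |= 0x80
        payload += _mqtt_string(username)
    if password is not None:  # the spec requires a user name whenever a password is set
        flags |= 0x40
        payload += _mqtt_string(password)
    body = _mqtt_string("MQTT") + bytes([0x04, flags]) + keepalive.to_bytes(2, "big") + payload
    return b"\x10" + _remaining_length(len(body)) + body

def parse_connack(data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) from a CONNACK packet; anything else is an error."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError("not a CONNACK packet")
    code = data[3]
    return code == 0, CONNACK_CODES.get(code, f"Unknown return code {code}")

def check_anonymous(host: str, port: int = 1883, timeout: float = 5.0) -> Tuple[bool, str]:
    """Send an anonymous CONNECT to a broker you administer and decode its answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect("anon-audit"))  # constructed client ID
        return parse_connack(sock.recv(4))

# Constructed CONNACK replies: what an open broker and a locked-down broker send back
CONNACK_ACCEPTED = bytes([0x20, 0x02, 0x00, 0x00])
CONNACK_NOT_AUTHORIZED = bytes([0x20, 0x02, 0x00, 0x05])
```

A broker that answers an anonymous CONNECT with return code 0 is the case in which the Nmap script goes on to list topics; the fix on the broker side is to disable anonymous logins and require credentials.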
mqtt-pwn
The repository has not been updated for a long time: many of its dependencies only install under Python 3.6, and it needs a PostgreSQL database before it will start, so deploying it with Docker is the quickest and least troublesome option.
Installation
- Clone the repository:
```shell
git clone https://github.com/akamai-threat-research/mqtt-pwn.git
```
- Modify the Dockerfile. Because the jessie release is no longer supported, the package sources have to be switched to archive.debian.org; add the following line before RUN apt-get update:
```dockerfile
RUN mv /etc/apt/sources.list /etc/apt/sources.list.bak && echo "deb http://archive.debian.org/debian/ jessie main" >/etc/apt/sources.list && echo "deb-src http://archive.debian.org/debian/ jessie main" >>/etc/apt/sources.list && echo "deb http://archive.debian.org/debian-security jessie/updates main" >>/etc/apt/sources.list && echo "deb-src http://archive.debian.org/debian-security jessie/updates main" >>/etc/apt/sources.list
```
- Add --force-yes after apt-get install. This makes apt proceed without prompting even where it would otherwise refuse, including for packages it cannot authenticate, so the packages in the resulting image are installed unverified.
The modified Dockerfile is as follows:
```dockerfile
FROM python:3.6-jessie
RUN mv /etc/apt/sources.list /etc/apt/sources.list.bak && echo "deb http://archive.debian.org/debian/ jessie main" >/etc/apt/sources.list && echo "deb-src http://archive.debian.org/debian/ jessie main" >>/etc/apt/sources.list && echo "deb http://archive.debian.org/debian-security jessie/updates main" >>/etc/apt/sources.list && echo "deb-src http://archive.debian.org/debian-security jessie/updates main" >>/etc/apt/sources.list
RUN apt-get update
RUN apt-get install --force-yes software-properties-common less vim -y
ENV INSTALL_PATH /mqtt_pwn
RUN mkdir -p $INSTALL_PATH
WORKDIR $INSTALL_PATH
COPY requirements.txt requirements.txt
RUN pip install -r requirements.txt
COPY . .
```
- Build mqtt-pwn:
```shell
docker-compose up --build --detach
```
- Run mqtt-pwn:
```shell
docker-compose run cli
```
Brute forcing
```shell
bruteforce --host <host> --port <port>
```
Please credit the source when reposting. Checking the sources cited in this article is welcome, as is pointing out anything that is wrong or unclear, either in the comments below or by email to cnlnnn@qq.com.