|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +Most any MQTT instance will work. Instructions for testing against a Dockerized endpoint are provided below. |
| 4 | + |
| 5 | +### Docker Install |
| 6 | + |
| 7 | +A dockerized version of [mosquitto](https://mosquitto.org/) is available |
| 8 | +[here](https://github.com/toke/docker-mosquitto). There are two basic |
| 9 | +scenarios worth discussing -- mosquitto with anonymous authentication allowed |
| 10 | +and disallowed. The method for running both is similar. |
| 11 | + |
| 12 | +#### Docker MQTT Server With Anonymous Authentication |
| 13 | + |
| 14 | +By default, mosquitto does not require credentials and allows anonymous authentication. To run in this way: |
| 15 | + |
| 16 | +``` |
| 17 | +$ docker run -i -p 1883:1883 toke/mosquitto |
| 18 | +1513822879: mosquitto version 1.4.14 (build date Mon, 10 Jul 2017 23:48:43 +0100) starting |
| 19 | +1513822879: Config loaded from /mqtt/config/mosquitto.conf. |
| 20 | +1513822879: Opening websockets listen socket on port 9001. |
| 21 | +1513822879: Opening ipv4 listen socket on port 1883. |
| 22 | +1513822879: Opening ipv6 listen socket on port 1883. |
| 23 | +``` |
| 24 | + |
| 25 | +#### Docker MQTT Server Without Anonymous Authenticaiton |
| 26 | + |
| 27 | +Msquitto can be configured to require credentials. To run in this way: |
| 28 | + |
| 29 | + 1. Create a simple configuration file: |
| 30 | + ```` |
| 31 | + $ mkdir -p config && cat > config/mosquitto.conf |
| 32 | + password_file /mqtt/config/passwd |
| 33 | + allow_anonymous false |
| 34 | + ``` |
| 35 | + 2. Create a password file for mosquitto (this example creates a user test_user with password test_pass) |
| 36 | + ``` |
| 37 | + $ touch config/passwd && mosquitto_passwd -b config/passwd test_user test_pass |
| 38 | + ``` |
| 39 | + 1. Now run the dockerized mosquitto instance, mounting the configuration files from above for use at runtime: |
| 40 | + ``` |
| 41 | + $ docker run -ti -p 1883:1883 -v `pwd`/config/:/mqtt/config:ro toke/mosquitto |
| 42 | + 1513823564: mosquitto version 1.4.14 (build date Mon, 10 Jul 2017 23:48:43 +0100) starting |
| 43 | + 1513823564: Config loaded from /mqtt/config/mosquitto.conf. |
| 44 | + 1513823564: Opening ipv4 listen socket on port 1883. |
| 45 | + 1513823564: Opening ipv6 listen socket on port 1883. |
| 46 | + ``` |
| 47 | +
|
| 48 | +## Verification Steps |
| 49 | +
|
| 50 | +
|
| 51 | + 1. Install the application without credentials |
| 52 | + 2. Start msfconsole |
| 53 | + 3. Do: ```use auxiliary/scanner/mqtt/connect``` |
| 54 | + 4. Do: ```set rhosts [IPs]``` |
| 55 | + 5. Do: ```run``` |
| 56 | + 6. Confirm that the default or non-default credentials are discovered as configured |
| 57 | +
|
| 58 | +## Options |
| 59 | +
|
| 60 | + **CLIENT_ID** |
| 61 | +
|
| 62 | + When specified, this will set the ID of the client when connecting to the MQTT endpoint. While |
| 63 | + not all MQTT implementation support this, some, like mosquitto, support filtering by client ID and |
| 64 | + this option can be used in those scenarios. By default, a random ID is selected. |
| 65 | +
|
| 66 | +## Scenarios |
| 67 | +
|
| 68 | +### Docker MQTT Server Without Credentials |
| 69 | +``` |
| 70 | +``` |
| 71 | +
|
| 72 | +### Docker MQTT Server With Credentials |
| 73 | +``` |
| 74 | +``` |
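Review bot: The two Scenarios sections at new-file lines 68-74 contain empty code fences, so the document never shows what a run of auxiliary/scanner/mqtt/connect looks like against either Docker setup; add the msfconsole output for the anonymous broker and for the broker with test_user/test_pass. In the credentialed setup, the fence opened at line 30 has four backticks but is closed with three at line 34; in CommonMark a three-backtick line does not close a four-backtick fence, so the following steps can be swallowed into the code block. The third step at line 39 is numbered "1." after steps 1 and 2. The command at line 31, "cat > config/mosquitto.conf", does not show how the input ends; a heredoc or a note to finish with Ctrl-D would make the step reproducible. Step 2 at line 37 runs mosquitto_passwd outside the container, which assumes the mosquitto tools are installed on the host; state that prerequisite. Verification step 1 (line 51) says to install without credentials while step 6 (line 56) expects default or non-default credentials to be discovered; say which of the two Docker setups each step refers to. Typos: "Authenticaiton" (line 25), "Msquitto" (line 27), "not all MQTT implementation support" (line 63).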