Add WIP documentation for auxiliary/scanner/mqtt/connect

MS-2855/keylogger-mettle-extension
Jon Hart 2017-12-20 18:45:10 -08:00
parent 298cb16b1a
commit 0f72ce1ee5
No known key found for this signature in database
GPG Key ID: 2FA9F0A3AFA8E9D3
1 changed file with 74 additions and 0 deletions


@ -0,0 +1,74 @@
## Vulnerable Application
Most any MQTT instance will work. Instructions for testing against a Dockerized endpoint are provided below.
### Docker Install
A dockerized version of [mosquitto](https://mosquitto.org/) is available
[here](https://github.com/toke/docker-mosquitto). There are two basic
scenarios worth discussing -- mosquitto with anonymous authentication allowed
and disallowed. The method for running both is similar.
#### Docker MQTT Server With Anonymous Authentication
By default, mosquitto does not require credentials and allows anonymous authentication. To run in this way:
```
$ docker run -i -p 1883:1883 toke/mosquitto
1513822879: mosquitto version 1.4.14 (build date Mon, 10 Jul 2017 23:48:43 +0100) starting
1513822879: Config loaded from /mqtt/config/mosquitto.conf.
1513822879: Opening websockets listen socket on port 9001.
1513822879: Opening ipv4 listen socket on port 1883.
1513822879: Opening ipv6 listen socket on port 1883.
```
#### Docker MQTT Server Without Anonymous Authenticaiton
Msquitto can be configured to require credentials. To run in this way:
1. Create a simple configuration file:
````
$ mkdir -p config && cat > config/mosquitto.conf
password_file /mqtt/config/passwd
allow_anonymous false
```
2. Create a password file for mosquitto (this example creates a user test_user with password test_pass)
```
$ touch config/passwd && mosquitto_passwd -b config/passwd test_user test_pass
```
1. Now run the dockerized mosquitto instance, mounting the configuration files from above for use at runtime:
```
$ docker run -ti -p 1883:1883 -v `pwd`/config/:/mqtt/config:ro toke/mosquitto
1513823564: mosquitto version 1.4.14 (build date Mon, 10 Jul 2017 23:48:43 +0100) starting
1513823564: Config loaded from /mqtt/config/mosquitto.conf.
1513823564: Opening ipv4 listen socket on port 1883.
1513823564: Opening ipv6 listen socket on port 1883.
```
## Verification Steps
1. Install the application without credentials
2. Start msfconsole
3. Do: ```use auxiliary/scanner/mqtt/connect```
4. Do: ```set rhosts [IPs]```
5. Do: ```run```
6. Confirm that the default or non-default credentials are discovered as configured
## Options
**CLIENT_ID**
When specified, this will set the ID of the client when connecting to the MQTT endpoint. While
not all MQTT implementation support this, some, like mosquitto, support filtering by client ID and
this option can be used in those scenarios. By default, a random ID is selected.
## Scenarios
### Docker MQTT Server Without Credentials
```
```
### Docker MQTT Server With Credentials
```
```
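Review bot: the Verification Steps and Options sections do not line up with the two Docker setups described above. Step 1 says `Install the application without credentials`, yet step 6 expects `Confirm that the default or non-default credentials are discovered as configured`, and the Options section documents only CLIENT_ID, so a reader has no way to tell which module options carry the test_user/test_pass pair created for the password_file setup; either add a verification pass for the credentialed instance together with the options it needs, or limit step 6 to the anonymous case. The two Scenarios subsections are empty fences and should either get sample module output or be left out until it exists. The markdown also breaks at the config-file step: the opening fence there is four backticks (````) while the closing one is three, so everything after it renders as one code block; the steps in that section are numbered 1, 2, 1; and "Authenticaiton" and "Msquitto" are typos for "Authentication" and "Mosquitto".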