Posted by: Bamric Security Team
MQTT (Message Queuing Telemetry Transport) is a lightweight messaging protocol designed for communication between applications and devices, especially in IoT (Internet of Things) systems. It supports a wide range of platforms, including web applications, desktop apps, mobile apps (Android and iOS), cloud services, and embedded systems.It operates on a publish/subscribe model, enabling devices to send and receive messages through a central server known as a broker. This means that with the protocol, you can exchange messages between devices to trigger actions and facilitate communication.
Suppose there is a robot and an application. With the help of the app, the robot can perform actions like move, stop, and more. The app sends commands like “move” or “stop” to the robot using MQTT. When the robot receives the message through the MQTT protocol, it executes the corresponding action.This is how MQTT is used for communication between IoT devices and applications, enabling devices to perform actions based on messages received.
robot/1/move to receive commands and that’s why when app sends command to move forward, robot receive this command and robot takes corresponding action.{ "command": "move_forward" }.MQTT (Message Queuing Telemetry Transport) is a lightweight, publish-subscribe messaging protocol widely used in IoT ecosystems — from smart home devices to industrial automation. This guide will walk you through setting up a lab environment for MQTT pentesting, including broker/client setup, traffic analysis, and solving Docker connectivity issues.
To perform MQTT pentesting, you’ll need the following:
mosquitto_pub and mosquitto_sub).We’ll run the broker inside a Docker container using the official Eclipse Mosquitto image.
docker pull eclipse-mosquitto
docker run -it -p 1883:1883 -p 9001:9001 eclipse-mosquitto
Install Mosquitto clients on your host machine (MacOS):
brew install mosquitto
Step 3: Subscribe & Publish to a Topic
Subscribe to a Topic (Terminal 1)
mosquitto_sub -h localhost -t robot/1/move
This command will stay in a waiting state until it receives a message from a publisher.
Publish a Topic (Terminal 2)
mosquitto_pub -h localhost -t robot/1/move -m “move_forward”
If you’re running Mosquitto inside Docker on macOS, you might notice that messages don’t appear in the subscriber terminal. Why?
By default, Docker isolates the container’s network. So your host’s MQTT client (running on localhost) cannot directly communicate with the broker inside Docker.
During pentesting or lab setup, it’s common to run into issues where the MQTT clients fail to connect to the broker or messages aren’t delivered. To debug these issues effectively, you’ll want to inspect the Mosquitto broker logs.
Since our broker is running inside a Docker container, we can use Docker’s built-in logging commands to view real-time output.
Docker assigns a random name to containers if you don’t specify one. For example, your container might be named agitated_fermi.
To view all log output from that container:
docker logs agitated_fermi
mosquitto.confWe need to provide a custom configuration file that:
1883Now run the container with this config mounted inside:
docker run -it \
— name mqtt-broker \
-p 1883:1883 \
-v /Users/vaishali/mosquitto.conf:/mosquitto/config/mosquitto.conf \
eclipse-mosquitto
Now if you publish a message it will work properly and displayed on sibscriber terminal.
Wireshark on macOS cannot directly capture Docker container traffic using its default interfaces.
We’ll use tcpdump inside the Docker network and then import the capture into Wireshark.
docker run -it — net container:mqtt-broker — name mqtt-sniffer ubuntu bash
2. Install tcpdump in the container:
apt update && apt install tcpdump -y
3. Capture MQTT traffic:
tcpdump -i any port 1883 -w /tmp/mqtt_traffic.pcap
4. In a new terminal, copy the capture file to your host:
docker cp mqtt-sniffer:/tmp/mqtt_traffic.pcap ./mqtt_traffic.pcap
5. Open it in Wireshark on your host:
Apply a filter to display only MQTT traffic in the capture.
In our lab environment, we’re using Docker to run the MQTT broker — which creates a bit of complexity when it comes to capturing network traffic. Since Docker on macOS uses a virtualized network interface, we can’t directly capture MQTT packets with Wireshark from the host system.
To work around this, we capture the traffic inside the Docker network using tcpdump, then export the capture file (.pcap) and analyze it with Wireshark.
However, in a real-world scenario, you typically don’t need this workaround.
In Real Attacks (or Live Environments)
If the MQTT broker is running on a physical device or VM connected to the same network (e.g., an IoT gateway, server, or router), then:
If the MQTT broker is hosted on a physical device or VM connected to a different network — such as when you’re controlling a smart device located in another city using a mobile app — the traffic typically won’t appear in Wireshark, since it doesn’t pass through your local network interface. However, if you’re using a browser or app based MQTT client and have configured Burp Suite as your proxy, you can still inspect the MQTT communication in Burp’s WebSocket tab, as it captures traffic directly from their.
This makes things faster and closer to how an attacker or pentester would operate in the field — monitoring live MQTT traffic as it flows between devices and the broker.
In this blog, we focused on setting up a practical MQTT pentesting lab using Docker, configuring the Mosquitto broker, and capturing MQTT traffic effectively — even dealing with challenges like Docker’s networking on macOS.
We demonstrated how to:
tcpdump inside Docker and analyze it in WiresharkIn the next blog, we’ll dive deeper into common MQTT attacks and vulnerabilities, exploring:
Stay tuned to learn how to turn your MQTT lab into a powerful pentesting playground and sharpen your IoT security skills!
Bamric Security Solutions, Believes in providing top-notch security. Let’s make cyberspace a safer place together.
