{"id":36027592,"url":"https://github.com/stfbk/mqttsa","last_synced_at":"2026-01-17T02:00:46.050Z","repository":{"id":45521425,"uuid":"191325692","full_name":"stfbk/mqttsa","owner":"stfbk","description":"A tool to assist IoT developers in securing MQTT-based IoT deployments","archived":false,"fork":false,"pushed_at":"2024-03-26T09:32:28.000Z","size":10456,"stargazers_count":34,"open_issues_count":0,"forks_count":8,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-03-26T10:46:50.354Z","etag":null,"topics":["mqtt","security"],"latest_commit_sha":null,"homepage":"https://sites.google.com/fbk.eu/mqttsa/home","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stfbk.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2019-06-11T08:16:54.000Z","updated_at":"2024-02-16T00:21:15.000Z","dependencies_parsed_at":"2024-03-26T10:54:55.516Z","dependency_job_id":null,"html_url":"https://github.com/stfbk/mqttsa","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/stfbk/mqttsa","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stfbk%2Fmqttsa","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stfbk%2Fmqttsa/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stfbk%2Fmqttsa/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stfbk%2Fmqttsa/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stfbk","download_url":"https://codeload.github.com/stfbk/mqttsa/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stfbk%2Fmqttsa/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28492047,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T00:50:05.742Z","status":"online","status_checked_at":"2026-01-17T02:00:07.808Z","response_time":85,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["mqtt","security"],"created_at":"2026-01-10T15:00:40.727Z","updated_at":"2026-01-17T02:00:46.019Z","avatar_url":"https://github.com/stfbk.png","language":"Python","funding_links":[],"categories":["Security, Encryption"],"sub_categories":["Misc"],"readme":"# MQTTSA\n\nThe goal of MQTTSA is to automatically detect misconfigurations in MQTT brokers, to provide a report (in a pdf format) of the potential vulnerabilities, and a list of (high level) mitigation measures to deploy. \n\n## Install\n\n**MQTTSA** requires (e.g., via `apt`) the following packets: `python3-pip tshark` -- to allow the execution as non-root user, select yes when prompted. Run `make` to install the additional requirements with `pip3` (from `requirements.txt` - please remove `fpdf` if already installed). If necessary, add the user to the `wireshark` group via `sudo adduser $USER wireshark`.\n\n## Usage\n\nRun the tool by specifying the broker address (IP/hostname): \n`python3 mqttsa.py [ARGUMENTS] {IP_OF_THE_BROKER}` \nThe following arguments allow to enable different attacks and customize the analysis: \n\n```\n-h, --help show this help message and exit\n-p PORT Specify the port (defaults to 1883)\n-t LISTENING_TIME Specify the amount of seconds the tool should intercept messages on wildcard topics (defaults to 60)\n-m TEXT_MESSAGE Specify the text message to publish in intercepted topics (defaults to \"testtesttest\")\n-fc DOS_FOODING_CONN Specify the amount of connections for the flooding-based DoS (mandatory for flooding-based DoS)\n-fcsize DOS_SIZE Specify the payload size in MB for the flooding-based DoS (defaults to 10)\n-sc DOS_SLOW_CONN Specify the max amount of connections for the slow DoS - 12000 suggested (mandatory for slow DoS)\n-mq MAX_QUEUE Specify the number of messages to test the max number of messages queued by the browser - 1000 suggested (mandatory to perform the test)\n-mp MAX_PAYLOAD Specify the payload size to test the max supported payload - 255 suggested (mandatory to perform the test)\n-u USERNAME Specify the username (mandatory for Brute-forcing)\n-w WORDLIST_PATH Specify the path to the password wordlist\n-i INTERFACE Specify the interface on which to listen for MQTT packets (mandatory for Sniffing)\n-ca CA_CERT Specify the CA certificate path (mandatory for connecting with TLS)\n-cert CLIENT_CERT Specify the client certificate path\n-key CLIENT_KEY Specify the client key path\n--md Add flag --md to perform the malformed data test\n--ni Add flag --ni to perform only non intrusive tests\n```\n\nWhen the analysis is complete, a pdf (called `report.pdf`) is created. In these report are listed the results of the attacks performed by MQTTSA and, based on these results, some high level suggestions to improve the security of the MQTT instance.\n\n## Attacks\n\nThe attacks implemented (that can be run individually from the `/src/` folder) are the following:\n\n- Sniffing attack\n- Brute Force\n- Information Disclosure\n- Malformed Data\n- Denial of Service\n\n### Sniffing attack\n\nUse the specified interface to intercept MQTT connect packets for credentials: *client ids*, *usernames* and *passwords*. In case these are found, the tool will use them to perform the other attacks (e.g., connect and intercept messages).\n\n### Brute force\n\nUse the given username and a wordlist to perform a bruteforce attack. An example wordlist is provided in `/src/words.txt`.\n\n### Information disclosure\n\nOnce the tool manages to connect to the broker, it listens for and parses each received message according to 10 patterns: domain names, IPs and MACs, email addresses, passwords, phone numbers, credit cards and messages containing typical IoT, status and GPS keywords. In case the *non intrusive* mode is specified, it will not attempt to detect ACLs; otherwise it will try to publish on listened topics and wait for the test messages to be received.\n\n### Malformed data\n\nThe tool will try to craft malformed packets to try to raise some exceptions in the broker. **This attack might affect the performance of the broker, so do not perform this attack in critical scenarios**.\n\n### Denial of Service\n\nThe tool will first attempt to saturate the number of connection (*slow* DoS approach - Ref. to [1] for additional details); then damage the service quality by publishing with many clients heavy payloads. **This attack might affect the performance of the broker, so do not perform this attack in critical scenarios**. In addition, it attempts to discover if the message payload size or the number of QoS 1 messages that the broker will queue (for persistent clients) have been limited.\n\n[[1] Vaccari, Ivan \u0026 Aiello, Maurizio \u0026 Cambiaso, Enrico. (2020). SlowITe, a Novel Denial of Service Attack Affecting MQTT. Sensors. 20. 2932. 10.3390/s20102932](https://www.researchgate.net/publication/341563324_SlowITe_a_Novel_Denial_of_Service_Attack_Affecting_MQTT). ","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstfbk%2Fmqttsa","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstfbk%2Fmqttsa","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstfbk%2Fmqttsa/lists"}