Pirates of the MQTT: Raiding IIoT Systems with a Rogue Client
Case study using Fischertechnik's Lernfabrik 4.0 (9V).
- The script to sniff MQTT packets and store them into .pcap files (sniff_mqtt.py).
- The script to extract MQTT information (topic, payload, qos) from recorded .pcap files into an SQLite database (extractor.py).
- The script to carry out the MQTT rogue client attack against the Fischertechnik Lernfabrik (attack_order.py).
- The malicious program to upload to the VGR along with the malicious config file to upload to the VGR (TxtParkPosVGR and Config.ParkPos.json).
Due to the large sizes of the .pcap files, they are not provided in this repo. Only the SQLite database file is provided.
- To quickly run the attack directly from the provided database, simply run:
  python3 attack_order.py
- In case you would like to run the entire chain of scripts, run the scripts in the following order:
  - python3 sniff_mqtt.py -i [INTERFACE_HERE] (this needs to be run individually for each packet capture of an order; see the -o flag to specify the output file for the traffic capture)
  - python3 extractor.py
  - python3 attack_order.py
Each of the scripts comes with flags/options to help customize its usage. To view these options, run the script with --help.
The packages below are those outside of the Python built-in packages that are required for the scripts to run successfully.
- For just running the main attack (i.e., the attack_order.py script):
  - aiomqtt
  - paramiko
  - scp
- For running the entire chain of files:
  - aiomqtt
  - paramiko
  - scp
  - pyshark
  - glob
  - paho-mqtt
- Clone the GitHub repo.
- Navigate to the cloned directory containing the project files.
- Run the script:
  python3 attack_order.py
Disclaimer: This project is intended for educational purposes only. Unauthorized use of these scripts for malicious purposes is illegal and unethical. Always obtain proper authorization before testing security on any system.