MQTT协议安全测试教学文档<\/h1>

0x01 MQTT协议基础<\/h2>

1. MQTT简介<\/h3>
MQTT全称为Message Queuing Telemetry Transport，即消息队列遥测传输协议，是一种基于发布\/订阅(Publish\/Subscribe)模式的轻量级消息传输协议，主要用于物联网和车联网领域。<\/p>

2. MQTT核心角色<\/h3>

发布者(Publisher)<\/strong>：消息的生产者，负责创建消息并发布到Broker的特定主题(Topic)<\/li>
订阅者(Subscriber)<\/strong>：消息的消费者，向Broker订阅感兴趣的主题<\/li>

代理\/服务器(Broker)<\/strong>：MQTT架构的核心，负责消息路由、会话管理、认证授权等<\/li> <\/ol>
3. MQTT工作流程<\/h3>

订阅者与Broker建立TCP连接并发送SUBSCRIBE报文<\/li>
订阅者维护连接并等待Broker推送消息<\/li>
发布者向Broker发布消息到特定主题<\/li>
Broker主动将消息推送给订阅了该主题的订阅者<\/li> <\/ol>
4. MQTT特点<\/h3>

发布\/订阅模型<\/li>
Broker中心模型<\/li>
异步通信<\/li>
轻量级高效<\/li>
支持三种QoS级别(0,1,2)<\/li> <\/ul>
5. MQTT与HTTP对比<\/h3>

特性<\/th> HTTP<\/th> MQTT<\/th> <\/tr> <\/thead>

模型<\/td> 请求-响应<\/td> 发布-订阅<\/td> <\/tr>
状态<\/td> 无状态<\/td> 有状态(会话)<\/td> <\/tr>
通信方向<\/td> 客户端发起<\/td> Broker主动推送<\/td> <\/tr>
消息大小<\/td> 较大<\/td> 极小(最小2字节)<\/td> <\/tr> <\/tbody> <\/table>
0x02 MQTT环境搭建<\/h2>
1. Broker环境搭建<\/h3>

安装Mosquitto服务器：<\/p>
sudo apt-get install mosquitto mosquitto-clients <\/span><\/span><\/code><\/pre><\/li> 查看默认配置：<\/p> cat \/etc\/mosquitto\/mosquitto.conf <\/span><\/span><\/code><\/pre><\/li> 配置访问端口(默认1883)：<\/p> sudo vim \/etc\/mosquitto\/mosquitto.conf <\/span><\/span><\/code><\/pre><\/li> 重启服务：<\/p> sudo systemctl restart mosquitto <\/span><\/span><\/code><\/pre><\/li> 配置防火墙：<\/p> sudo ufw allow 1883<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 2. 客户端环境搭建<\/h3> 安装Mosquitto客户端：<\/p> sudo apt-get install mosquitto-clients <\/span><\/span><\/code><\/pre><\/li> 订阅主题：<\/p> mosquitto_sub -h [<\/span>broker_ip]<\/span> -t "topic"<\/span> -v <\/span><\/span><\/code><\/pre><\/li> 发布消息：<\/p> mosquitto_pub -h [<\/span>broker_ip]<\/span> -t "topic"<\/span> -m "message"<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 0x03 MQTT安全测试工具<\/h2> 1. MQTT-PWN安装<\/h3> 下载工具：<\/p> git clone https:\/\/github.com\/akamai-threat-research\/mqtt-pwn.git <\/span><\/span><\/code><\/pre><\/li> 修改Dockerfile(可选)：<\/p> FROM<\/span> python:3.7-slim<\/span> <\/span><\/span><\/span><\/span>RUN<\/span> apt-get update &&<\/span> apt-get install -y git nmap <\/span><\/span><\/span><\/span>RUN<\/span> pip install paho-mqtt==<\/span>1.5.0 psutil==<\/span>5.7.0 python-nmap==<\/span>0.6.1 requests==<\/span>2.23.0 <\/span><\/span><\/span><\/span>WORKDIR<\/span> \/mqtt-pwn<\/span> <\/span><\/span><\/span><\/span>COPY<\/span> . . <\/span><\/span><\/span><\/span>CMD<\/span> ["python"<\/span>, "cli.py"<\/span>] <\/span><\/span><\/span><\/code><\/pre><\/li> 构建并运行：<\/p> docker build -t mqtt-pwn . <\/span><\/span>docker run -it mqtt-pwn <\/span><\/span><\/code><\/pre><\/li> <\/ol> 0x04 MQTT安全测试方法<\/h2> 1. 未授权访问测试<\/h3> 匿名连接测试：<\/p> mosquitto_sub -h [<\/span>broker_ip]<\/span> -t "#"<\/span> -v <\/span><\/span><\/code><\/pre><\/li> 使用MQTT-PWN测试：<\/p> connect -h [<\/span>broker_ip]<\/span> -p 1883<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 2. 信息收集<\/h3> 获取Broker信息：<\/p> system <\/span><\/span><\/code><\/pre><\/li> 枚举主题：<\/p> discovery <\/span><\/span>scans <\/span><\/span><\/code><\/pre><\/li> 查看主题消息：<\/p> messages -t [<\/span>topic_name]<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3. 暴力破解<\/h3> 使用MQTT-PWN暴力破解：<\/p> brute-force -h [<\/span>broker_ip]<\/span> -U [<\/span>userlist]<\/span> -P [<\/span>passlist]<\/span> <\/span><\/span><\/code><\/pre><\/li> 使用破解的凭据连接：<\/p> connect -h [<\/span>broker_ip]<\/span> -p 1883<\/span> -u [<\/span>username]<\/span> -P [<\/span>password]<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4. 命令注入测试<\/h3> 订阅命令主题：<\/p> subscribe -t commands\/serverA <\/span><\/span><\/code><\/pre><\/li> 发布恶意命令：<\/p> publish -t commands\/serverA -m "malicious_command"<\/span> <\/span><\/span><\/code><\/pre><\/li> 查看执行结果：<\/p> subscribe -t results\/serverA <\/span><\/span><\/code><\/pre><\/li> <\/ol> 0x05 安全加固建议<\/h2> 1. 认证配置<\/h3> 禁用匿名访问：<\/p> allow_anonymous false <\/span><\/span><\/code><\/pre><\/li> 配置密码文件：<\/p> password_file \/etc\/mosquitto\/passwd <\/span><\/span><\/code><\/pre><\/li> 创建用户密码：<\/p> mosquitto_passwd -c \/etc\/mosquitto\/passwd username <\/span><\/span><\/code><\/pre><\/li> <\/ol> 2. 访问控制<\/h3> 配置ACL：<\/p> acl_file \/etc\/mosquitto\/acl <\/span><\/span><\/code><\/pre><\/li> 示例ACL规则：<\/p> user username topic readwrite topic\/name <\/code><\/pre> <\/li> <\/ol> 3. 加密通信<\/h3> 配置TLS：<\/p> listener 8883<\/span> <\/span><\/span>certfile \/etc\/mosquitto\/certs\/server.crt <\/span><\/span>keyfile \/etc\/mosquitto\/certs\/server.key <\/span><\/span><\/code><\/pre><\/li> 生成证书：<\/p> openssl req -new -x509 -days 365<\/span> -nodes -out server.crt -keyout server.key <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4. 其他安全措施<\/h3> 限制客户端ID长度<\/li> 设置最大连接数<\/li> 启用日志记录<\/li> 定期更新软件<\/li> <\/ol> 0x06 车联网应用案例<\/h2> 1. 远程解锁车辆流程<\/h3> 车辆连接<\/strong>：<\/p> T-Box连接Broker<\/li> 订阅指令Topic：iov\/vehicles\/{VIN}\/command\/door\/lock<\/code><\/li> <\/ul> <\/li> 用户操作<\/strong>：<\/p> App发送HTTPS请求到云平台<\/li> 云平台验证权限并生成MQTT消息<\/li> <\/ul> <\/li> 指令下发<\/strong>：<\/p> 云平台发布消息到车辆Topic<\/li> Broker推送消息给车辆<\/li> <\/ul> <\/li> 执行反馈<\/strong>：<\/p> 车辆执行指令<\/li> 发布状态到iov\/vehicles\/{VIN}\/status\/door\/lock<\/code><\/li> 云平台接收状态并通知用户<\/li> <\/ul> <\/li> <\/ol> 2. 潜在攻击面<\/h3> 未授权Broker访问<\/li> 弱认证凭据<\/li> Topic枚举和信息泄露<\/li> 消息注入<\/li> 中间人攻击<\/li> <\/ol> 0x07 总结<\/h2> MQTT协议在物联网和车联网领域广泛应用，其安全性直接影响物理世界。安全测试应关注：<\/p> 认证机制是否健全<\/li> 授权控制是否严格<\/li> 通信是否加密<\/li> 敏感信息是否暴露<\/li> 能否实现命令注入<\/li> <\/ol> 与传统Web测试相比，MQTT测试更注重协议层面的安全性和Broker配置，但核心安全原则不变。<\/p>

特性<\/th>	HTTP<\/th>	MQTT<\/th> <\/tr> <\/thead>
模型<\/td>	请求-响应<\/td>	发布-订阅<\/td> <\/tr>
状态<\/td>	无状态<\/td>	有状态(会话)<\/td> <\/tr>
通信方向<\/td>	客户端发起<\/td>	Broker主动推送<\/td> <\/tr>
消息大小<\/td>	较大<\/td>	极小(最小2字节)<\/td> <\/tr> <\/tbody> <\/table> 0x02 MQTT环境搭建<\/h2> 1. Broker环境搭建<\/h3> 安装Mosquitto服务器：<\/p> sudo apt-get install mosquitto mosquitto-clients <\/span><\/span><\/code><\/pre><\/li> 查看默认配置：<\/p> cat \/etc\/mosquitto\/mosquitto.conf <\/span><\/span><\/code><\/pre><\/li> 配置访问端口(默认1883)：<\/p> sudo vim \/etc\/mosquitto\/mosquitto.conf <\/span><\/span><\/code><\/pre><\/li> 重启服务：<\/p> sudo systemctl restart mosquitto <\/span><\/span><\/code><\/pre><\/li> 配置防火墙：<\/p> sudo ufw allow 1883<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 2. 客户端环境搭建<\/h3> 安装Mosquitto客户端：<\/p> sudo apt-get install mosquitto-clients <\/span><\/span><\/code><\/pre><\/li> 订阅主题：<\/p> mosquitto_sub -h [<\/span>broker_ip]<\/span> -t "topic"<\/span> -v <\/span><\/span><\/code><\/pre><\/li> 发布消息：<\/p> mosquitto_pub -h [<\/span>broker_ip]<\/span> -t "topic"<\/span> -m "message"<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 0x03 MQTT安全测试工具<\/h2> 1. MQTT-PWN安装<\/h3> 下载工具：<\/p> git clone https:\/\/github.com\/akamai-threat-research\/mqtt-pwn.git <\/span><\/span><\/code><\/pre><\/li> 修改Dockerfile(可选)：<\/p> FROM<\/span> python:3.7-slim<\/span> <\/span><\/span><\/span><\/span>RUN<\/span> apt-get update &&<\/span> apt-get install -y git nmap <\/span><\/span><\/span><\/span>RUN<\/span> pip install paho-mqtt==<\/span>1.5.0 psutil==<\/span>5.7.0 python-nmap==<\/span>0.6.1 requests==<\/span>2.23.0 <\/span><\/span><\/span><\/span>WORKDIR<\/span> \/mqtt-pwn<\/span> <\/span><\/span><\/span><\/span>COPY<\/span> . . <\/span><\/span><\/span><\/span>CMD<\/span> ["python"<\/span>, "cli.py"<\/span>] <\/span><\/span><\/span><\/code><\/pre><\/li> 构建并运行：<\/p> docker build -t mqtt-pwn . <\/span><\/span>docker run -it mqtt-pwn <\/span><\/span><\/code><\/pre><\/li> <\/ol> 0x04 MQTT安全测试方法<\/h2> 1. 未授权访问测试<\/h3> 匿名连接测试：<\/p> mosquitto_sub -h [<\/span>broker_ip]<\/span> -t "#"<\/span> -v <\/span><\/span><\/code><\/pre><\/li> 使用MQTT-PWN测试：<\/p> connect -h [<\/span>broker_ip]<\/span> -p 1883<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 2. 信息收集<\/h3> 获取Broker信息：<\/p> system <\/span><\/span><\/code><\/pre><\/li> 枚举主题：<\/p> discovery <\/span><\/span>scans <\/span><\/span><\/code><\/pre><\/li> 查看主题消息：<\/p> messages -t [<\/span>topic_name]<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3. 暴力破解<\/h3> 使用MQTT-PWN暴力破解：<\/p> brute-force -h [<\/span>broker_ip]<\/span> -U [<\/span>userlist]<\/span> -P [<\/span>passlist]<\/span> <\/span><\/span><\/code><\/pre><\/li> 使用破解的凭据连接：<\/p> connect -h [<\/span>broker_ip]<\/span> -p 1883<\/span> -u [<\/span>username]<\/span> -P [<\/span>password]<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4. 命令注入测试<\/h3> 订阅命令主题：<\/p> subscribe -t commands\/serverA <\/span><\/span><\/code><\/pre><\/li> 发布恶意命令：<\/p> publish -t commands\/serverA -m "malicious_command"<\/span> <\/span><\/span><\/code><\/pre><\/li> 查看执行结果：<\/p> subscribe -t results\/serverA <\/span><\/span><\/code><\/pre><\/li> <\/ol> 0x05 安全加固建议<\/h2> 1. 认证配置<\/h3> 禁用匿名访问：<\/p> allow_anonymous false <\/span><\/span><\/code><\/pre><\/li> 配置密码文件：<\/p> password_file \/etc\/mosquitto\/passwd <\/span><\/span><\/code><\/pre><\/li> 创建用户密码：<\/p> mosquitto_passwd -c \/etc\/mosquitto\/passwd username <\/span><\/span><\/code><\/pre><\/li> <\/ol> 2. 访问控制<\/h3> 配置ACL：<\/p> acl_file \/etc\/mosquitto\/acl <\/span><\/span><\/code><\/pre><\/li> 示例ACL规则：<\/p> user username topic readwrite topic\/name <\/code><\/pre> <\/li> <\/ol> 3. 加密通信<\/h3> 配置TLS：<\/p> listener 8883<\/span> <\/span><\/span>certfile \/etc\/mosquitto\/certs\/server.crt <\/span><\/span>keyfile \/etc\/mosquitto\/certs\/server.key <\/span><\/span><\/code><\/pre><\/li> 生成证书：<\/p> openssl req -new -x509 -days 365<\/span> -nodes -out server.crt -keyout server.key <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4. 其他安全措施<\/h3> 限制客户端ID长度<\/li> 设置最大连接数<\/li> 启用日志记录<\/li> 定期更新软件<\/li> <\/ol> 0x06 车联网应用案例<\/h2> 1. 远程解锁车辆流程<\/h3> 车辆连接<\/strong>：<\/p> T-Box连接Broker<\/li> 订阅指令Topic：iov\/vehicles\/{VIN}\/command\/door\/lock<\/code><\/li> <\/ul> <\/li> 用户操作<\/strong>：<\/p> App发送HTTPS请求到云平台<\/li> 云平台验证权限并生成MQTT消息<\/li> <\/ul> <\/li> 指令下发<\/strong>：<\/p> 云平台发布消息到车辆Topic<\/li> Broker推送消息给车辆<\/li> <\/ul> <\/li> 执行反馈<\/strong>：<\/p> 车辆执行指令<\/li> 发布状态到iov\/vehicles\/{VIN}\/status\/door\/lock<\/code><\/li> 云平台接收状态并通知用户<\/li> <\/ul> <\/li> <\/ol> 2. 潜在攻击面<\/h3> 未授权Broker访问<\/li> 弱认证凭据<\/li> Topic枚举和信息泄露<\/li> 消息注入<\/li> 中间人攻击<\/li> <\/ol> 0x07 总结<\/h2> MQTT协议在物联网和车联网领域广泛应用，其安全性直接影响物理世界。安全测试应关注：<\/p> 认证机制是否健全<\/li> 授权控制是否严格<\/li> 通信是否加密<\/li> 敏感信息是否暴露<\/li> 能否实现命令注入<\/li> <\/ol> 与传统Web测试相比，MQTT测试更注重协议层面的安全性和Broker配置，但核心安全原则不变。<\/p>

MQTT协议安全测试教学文档<\/h1>

0x01 MQTT协议基础<\/h2>

1. MQTT简介<\/h3> MQTT全称为Message Queuing Telemetry Transport，即消息队列遥测传输协议，是一种基于发布\/订阅(Publish\/Subscribe)模式的轻量级消息传输协议，主要用于物联网和车联网领域。<\/p>

0x02 MQTT环境搭建<\/h2>

0x03 MQTT安全测试工具<\/h2>

0x04 MQTT安全测试方法<\/h2>

0x05 安全加固建议<\/h2>

0x06 车联网应用案例<\/h2>

1. MQTT简介<\/h3>
MQTT全称为Message Queuing Telemetry Transport，即消息队列遥测传输协议，是一种基于发布\/订阅(Publish\/Subscribe)模式的轻量级消息传输协议，主要用于物联网和车联网领域。<\/p>