MQTT
Nmap discovered an MQTT server on the target port 1883.
MQTT (originally an initialism of MQ Telemetry Transport) is a lightweight, publish-subscribe, machine-to-machine network protocol for message queue/message queuing service. It is designed for connections with remote locations that have devices with resource constraints or limited network bandwidth, such as in the Internet of Things (IoT). It must run over a transport protocol that provides ordered, lossless, bi-directional connections, typically TCP/IP, but also possibly over QUIC. It is an open OASIS standard and an ISO recommendation (ISO/IEC 20922).
The default unencrypted MQTT port is 1883. The encrypted port is 8883.
The MQTT protocol defines two types of network entities: a message broker and a number of clients. An MQTT broker is a server that receives all messages from the clients and then routes the messages to the appropriate destination clients. An MQTT client is any device (from a microcontroller up to a fully-fledged server) that runs an MQTT library and connects to an MQTT broker over a network.
Information is organized in a hierarchy of topics. When a publisher has a new item of data to distribute, it sends a control message with the data to the connected broker. The broker then distributes the information to any clients that have subscribed to that topic. The publisher does not need to have any data on the number or locations of subscribers, and subscribers, in turn, do not have to be configured with any data about the publishers.
While I can become a subscriber to listen in on topics, authentication is not required. I can use the mosquitto tool.
Subscription
┌──(kali㉿kali)-[~/archive/htb/labs/broker]
└─$ mosquitto_sub -v -L mqtt://@$IP:1883/#
ActiveMQ/Advisory/MasterBroker (null)
ActiveMQ/Advisory/Consumer/Topic/# (null)
Upon subscription, I received 2 topics immediately, followed by a lot more topics.
They all have a prefix of ActiveMQ in the topics, which suggests that the broker is Apache ActiveMQ.
A web console of Apache ActiveMQ has been identified on the target ports 80 and 8161, so this is very likely part of Apache ActiveMQ's tech stack.
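The `#` in the subscription above is MQTT's multi-level wildcard, which is why one unauthenticated subscription returns every topic the broker publishes. The following is an added example, not part of the original notes: it implements MQTT 3.1.1 topic-filter matching so a broker owner can check which topics a given read filter exposes to a client. It assumes the broker's read ACL is written as MQTT topic filters; `exposed_topics` and every sample topic other than `ActiveMQ/Advisory/MasterBroker` are constructed for illustration.

```python
# Added example: MQTT 3.1.1 topic-filter matching, used to audit read exposure.

def topic_matches(topic_filter: str, topic: str) -> bool:
    """Return True if an MQTT 3.1.1 topic filter matches a topic name."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    # A filter that starts with a wildcard never matches "$"-prefixed topics.
    if topic.startswith("$") and f_levels[0] in ("#", "+"):
        return False
    for i, level in enumerate(f_levels):
        if level == "#":
            # Multi-level wildcard: valid only as the last level; it matches
            # the parent level and every level beneath it.
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        # "+" matches exactly one level; anything else must be equal.
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def exposed_topics(read_filters, topics):
    """Hypothetical audit helper: topics readable under the given filters."""
    return [t for t in topics
            if any(topic_matches(f, t) for f in read_filters)]


# Sample topic names. The first appears in the output above; the rest are
# constructed for this example.
SAMPLE_TOPICS = [
    "ActiveMQ/Advisory/MasterBroker",
    "plant/line1/temperature",  # constructed
    "public/status",            # constructed
    "$SYS/broker/uptime",       # constructed
]

if __name__ == "__main__":
    # Compare a wide-open read filter with a narrowly scoped one.
    for acl in (["#"], ["public/+"]):
        print(acl, "->", exposed_topics(acl, SAMPLE_TOPICS))
```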