
Deakin University

Ethical Hacking
OnTrack Submission

Task 10.1P

Submitted By: Rachit Goyal (s222187269)
Tutor: Muna Al-hawawreh
2024/10/01 03:57

October 1, 2024

Produced by Doubtfire
WEEK 10 – TASK P
Answer Sheet
Name: Rachit Goyal (s222187269)

Task A1:

1. Setting up the IoT environment:

• I cloned a Kali Linux virtual machine to act as the MQTT broker.
• Installed Mosquitto on this broker using the commands:

    sudo apt-get update
    sudo apt-get install mosquitto mosquitto-clients

2. Setting up clients:

• A Windows 10 machine was set up as the MQTT client.
• Installed Mosquitto on the Windows machine for publishing and subscribing to topics.

3. Capturing MQTT traffic:

• I used Wireshark on the Kali machine to capture the MQTT traffic.
• Started the subscriber and publisher on different machines and observed the traffic
flowing between them.
• The traffic included MQTT CONNECT, SUBSCRIBE, and PUBLISH packets.

4. Analyzing the captured traffic:

• MQTT traffic showed the protocol's lightweight nature, with minimal overhead.
• Important headers like QoS (Quality of Service) and retain flags were identified.

Findings:

The MQTT broker successfully handled the publish/subscribe requests, and Wireshark
showed the structured communication between the client and broker. Key MQTT messages
were clearly visible, indicating normal behavior for this lightweight protocol.
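The packets listed above can be decoded by hand from their bytes. The following Python script is an added example and is not part of this submission: a small decoder for MQTT 3.1.1 CONNECT, SUBSCRIBE and PUBLISH packets that pulls out the fixed-header QoS and retain flags and reports whether a CONNECT carries a username and password. The sample packets inside it are constructed for the example, not taken from the Wireshark capture.

```python
"""Minimal MQTT 3.1.1 control-packet decoder.

Added example, not part of the submission. It decodes the fixed header and the
fields of CONNECT, SUBSCRIBE and PUBLISH packets (the packet types seen in the
Task A1 capture) from raw bytes, exposing the QoS and retain flags and whether a
CONNECT carries credentials. The packets at the bottom are constructed by hand.
"""
import struct

PACKET_TYPES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 8: "SUBSCRIBE", 9: "SUBACK"}


def decode_remaining_length(data, offset):
    """Decode the variable-length 'remaining length' field; returns (value, next_offset)."""
    multiplier, value = 1, 0
    while True:
        byte = data[offset]
        offset += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset
        multiplier *= 128
        if multiplier > 128 ** 3:  # the spec allows at most four bytes
            raise ValueError("malformed remaining length")


def read_field(data, offset):
    """Read a 2-byte big-endian length-prefixed field; returns (bytes, next_offset)."""
    (length,) = struct.unpack_from(">H", data, offset)
    offset += 2
    return data[offset:offset + length], offset + length


def read_string(data, offset):
    """Read a length-prefixed UTF-8 string; returns (str, next_offset)."""
    raw, offset = read_field(data, offset)
    return raw.decode("utf-8"), offset


def decode_packet(data):
    """Decode one MQTT control packet into a dict of its security-relevant fields."""
    ptype, flags = data[0] >> 4, data[0] & 0x0F
    remaining, offset = decode_remaining_length(data, 1)
    body = data[offset:offset + remaining]
    info = {"type": PACKET_TYPES.get(ptype, f"UNKNOWN({ptype})")}

    if info["type"] == "CONNECT":
        proto, pos = read_string(body, 0)
        level, cflags = body[pos], body[pos + 1]
        (keepalive,) = struct.unpack_from(">H", body, pos + 2)
        client_id, pos = read_string(body, pos + 4)
        if cflags & 0x04:                      # will flag: skip will topic and message
            _, pos = read_string(body, pos)
            _, pos = read_field(body, pos)
        username = None
        if cflags & 0x80:                      # username flag
            username, pos = read_string(body, pos)
        info.update(protocol=proto, level=level, keepalive=keepalive, client_id=client_id,
                    clean_session=bool(cflags & 0x02), username=username,
                    has_password=bool(cflags & 0x40), anonymous=not (cflags & 0x80))
    elif info["type"] == "PUBLISH":
        qos = (flags >> 1) & 0x03
        topic, pos = read_string(body, 0)
        packet_id = None
        if qos > 0:                            # packet identifier only present for QoS 1 and 2
            (packet_id,) = struct.unpack_from(">H", body, pos)
            pos += 2
        info.update(dup=bool(flags & 0x08), qos=qos, retain=bool(flags & 0x01),
                    topic=topic, packet_id=packet_id, payload=body[pos:])
    elif info["type"] == "SUBSCRIBE":
        (packet_id,) = struct.unpack_from(">H", body, 0)
        pos, filters = 2, []
        while pos < len(body):                 # each filter is a string followed by a QoS byte
            topic, pos = read_string(body, pos)
            filters.append((topic, body[pos] & 0x03))
            pos += 1
        info.update(packet_id=packet_id, filters=filters)
    return info


# Constructed sample packets (not taken from the capture).
CONNECT_ANON = b"\x10\x14\x00\x04MQTT\x04\x02\x00\x3c\x00\x08kali-sub"
CONNECT_AUTH = b"\x10\x27\x00\x04MQTT\x04\xc2\x00\x3c\x00\x09win10-pub\x00\x06sensor\x00\x08changeme"
PUBLISH_RETAIN = b"\x33\x13\x00\x0atest_topic\x00\x01hello"
SUBSCRIBE = b"\x82\x0f\x00\x02\x00\x0atest_topic\x00"

if __name__ == "__main__":
    for pkt in (CONNECT_ANON, CONNECT_AUTH, SUBSCRIBE, PUBLISH_RETAIN):
        print(decode_packet(pkt))
```

Fed with the MQTT bytes of a captured TCP segment (Wireshark: File > Export Packet Bytes on the MQTT layer), the anonymous flag it reports on a CONNECT is the condition behind the "no authentication" observation in Task A2.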

Task A2:

1. Scanning the MQTT broker:

• Using Nmap from the attacker’s Kali machine, I ran a specific scan targeting the
MQTT broker:

nmap -sV --script mqtt-subscribe --script-args topic=test_topic 192.168.8.8

• This command scanned the broker for open ports and identified services running
on those ports.
• I also analyzed the traffic using Wireshark to observe any unusual patterns
during the Nmap scan.

2. Analyzing the traffic:

• Wireshark showed traffic between the attacker machine and the broker as the Nmap
script interacted with the MQTT service.
• No immediate signs of unauthorized access or attacks were visible, but certain ports
showed openness that could be exploited.

Findings:

The Nmap scan revealed that the broker had port 1883 open for MQTT, which is
typical for this service. Wireshark showed that the broker responded correctly to Nmap
requests, but since the service was unprotected (with no authentication), this could be
a potential point of vulnerability.
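What "unprotected" means in configuration terms can be checked directly against the broker's own config file. The following Python script is an added example, not part of this submission or of the Mosquitto project: it parses a mosquitto.conf, places a weak configuration of the kind that opens a broker to external clients without authentication next to a hardened one, and reports the settings behind the finding above. The directive names (listener, allow_anonymous, password_file, acl_file, cafile, certfile, keyfile) are real Mosquitto options; both configurations and the file paths in them are constructed for the example.

```python
"""Audit a mosquitto.conf for the weaknesses the Task A2 scan exposed.

Added example, not the submission's own material. The two configurations below
are constructed: WEAK_CONF resembles a broker opened up for external clients with
no authentication, HARDENED_CONF is the corrected form. Directive names are real
Mosquitto options; the file paths are placeholders.
"""

# Options that Mosquitto applies to the most recently declared listener.
LISTENER_KEYS = {"cafile", "capath", "certfile", "keyfile", "require_certificate",
                 "use_identity_as_username", "tls_version"}

WEAK_CONF = """
# allow clients on the LAN to reach the broker
listener 1883
allow_anonymous true
"""

HARDENED_CONF = """
# placeholder paths; TLS listener with username/password and topic ACLs
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
"""


def parse_conf(text):
    """Split mosquitto.conf into global settings and per-listener option blocks."""
    settings, listeners, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.strip(), value.strip()
        if key == "listener":                     # "listener <port> [bind address]"
            current = {"port": int(value.split()[0]), "options": {}}
            listeners.append(current)
        elif current is not None and key in LISTENER_KEYS:
            current["options"][key] = value
        else:
            settings[key] = value
    return settings, listeners


def audit_conf(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    settings, listeners = parse_conf(text)
    findings = []
    # Mosquitto 2.0+ defaults allow_anonymous to false, older releases to true,
    # so the hardened config sets it explicitly; only an explicit true is flagged here.
    if settings.get("allow_anonymous", "").lower() == "true":
        findings.append("allow_anonymous true: any client can connect without credentials")
    elif "password_file" not in settings and not any(
            l["options"].get("require_certificate") == "true" for l in listeners):
        findings.append("no password_file and no client-certificate requirement: "
                        "there is no way to authenticate clients")
    for l in listeners:
        if not all(k in l["options"] for k in ("certfile", "keyfile")):
            findings.append(f"listener {l['port']}: no certfile/keyfile, so MQTT "
                            "traffic (topics and payloads) crosses the network in plaintext")
    if "acl_file" not in settings:
        findings.append("no acl_file: every connected client may publish and "
                        "subscribe to every topic")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_conf(conf) or ["no findings"])
```

The plaintext finding is the same property that made the CONNECT, SUBSCRIBE and PUBLISH fields readable in the Task A1 capture; moving the listener to TLS removes it, and the password file plus ACL close the anonymous, unrestricted access the scan reported.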

Task A3:

1. Using whois to gather information:

• The first step was to perform a whois query on amazonaws.com to find details
about domain ownership and IP ranges:

    whois amazonaws.com

• The whois command returned general domain information but did not provide
specific IP ranges.

2. Using dig to gather AWS IP addresses:

• I used dig to gather IP addresses associated with AWS’s S3 service:

    dig s3.amazonaws.com

• This query returned several IP addresses related to AWS S3.

3. Scanning AWS IPs using Nmap:

• I used Nmap to scan the IP addresses obtained from the dig command:

nmap -p 80,443 3.5.22.84 52.217.114.120 52.216.48.16 52.217.229.200

• The scan revealed that certain IPs had port 443 open for HTTPS, while some also
had port 80 open for HTTP.

Findings:

The footprinting exercise provided useful information about AWS’s publicly available
infrastructure. Ports 80 and 443 were open on several AWS IPs, indicating web services
running on those instances. These could potentially be targeted for further security
assessments, such as testing for vulnerabilities in web servers or applications hosted on these
services.
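To put the addresses from the dig step into context, the following Python script is an added example, not part of this submission: it matches each resolved address against a document in the format of AWS's published ip-ranges.json and reports the most specific prefix, service and region, which is how a reviewer confirms that an address really belongs to the provider and service an inventory or scan result claims. The prefixes in SAMPLE_IP_RANGES are made up for the example (the real file is at https://ip-ranges.amazonaws.com/ip-ranges.json); the four addresses are the ones scanned above.

```python
"""Attribute resolved addresses to a cloud provider's published IP ranges.

Added example, not part of the submission. AWS publishes its address space at
https://ip-ranges.amazonaws.com/ip-ranges.json; SAMPLE_IP_RANGES below is a
constructed document in that file's format, with made-up prefixes, so the code
runs offline. With the real file, the same lookup tells you whether an address
returned by "dig s3.amazonaws.com" sits in the S3 range for a region.
"""
import ipaddress
import json

# Constructed sample in the ip-ranges.json layout; prefixes are not the real ones.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-10-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "52.216.0.0/14", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "52.216.0.0/15", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "3.5.16.0/21", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "52.95.0.0/16", "region": "eu-west-1", "service": "EC2"},
    ],
})

# Addresses the dig query in Task A3 returned.
RESOLVED = ["3.5.22.84", "52.217.114.120", "52.216.48.16", "52.217.229.200"]


def load_prefixes(doc):
    """Parse the ip-ranges document into (network, service, region) tuples."""
    return [(ipaddress.ip_network(p["ip_prefix"]), p["service"], p["region"])
            for p in json.loads(doc)["prefixes"]]


def classify(ip, prefixes):
    """Return the most specific matching prefix for ip, or None if it is outside all ranges.

    The real file lists broad AMAZON entries that overlap service-specific ones,
    so the longest prefix wins.
    """
    addr = ipaddress.ip_address(ip)
    matches = [m for m in prefixes if addr in m[0]]
    if not matches:
        return None
    net, service, region = max(matches, key=lambda m: m[0].prefixlen)
    return {"prefix": str(net), "service": service, "region": region}


def classify_all(ips, doc):
    """Map every address to its classification (None for addresses outside the ranges)."""
    prefixes = load_prefixes(doc)
    return {ip: classify(ip, prefixes) for ip in ips}


if __name__ == "__main__":
    # 198.51.100.7 is a documentation address, included to show the no-match case.
    for ip, hit in classify_all(RESOLVED + ["198.51.100.7"], SAMPLE_IP_RANGES).items():
        print(ip, hit or "not in any published range")
```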

Task B1:

Evidence Provided:

1. Notes on MQTT and IoT Systems: During the practical setup of the MQTT broker and
client, I took detailed notes about the MQTT protocol, the configuration of Mosquitto,
and the communication process between the broker and clients. Some of the key points
include:
o MQTT Protocol: A lightweight, publish-subscribe messaging protocol suitable
for IoT devices.
o Mosquitto Configuration: Modified the mosquitto.conf file to allow external
connections and added specific IPs to enable communication between the
broker and clients.
2. Screenshots of MQTT Traffic Capture: I captured screenshots of MQTT traffic using
Wireshark. This includes images showing the CONNECT, PUBLISH, and SUBSCRIBE
messages exchanged between the broker and client devices. Each screenshot provides
evidence of the message structure and the data being exchanged.
3. Screenshots of Nmap Scans: As part of the broker scanning task (Task A2), I performed
an Nmap scan to identify open ports and services on the MQTT broker. Screenshots
show the Nmap command executed and the results obtained, detailing the broker's
response to various requests.
4. Notes on Cloud Footprinting: I documented the steps taken to footprint AWS using the
whois, dig, and Nmap tools. These notes show how I retrieved IP addresses for AWS’s
S3 service and scanned them for open ports. This helped identify publicly available
services running on AWS infrastructure.

Task C1:

Reflection:

1. Most Important Learning: The most important takeaway from Module 10 was
understanding the relationship between IoT systems, cloud services, and security
vulnerabilities. Working with MQTT and AWS footprinting provided practical insights
into how devices communicate in an IoT network and how cloud services can be
assessed for weaknesses. The way the MQTT protocol manages communication
between devices—especially with minimal bandwidth—was a key learning point. It
helped me see how attackers can target unsecured brokers to intercept or manipulate
data.
2. Relation to Prior Knowledge: I already had some theoretical knowledge of networking
protocols and vulnerability scanning, but this module expanded my practical skills by
giving me hands-on experience. Previously, I had only read about MQTT in theory, but
now I understand how to deploy it in a real-world scenario and analyze its traffic.
Similarly, cloud footprinting is something I had learned about conceptually but had
not implemented using tools like whois, dig, and Nmap.
3. Importance of Learning This Module: The content in this module is crucial because
IoT devices and cloud services are ubiquitous in today’s technology landscape, making
them common targets for attackers. By learning how to set up, analyze, and footprint
these systems, I am better prepared to identify and mitigate vulnerabilities in a real-
world setting. For example, knowing how to spot unsecured ports or misconfigured
services on AWS can help organizations avoid potential breaches.

The module emphasized the importance of hands-on troubleshooting—something often
encountered in the field. It’s not always about following predefined steps; security
professionals must be adaptable, solving problems that may not have immediate answers.
