From 87512ef46d2011a777d90ccc87ec42018bf29e0d Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 27 May 2026 03:38:13 +0000 Subject: [PATCH] Add content from: Sparkplug B Protocol Fuzzing with AI Assistance --- .../1883-pentesting-mqtt-mosquitto.md | 63 +++++++++++++++++++ 1 file changed, 63 insertions(+) diff --git a/src/network-services-pentesting/1883-pentesting-mqtt-mosquitto.md b/src/network-services-pentesting/1883-pentesting-mqtt-mosquitto.md index 9af28d8062e..4bed1e1b8e7 100644 --- a/src/network-services-pentesting/1883-pentesting-mqtt-mosquitto.md +++ b/src/network-services-pentesting/1883-pentesting-mqtt-mosquitto.md 
@@ -148,6 +148,65 @@ mosquitto_pub -h -p -V mqttv311 \ -m '{"method":"Device.setState","params":{"state":{"power":"on"}},"targetDevice":""}' ``` + +## Sparkplug B ICS/SCADA reconnaissance and fuzzing + +**Sparkplug B** adds an OT/SCADA topic namespace, a strict birth/death lifecycle, and **protobuf-encoded metrics** on top of MQTT. That makes it a good target for both **passive reconnaissance** and **negative protocol testing**. + +### Passive discovery + +Sparkplug traffic usually follows: + +```text +spBv1.0/{group_id}/{message_type}/{edge_node_id}/{device_id} +``` + +A low-noise first step is subscribing to Sparkplug wildcard topics and extracting live nodes, devices, aliases, and metric datatypes from **NBIRTH** and **DBIRTH** traffic: + +```bash +mosquitto_sub -h -p 1883 -t 'spBv1.0/#' -v +mosquitto_sub -h -p 1883 -t 'STATE/#' -v +``` + +Capture at least: + +- `group_id`, `edge_node_id`, `device_id` +- Which message types are actually used: `NBIRTH`, `DBIRTH`, `NDATA`, `DDATA`, `NCMD`, `DCMD`, `NDEATH`, `DDEATH`, `STATE` +- Metric names, aliases, declared datatypes, and observed sequence/timestamp behavior +- Whether anonymous clients can **CONNECT**, **SUBSCRIBE**, or even **PUBLISH** into `spBv1.0/#` + +### High-value Sparkplug B fuzz cases + +Once you know the real namespace and metric schema, focus on protocol-aware tests instead of generic MQTT fuzzing: + +- **Topic namespace fuzzing**: mutate `group_id`, `message_type`, `edge_node_id`, or `device_id` to detect weak ACLs, flat trust boundaries, and subscribers that accept malformed topic layouts. +- **Lifecycle/order violations**: send `DDATA`/`NDATA` before `NBIRTH`/`DBIRTH`, repeat birth messages, send death without birth, or continue sending data after `NDEATH`/`DDEATH`. +- **Metric type mismatches**: declare a metric as `Float` in birth traffic and later update it as `String`, `Bytes`, `Template`, etc. Weak implementations may corrupt state or silently accept invalid telemetry. 
+- **Alias collision / rebinding**: reuse short integer aliases for different metrics or rebind an existing alias mid-session to check whether the target writes values into the wrong metric. +- **Sequence-number manipulation**: replay sequence values, send gaps, go backwards, or force wraparound to test ordering/replay handling. +- **Raw protobuf corruption**: mutate protobuf fields directly instead of only using high-level helper libraries, because helper APIs often prevent malformed payloads from being serialized. + +### Tooling + +Bishop Fox released an open-source **Sparkplug B MQTT Security Fuzzer** that automates passive discovery and protocol-aware fuzz categories such as `type_mismatch`, `sequence`, `alias`, `ordering`, `malformed`, and `topic`: + +```bash +python3 sparkplug-fuzzer.py --setup +python3 sparkplug-fuzzer.py -H -p 1883 -v +# Optional auth/TLS +python3 sparkplug-fuzzer.py -H -p 8883 --tls -u -P -v +``` + +The fuzzer listens on `spBv1.0/#`, builds a live device map from observed birth/death traffic, and then generates targeted malformed messages against the discovered schema. + +### What to validate during the assessment + +- Broker ACLs scoped per Sparkplug group/role instead of broad `spBv1.0/#` +- Rejection/logging of protobuf parse failures and malformed topic layouts +- Rejection of alias rebinding, undefined aliases, and datatype changes after birth +- Correct cleanup of node/device state after `NDEATH`/`DDEATH` and alerts on ghost sessions or repeated rebirths + + ## Shodan - `port:1883 MQTT` 
@@ -156,5 +215,9 @@ mosquitto_pub -h -p -V mqttv311 \ ## References - [How a $20 Smart Device Gave Me Access to Your Home](https://bishopfox.com/blog/how-a-20-smart-device-gave-me-access-to-your-home) +- [Sparkplug B Protocol Fuzzing with AI Assistance](https://bishopfox.com/blog/sparkplug-b-protocol-fuzzing-with-ai-assistance) +- [BishopFox/sparkplugFuzzer](https://github.com/BishopFox/sparkplugFuzzer) +- [Sparkplug Specification 3.0.0](https://sparkplug.eclipse.org/specification/version/3.0/documents/sparkplug-specification-3.0.0.pdf) +- [sparkplug_b.proto](https://github.com/eclipse-tahu/tahu/blob/master/sparkplug_b/sparkplug_b.proto) {{#include ../banners/hacktricks-training.md}}
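Review bot: in the "Passive discovery" block, `mosquitto_sub -h -p 1883 -t 'spBv1.0/#' -v` will not show the metric names, aliases or declared datatypes the surrounding text says to capture, because `-v` prints the Sparkplug payload as raw protobuf bytes; suggest adding a decode step using the `sparkplug_b.proto` that the same patch adds to References, e.g. piping one captured payload into `protoc --decode=org.eclipse.tahu.protobuf.Payload sparkplug_b.proto`, or pointing readers at the fuzzer's `--setup`/device-map output, which already does that decoding. Also, throughout the hunk `-h`, `-H`, `-u` and `-P` are followed directly by the next flag with no value visible (`mosquitto_sub -h -p 1883 ...`, `python3 sparkplug-fuzzer.py -H -p 8883 --tls -u -P -v`), matching the existing `mosquitto_pub -h -p -V mqttv311` context line, so angle-bracket placeholders have most likely been swallowed by the markdown renderer; `$BROKER`-style placeholders would survive. Finally, the second subscription `STATE/#` matches only the pre-3.0 host-application state topic, while Sparkplug 3.0 publishes it under `spBv1.0/STATE/{host_id}`, which `spBv1.0/#` already covers; a short comment on why both are subscribed would stop readers from dropping one of them.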
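Review bot: the new reference `sparkplug_b.proto` points at the `master` branch of eclipse-tahu/tahu, so the field numbers and datatype enum the fuzz cases depend on can change under the link; pin it to a tag or commit, and while here confirm that the script name `sparkplug-fuzzer.py` used in the Tooling block matches the file actually shipped in the linked BishopFox/sparkplugFuzzer repository.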