63 changes: 63 additions & 0 deletions src/network-services-pentesting/1883-pentesting-mqtt-mosquitto.md
Expand Up @@ -148,6 +148,65 @@ mosquitto_pub -h <app-broker> -p <port> -V mqttv311 \
-m '{"method":"Device.setState","params":{"state":{"power":"on"}},"targetDevice":"<victimDeviceId>"}'
```


## Sparkplug B ICS/SCADA reconnaissance and fuzzing

**Sparkplug B** adds an OT/SCADA topic namespace, a strict birth/death lifecycle, and **protobuf-encoded metrics** on top of MQTT. That makes it a good target for both **passive reconnaissance** and **negative protocol testing**.

### Passive discovery

Sparkplug traffic usually follows:

```text
spBv1.0/{group_id}/{message_type}/{edge_node_id}/{device_id}
```

A low-noise first step is subscribing to Sparkplug wildcard topics and extracting live nodes, devices, aliases, and metric datatypes from **NBIRTH** and **DBIRTH** traffic:

```bash
mosquitto_sub -h <broker> -p 1883 -t 'spBv1.0/#' -v
mosquitto_sub -h <broker> -p 1883 -t 'STATE/#' -v
```

Capture at least:

- `group_id`, `edge_node_id`, `device_id`
- Which message types are actually used: `NBIRTH`, `DBIRTH`, `NDATA`, `DDATA`, `NCMD`, `DCMD`, `NDEATH`, `DDEATH`, `STATE`
- Metric names, aliases, declared datatypes, and observed sequence/timestamp behavior
- Whether anonymous clients can **CONNECT**, **SUBSCRIBE**, or even **PUBLISH** into `spBv1.0/#`

### High-value Sparkplug B fuzz cases

Once you know the real namespace and metric schema, focus on protocol-aware tests instead of generic MQTT fuzzing:

- **Topic namespace fuzzing**: mutate `group_id`, `message_type`, `edge_node_id`, or `device_id` to detect weak ACLs, flat trust boundaries, and subscribers that accept malformed topic layouts.
- **Lifecycle/order violations**: send `DDATA`/`NDATA` before `NBIRTH`/`DBIRTH`, repeat birth messages, send death without birth, or continue sending data after `NDEATH`/`DDEATH`.
- **Metric type mismatches**: declare a metric as `Float` in birth traffic and later update it as `String`, `Bytes`, `Template`, etc. Weak implementations may corrupt state or silently accept invalid telemetry.
- **Alias collision / rebinding**: reuse short integer aliases for different metrics or rebind an existing alias mid-session to check whether the target writes values into the wrong metric.
- **Sequence-number manipulation**: replay sequence values, send gaps, go backwards, or force wraparound to test ordering/replay handling.
- **Raw protobuf corruption**: mutate protobuf fields directly instead of only using high-level helper libraries, because helper APIs often prevent malformed payloads from being serialized.

### Tooling

Bishop Fox released an open-source **Sparkplug B MQTT Security Fuzzer** that automates passive discovery and protocol-aware fuzz categories such as `type_mismatch`, `sequence`, `alias`, `ordering`, `malformed`, and `topic`:

```bash
python3 sparkplug-fuzzer.py --setup
python3 sparkplug-fuzzer.py -H <broker> -p 1883 -v
# Optional auth/TLS
python3 sparkplug-fuzzer.py -H <broker> -p 8883 --tls -u <user> -P <pass> -v
```

The fuzzer listens on `spBv1.0/#`, builds a live device map from observed birth/death traffic, and then generates targeted malformed messages against the discovered schema.

### What to validate during the assessment

- Broker ACLs scoped per Sparkplug group/role instead of broad `spBv1.0/#`
- Rejection/logging of protobuf parse failures and malformed topic layouts
- Rejection of alias rebinding, undefined aliases, and datatype changes after birth
- Correct cleanup of node/device state after `NDEATH`/`DDEATH` and alerts on ghost sessions or repeated rebirths


## Shodan

- `port:1883 MQTT`
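Review bot: the second subscription in the passive-discovery block, `mosquitto_sub -h <broker> -p 1883 -t 'STATE/#' -v`, only catches host-application state under the Sparkplug 2.2 topic layout; in the 3.0.0 spec this page cites, host state is published at `spBv1.0/STATE/{sparkplug_host_id}` and is therefore already covered by the `spBv1.0/#` subscription. Keep `STATE/#` but label it as the legacy 2.2 location so readers do not conclude that a broker with no `STATE/#` traffic has no host application. Two smaller points in the same hunk: the topic template `spBv1.0/{group_id}/{message_type}/{edge_node_id}/{device_id}` should say that `device_id` is present only for device-level messages (`DBIRTH`, `DDATA`, `DCMD`, `DDEATH`); node-level messages end at `{edge_node_id}`, which matters when mutating the namespace. And in the lifecycle fuzz case, `NDEATH` is normally registered as the MQTT Will message at CONNECT and carries a `bdSeq` metric that must match the `bdSeq` in the following `NBIRTH`, so a `bdSeq` mismatch between NDEATH and NBIRTH is worth listing alongside "death without birth".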
Expand All @@ -156,5 +215,9 @@ mosquitto_pub -h <app-broker> -p <port> -V mqttv311 \
## References

- [How a $20 Smart Device Gave Me Access to Your Home](https://bishopfox.com/blog/how-a-20-smart-device-gave-me-access-to-your-home)
- [Sparkplug B Protocol Fuzzing with AI Assistance](https://bishopfox.com/blog/sparkplug-b-protocol-fuzzing-with-ai-assistance)
- [BishopFox/sparkplugFuzzer](https://github.com/BishopFox/sparkplugFuzzer)
- [Sparkplug Specification 3.0.0](https://sparkplug.eclipse.org/specification/version/3.0/documents/sparkplug-specification-3.0.0.pdf)
- [sparkplug_b.proto](https://github.com/eclipse-tahu/tahu/blob/master/sparkplug_b/sparkplug_b.proto)

{{#include ../banners/hacktricks-training.md}}
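Review bot: the `sparkplug_b.proto` reference links the `master` branch of eclipse-tahu/tahu while the spec reference is pinned to 3.0.0; link the proto at a tagged release or a specific commit so the two stay consistent if the schema on `master` moves past the cited spec version.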