Joffrey – Stupid MQTT Brute Forcer

If you don’t know what the MQTT protocol is I suggest watching the lecture “DEFCON 24 – Light Weight Protocol: Critical Implications” by Lucas Lundgren.

Joffrey is a wordlist based multi-threaded brute forcer for protected MQTT brokers. It can be found here on Github. The script is written in Python and is pretty straightforward.

Usage: python [ARGS]

  -h, --help           show this help message and exit
  -t TARGET            Target domain or ip to invade
  -p PORT              Target port (optional)
  --threads=NRTHREADS  Amount of threads for the King to do as he please with
  -u USERNAME          Specify username
  -w WORDLIST          Path to wordlist