AI-powered MQTT security auditor combining live broker probing, SSH auto-fetch, Claude Sonnet analysis, Haiku validation, and professional PDF + DOT/PNG/SVG output.
swarm.py
That's it. One file, six modes, everything built in.
pip install paho-mqtt reportlab anthropic paramikoOptional (for rendering topology graphs locally):
sudo apt install graphviz # Debian/Ubuntu/Kali/RPi OS
brew install graphviz # macOS- Go to console.anthropic.com
- Add a credit card (you get $5 free credits - enough for ~200 audit runs)
- API Keys → Create Key → copy it
Store it as an environment variable so you don't have to type it every time:
export ANTHROPIC_API_KEY=sk-ant-...python3 swarm.pyShows a numbered menu. Pick a mode, answer the prompts - no flags needed.
python3 swarm.py <mode> [options]python3 swarm.py manualOpens the mqtt-ust lab guide - a structured set of DIY attack scenarios for hands-on learning. No broker connection needed.
What you get: Step-by-step instructions for 5 attack scenarios (auth bypass, ACL abuse, retained message injection, wildcard snooping, DoS flooding) + CVE-2021-34432 root cause analysis.
# Minimum - live probing only (no SSH)
python3 swarm.py audit \
--host 192.168.1.100 \
--api-key sk-ant-...
# Full audit - live probing + SSH auto-fetch of all config files
python3 swarm.py audit \
--host 192.168.1.100 \
--mqtt-user admin --mqtt-pass secret \
--ssh-user pi --ssh-pass raspberry \
--api-key sk-ant-...
# TLS broker
python3 swarm.py audit \
--host 192.168.1.100 --mqtt-port 8883 --tls \
--mqtt-user admin --mqtt-pass secret \
--ssh-user pi --ssh-key ~/.ssh/id_rsa \
--api-key sk-ant-...What happens automatically:
Phase 1 Live MQTT probing (10 checks)
→ anonymous access, default credentials, TLS status,
wildcard subscriptions, retained persistence,
flood rate, oversized payload, client ID collision
Phase 2 SSH into broker host (auto-discovers everything)
→ mosquitto.conf, include_dir/*.conf
→ ACL file (path parsed from conf)
→ password file (user list, not hashes)
→ broker logs (tail 500 lines or journalctl)
→ mosquitto version, service status, world-readable files
Phase 3 Claude Sonnet deep analysis
→ Cross-references live data with static files
→ Finds discrepancies (e.g. conf says auth enabled but anon works)
→ Produces severity-rated findings with evidence + remediation
Claude Haiku validation judge
→ Independently validates each finding
→ Flags false positives
→ Adds confidence score (0–100%) to every finding
Phase 4 Report generation
→ PDF - professional pentest-style report
→ DOT - Graphviz topology source
→ PNG - rendered topology graph
→ SVG - scalable vector topology graph
Output files:
swarm_<host>_<timestamp>_report.pdf
swarm_<host>_<timestamp>_topology.dot
swarm_<host>_<timestamp>_topology.png
swarm_<host>_<timestamp>_topology.svg
# Show FUME commands for your broker (installs FUME if needed)
python3 swarm.py fume \
--host 192.168.1.100 \
--mqtt-user admin --mqtt-pass secret \
--fume-path ./FUME-Fuzzing-MQTT-Brokers
# Install FUME first:
git clone https://github.com/PBearson/FUME-Fuzzing-MQTT-Brokers
cd FUME-Fuzzing-MQTT-Brokers && pip install -r requirements.txt
cd ..What you get: Ready-to-run FUME commands pre-configured for your broker covering CONNECT fuzzing, topic fuzzing, payload size fuzzing, QoS/retain flag fuzzing, and CVE-2021-34432 style zero-length topic testing.
# Interactive - asks you about your deployment, generates a targeted plan
python3 swarm.py smartfuzz \
--api-key sk-ant-...
# With SSH to also pull live config into the strategy
python3 swarm.py smartfuzz \
--host 192.168.1.100 \
--ssh-user pi --ssh-pass raspberry \
--api-key sk-ant-...
# With architecture diagram / context file
python3 swarm.py smartfuzz \
--host 192.168.1.100 \
--context-file ./architecture.txt \
--api-key sk-ant-...What it asks you:
[?] Number of MQTT clients in deployment: 12
[?] Device types: ESP32 temperature sensors, Raspberry Pi gateway
[?] Deployment purpose: Industrial HVAC control
[?] Crown jewel (most critical asset): HVAC control actuator topics
[?] Specific concerns (optional): Rogue device injection
[?] Architecture file (optional): ./arch_diagram.txt
What Claude Sonnet generates + Haiku validates:
- Priority fuzz targets specific to your deployment
- Pre-built FUME commands tailored to your setup
- Crown jewel attack paths (step-by-step)
- Custom payloads for your device types
- Saved to
swarm_smartfuzz_*_strategy.txt
# Without live context (general MQTT security expert)
python3 swarm.py chat \
--api-key sk-ant-...
# With live broker context (recommended - loads real config/ACL/logs)
python3 swarm.py chat \
--host 192.168.1.100 \
--ssh-user pi --ssh-pass raspberry \
--api-key sk-ant-...
# With additional context file
python3 swarm.py chat \
--host 192.168.1.100 \
--ssh-user pi --ssh-pass raspberry \
--context-file ./pentest_notes.txt \
--api-key sk-ant-...What the chatbot knows:
- Your live
mosquitto.conf, ACL file, and broker logs (if SSH provided) - All MQTT protocol vulnerabilities and CVEs
- Mosquitto-specific hardening techniques
- MQTT Mayhem attack scenarios
- OT/ICS and IoT security context
- OWASP IoT Top 10, IEC 62443, NIST IoT
Chat commands:
clear Reset conversation history
save Save transcript to swarm_chat_<timestamp>.txt
exit End the session
Example session:
You: Is my ACL file stopping wildcard subscriptions?
SWARM: Looking at your ACL file, line 7 grants 'topic read #' to user 'device01'...
You: What CVEs affect my version of Mosquitto?
SWARM: Your broker is running 1.6.9 (from the version info collected). This version...
# With live probing (recommended)
python3 swarm.py diagram \
--host 192.168.1.100 \
--mqtt-user admin --mqtt-pass secret \
--ssh-user pi --ssh-pass raspberry \
--api-key sk-ant-...
# Standalone - generates a template diagram without live data
python3 swarm.py diagramGenerates DOT + PNG + SVG topology maps showing the broker, connected clients, observed topics, and security findings - all colour-coded.
| Colour | Meaning |
|---|---|
| 🔴 Red | CRITICAL or HIGH finding / anonymous client / sensitive topic |
| 🟠 Orange | HIGH risk / wildcard subscriber / default credential client |
| 🟡 Amber | MEDIUM risk / $SYS broker internal topic |
| 🟢 Green | Secure / authenticated / TLS enabled |
| 🟣 Purple | SWARM audit tool node itself |
python3 swarm.py <mode> [options]
MODES:
manual No options needed
audit All common options apply
fume --fume-path
smartfuzz --context-file
chat --context-file
diagram All common options apply
COMMON OPTIONS:
--host Broker IP or hostname
--mqtt-port MQTT port (default: 1883)
--mqtt-user MQTT username
--mqtt-pass MQTT password
--tls Enable TLS for MQTT connection
--ssh-user SSH username (enables Phase 2 file auto-fetch)
--ssh-pass SSH password
--ssh-key SSH private key path (e.g. ~/.ssh/id_rsa)
--ssh-port SSH port (default: 22)
--api-key Anthropic API key (or set ANTHROPIC_API_KEY env var)
--output Output file prefix (default: swarm_<host>_<timestamp>)
MODE-SPECIFIC:
fume:
--fume-path Path to FUME installation (default: ./FUME-Fuzzing-MQTT-Brokers)
smartfuzz / chat:
--context-file Path to additional context file (architecture notes, etc.)
| Check | What SWARM Does |
|---|---|
| Anonymous Access | Connects with no credentials - CRITICAL if accepted |
| Default Credentials | Tests 15 common pairs (admin/admin, pi/raspberry, etc.) |
| Supplied Credentials | Validates your provided credentials |
| TLS / Encryption | Probes port 8883, checks cipher and TLS version |
| Plain-text Exposure | Flags if both 1883 and 8883 are open simultaneously |
| Wildcard Subscription | Subscribes to # and $SYS/#, reports what leaks |
| Retained Message Abuse | Publishes retained msg, reconnects, confirms persistence |
| Topic ACL Isolation | Attempts publish to /admin/cmd and other sensitive topics |
| Rate Limiting / Flood | Sends 200-message burst, measures accepted msg/s |
| Oversized Payload | Sends 512 KB message, checks if message_size_limit is set |
| Client ID Collision | Connects twice with same ID, detects session hijack risk |
| mosquitto.conf | Checks every security-relevant directive via SSH |
| ACL file | Checks for wildcard abuse, missing restrictions, $SYS access |
| Broker logs | Detects brute force, flooding, denied access, suspicious patterns |
┌─────────────────────────────────────────────┐
│ Claude Sonnet 4.6 │
│ Deep analysis, findings generation, │
│ fuzzing strategy, chat responses │
└────────────────────┬────────────────────────┘
│ findings + evidence
▼
┌─────────────────────────────────────────────┐
│ Claude Haiku 4.5 │
│ Independent validation judge: │
│ · Is evidence accurate? │
│ · Is severity correctly calibrated? │
│ · Flag false positives │
│ · Confidence score per finding (0–100%) │
└─────────────────────────────────────────────┘
Every finding in the report shows its Haiku confidence score. Low confidence findings are clearly marked for manual review.
# Step 1: Understand the manual lab first
python3 swarm.py manual
# Step 2: Run the full AI audit against your target
python3 swarm.py audit \
--host 192.168.1.100 \
--mqtt-user admin --mqtt-pass secret \
--ssh-user pi --ssh-pass raspberry
# Step 3: Chat with the expert about specific findings
python3 swarm.py chat \
--host 192.168.1.100 \
--ssh-user pi --ssh-pass raspberry
# Step 4: Build a targeted fuzzing plan
python3 swarm.py smartfuzz \
--host 192.168.1.100 \
--ssh-user pi --ssh-pass raspberry
# Step 5: Execute fuzzing with FUME
python3 swarm.py fume \
--host 192.168.1.100 \
--mqtt-user admin --mqtt-pass secret
# Step 6: Generate standalone diagram for the report
python3 swarm.py diagram \
--host 192.168.1.100 \
--ssh-user pi --ssh-pass raspberry| File | Mode | Description |
|---|---|---|
swarm_*_report.pdf |
audit, smartfuzz | Full security report with findings, Haiku scores, remediation |
swarm_*_topology.dot |
audit, diagram, smartfuzz | Graphviz source file |
swarm_*_topology.png |
audit, diagram, smartfuzz | Rendered topology image |
swarm_*_topology.svg |
audit, diagram, smartfuzz | Scalable vector topology |
swarm_smartfuzz_*_strategy.txt |
smartfuzz | Full AI fuzzing strategy JSON |
swarm_chat_*.txt |
chat | Saved conversation transcript |
paho-mqtt not installed
pip install paho-mqttparamiko not installed (SSH Phase 2 skips silently)
pip install paramikographviz not installed (DOT file still saved, just not auto-rendered)
sudo apt install graphviz # Linux
brew install graphviz # macOS
# Then manually render:
dot -Tpng topology.dot -o topology.png
dot -Tsvg topology.dot -o topology.svg
# Or paste .dot content into: https://dreampuf.github.io/GraphvizOnline/SSH connection refused
- Ensure SSH is running on the broker host:
sudo systemctl start ssh - Ensure the SSH user has read access to
/etc/mosquitto/ - Try
--ssh-keyinstead of--ssh-passfor key-based auth
API key errors
- Verify key starts with
sk-ant- - Check you have credits at console.anthropic.com
- Or set:
export ANTHROPIC_API_KEY=sk-ant-...
| Feature | SWARM | MQTTSA | MQTT Explorer | mqttui |
|---|---|---|---|---|
| Live security probing | ✅ | ✅ | ❌ | ❌ |
| SSH auto-fetch config/ACL/logs | ✅ | ❌ | ❌ | ❌ |
| AI-powered analysis (Claude) | ✅ | ❌ | ❌ | ❌ |
| Dual-model validation (Haiku judge) | ✅ | ❌ | ❌ | ❌ |
| PDF pentest report | ✅ | ✅ | ❌ | ❌ |
| DOT/PNG/SVG topology with security colour coding | ✅ | ❌ | ❌ | ❌ |
| AI-powered fuzzing strategy | ✅ | ❌ | ❌ | ❌ |
| Expert AI chatbot with live context | ✅ | ❌ | ❌ | ❌ |
| Interactive CLI menu | ✅ | ❌ | ❌ | ❌ |
- mqtt-ust Manual Testing Lab
- FUME - Fuzzing MQTT Brokers
- MQTTSA - MQTT Security Assessment
- CVE-2021-34432 - Mosquitto zero-length topic crash
- OWASP IoT Top 10
- Anthropic API Docs
For authorised security testing and educational purposes only. Do not run against brokers you do not own or have explicit written permission to test.
Powered by Claude Sonnet 4.6 (analysis) + Claude Haiku 4.5 (validation judge)