Sonoff Exploiter

Sonoff is a smart switch made for smart home automation. Sonoff devices connected to an MQTT broker can be manipulated by publishing certain special crafted messages.


A sonoff device that is connected to our MQTT broker will subscribe to certain topics in order to get commands from its operator. We can utilize this fact to send the same messages to those topics but from our end.

When we publish the message to a certain topic, the sonoff device will execute that command and send the results to the RESULT topic (with the same prefix as the former topic).


We currently support 17 types of commands:

  • FullTopic
  • Hostname
  • IPAddress1
  • MqttClient
  • MqttHost
  • MqttPassword
  • MqttUser
  • Password
  • Password2
  • SSId
  • SSId2
  • WebConfig
  • WebPassword
  • WebServer
  • WifiConfig
  • otaU


In order to execute this exploit, a special plugin was created. Let’s examine the help strings:

>> sonoff --help
usage: sonoff [-h] [-p PREFIX] [-t TIMEOUT]

Sonoff devices tend to share certain information on demand. This module looks
for those pieces of information actively.

optional arguments:
  -h, --help            show this help message and exit
  -p PREFIX, --prefix PREFIX
                        the topic prefix of the sonoff device (default:
  -t TIMEOUT, --timeout TIMEOUT
                        for how long to listen (default: 10)

First, we need to find out what is the topic prefix of our victim. We can achieve this by using the topics command. Once we have it, simply feed it to the sonoff plugin and look for output.