Pentesting Redis
Redis default port: 6379
https://book.hacktricks.xyz/pentesting/6379-pentesting-redis
Enumeration
nmap --script redis-info -sV -p 6379 <IP>
msf> use auxiliary/scanner/redis/redis_server

Manual Enumeration
Redis uses a text-based protocol: you can send commands over a raw socket and the replies are human-readable. Also remember that Redis can run over SSL/TLS (although this is unusual).
In a regular Redis instance you can connect with nc, or with redis-cli:
nc -vn 10.10.10.10 6379
redis-cli -h 10.10.10.10 # sudo apt-get install redis-tools

Run info first: it will either dump the Redis instance information or reply -NOAUTH Authentication required. Username / password are stored in the redis.conf file by default:
grep ^[^#] redis.conf
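The grep above lists only the active (non-comment) directives. As an added example that is not part of the original notes, the following Python does the same filtering and then audits those directives for the settings that decide whether an exposed instance answers anonymous commands. It assumes the standard redis.conf directives requirepass, bind, protected-mode and rename-command; both configs it reads are constructed samples, not files from any real host.

```python
"""Audit the active directives of a redis.conf (added example, constructed input)."""
from typing import Dict, List, Tuple

# Constructed sample: the classic exposed-instance configuration.
SAMPLE_CONF = """\
# Redis configuration (constructed sample)
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so anyone who reaches the port is trusted
#requirepass s3cr3t
"""

# Constructed sample: a hardened configuration for comparison.
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
requirepass Hq7vP2zL9mXa4wTbK8nR1eYc
rename-command CONFIG ""
"""


def active_directives(conf_text: str) -> List[Tuple[str, str]]:
    """Equivalent of `grep ^[^#] redis.conf`: keep non-empty, non-comment lines."""
    out = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        out.append((name, value))
    return out


def audit(conf_text: str) -> Dict[str, str]:
    """Return a dict of directive -> finding; empty dict means nothing to report."""
    values: Dict[str, str] = {}
    renamed = set()
    for name, value in active_directives(conf_text):
        if name == "rename-command":
            # `rename-command CONFIG ""` disables CONFIG entirely.
            renamed.add(value.split()[0].upper())
        else:
            values[name] = value

    findings: Dict[str, str] = {}
    password = values.get("requirepass")
    if not password:
        findings["requirepass"] = ("unset: every client that reaches the port can run commands "
                                   "(INFO will dump the instance instead of replying NOAUTH)")
    elif len(password) < 16:
        findings["requirepass"] = ("set but short: Redis answers AUTH very fast, so a short "
                                   "password is brute-forceable; use a long random value")
    bind = values.get("bind")
    # No bind line, or a wildcard address, means the instance listens on all interfaces.
    if bind is None or any(addr in ("0.0.0.0", "::", "*") for addr in bind.split()):
        findings["bind"] = "listens on all interfaces; bind to loopback or an internal address"
    if values.get("protected-mode", "yes").lower() == "no":
        findings["protected-mode"] = "disabled; combined with no password this is the exposed-instance case"
    if "CONFIG" not in renamed:
        findings["config"] = ("CONFIG not renamed or disabled; CONFIG GET * reveals the live "
                              "settings and CONFIG SET changes them at runtime")
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```

Run it as a script to see the two reports side by side; the function returns a dict so it can also be dropped into a fleet-wide config check.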
config set requirepass p@ss$12E45.
masteruser

Get Connected
nc 10.10.63.208 6379
info
<server reply>
redis-cli -h 10.10.63.208
10.10.63.208:6379> info
NOAUTH Authentication required.
10.10.63.208:6379> AUTH B65Hx562.....
OK
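The session above shows the two possible answers to info on a raw socket. As an added example (not from the original page), here is a minimal encoder/decoder for the Redis wire protocol (RESP) that builds the command bytes redis-cli sends and classifies the reply, so a defender checking their own hosts can tell an open instance from one that answers -NOAUTH. The sample replies are constructed, not captured from a real server.

```python
"""Minimal RESP codec for reading Redis replies by hand (added example)."""
from typing import Any, Tuple


def encode_command(*args: str) -> bytes:
    """Encode a command as the RESP array redis-cli sends: *<n>\\r\\n$<len>\\r\\n<arg>\\r\\n ...

    Over nc you can also type the inline form ("INFO\\r\\n"); the server accepts both.
    """
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        out.append(b"$" + str(len(raw)).encode() + b"\r\n" + raw + b"\r\n")
    return b"".join(out)


def encode_bulk_reply(text: str) -> bytes:
    """Build a RESP bulk-string reply ($<len>\\r\\n<payload>\\r\\n), the shape INFO returns."""
    raw = text.encode()
    return b"$" + str(len(raw)).encode() + b"\r\n" + raw + b"\r\n"


def decode_reply(data: bytes) -> Tuple[str, Any, bytes]:
    """Decode one RESP reply; returns (kind, value, remaining_bytes).

    kind is 'status' (+), 'error' (-), 'integer' (:), 'bulk' ($) or 'array' (*).
    """
    prefix, rest = data[:1], data[1:]
    line, _, rest = rest.partition(b"\r\n")
    if prefix == b"+":
        return "status", line.decode(), rest
    if prefix == b"-":
        return "error", line.decode(), rest
    if prefix == b":":
        return "integer", int(line), rest
    if prefix == b"$":
        length = int(line)
        if length == -1:               # null bulk string, e.g. GET on a missing key
            return "bulk", None, rest
        payload, rest = rest[:length], rest[length + 2:]   # skip the trailing CRLF
        return "bulk", payload.decode(), rest
    if prefix == b"*":
        count = int(line)
        items = []
        for _ in range(count):
            _, item, rest = decode_reply(rest)
            items.append(item)
        return "array", items, rest
    raise ValueError(f"unknown RESP prefix {prefix!r}")


def classify_info_reply(data: bytes) -> str:
    """Summarise what the reply to INFO says about the instance's exposure."""
    kind, value, _ = decode_reply(data)
    if kind == "error" and value.startswith("NOAUTH"):
        return "auth-required"       # requirepass is set; unauthenticated access is refused
    if kind == "bulk" and value is not None:
        return "open"                # the server dumped its info: no authentication in place
    return "other"


# Constructed sample replies (not captured from a real server).
SAMPLE_NOAUTH = b"-NOAUTH Authentication required.\r\n"
SAMPLE_INFO = encode_bulk_reply("# Server\r\nredis_version:6.2.6\r\nredis_mode:standalone\r\n")

if __name__ == "__main__":
    print(encode_command("INFO"))
    print(classify_info_reply(SAMPLE_NOAUTH), classify_info_reply(SAMPLE_INFO))
```

The decoder returns the unconsumed bytes so it can be called repeatedly on a socket buffer that holds several replies; that matters for pipelined checks where one read may contain both the AUTH status and the INFO bulk string.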
Authenticated enumeration
If the Redis instance accepts anonymous connections or you found valid credentials, you can start enumerating the service with the following commands:
INFO
[ ... Redis response with info ... ]
client list
[ ... Redis response with connected clients ... ]
CONFIG GET *
[ ... Get config ... ]

Dumping Database
Inside Redis, databases are identified by numbers starting from 0. You can find which ones are in use in the "Keyspace" section of the info output.
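As an added example (not part of the original notes), the following Python parses the Keyspace section of a constructed INFO reply to find the databases in use and then, given the answers TYPE would give for each key (a constructed map here; in practice gathered per database with SELECT, SCAN and TYPE), builds the read command from the list in this section for each key, skipping types the list does not cover such as streams. For a defender this is a quick way to measure what data an unauthenticated instance would hand over.

```python
"""Find used databases in INFO output and plan per-type reads (added example)."""
import re
from typing import Dict, List

# Constructed INFO excerpt; only non-empty databases appear under # Keyspace.
SAMPLE_INFO = """\
# Server
redis_version:6.2.6

# Keyspace
db0:keys=3,expires=0,avg_ttl=0
db2:keys=10,expires=1,avg_ttl=5000
"""

# Constructed answers of TYPE <key> per database (what SELECT/SCAN/TYPE would return).
SAMPLE_TYPES = {
    0: {"config:smtp": "hash", "counter": "string", "events": "stream"},
    2: {"queue": "list"},
}

KEYSPACE_RE = re.compile(r"^db(\d+):keys=(\d+),expires=(\d+)")

# Read command for each reply of TYPE, as listed in this section of the notes.
READ_COMMAND = {
    "string": ("GET", "{key}"),
    "hash": ("HGETALL", "{key}"),
    "list": ("LRANGE", "{key} 0 -1"),
    "set": ("SMEMBERS", "{key}"),
    "zset": ("ZRANGEBYSCORE", "{key} -inf +inf"),
}


def databases_in_use(info_text: str) -> Dict[int, int]:
    """Map database number -> key count from the Keyspace section of INFO."""
    dbs: Dict[int, int] = {}
    in_keyspace = False
    for raw in info_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):          # section header such as "# Server" or "# Keyspace"
            in_keyspace = line == "# Keyspace"
            continue
        if in_keyspace:
            match = KEYSPACE_RE.match(line)
            if match:
                dbs[int(match.group(1))] = int(match.group(2))
    return dbs


def read_command_for(key: str, key_type: str) -> str:
    """Build the read command for a key from the value TYPE reported for it."""
    if key_type not in READ_COMMAND:
        raise ValueError(f"no read command for type {key_type!r}")
    cmd, args = READ_COMMAND[key_type]
    return f"{cmd} {args.format(key=key)}"


def plan_dump(info_text: str, key_types: Dict[int, Dict[str, str]]) -> List[str]:
    """List the commands, database by database, that would read every known key."""
    commands: List[str] = []
    for db in sorted(databases_in_use(info_text)):
        commands.append(f"SELECT {db}")
        for key, key_type in sorted(key_types.get(db, {}).items()):
            try:
                commands.append(read_command_for(key, key_type))
            except ValueError:
                commands.append(f"# skip {key}: unsupported type {key_type}")
    return commands


if __name__ == "__main__":
    print(databases_in_use(SAMPLE_INFO))
    print("\n".join(plan_dump(SAMPLE_INFO, SAMPLE_TYPES)))
```

The key-count map is the useful defender metric on its own: an internet-facing instance whose Keyspace section is empty leaks nothing but configuration, while one with thousands of keys in db0 is a data exposure.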
if value is of type string -> GET <key>
if value is of type hash -> HGETALL <key>
if value is of type list -> LRANGE <key> <start> <end>
if value is of type set -> SMEMBERS <key>
if value is of type sorted set -> ZRANGEBYSCORE <key> <min> <max>

Use the TYPE command to check the type of value a key is mapping to:
TYPE <key>

redis RCE
https://github.com/Ridter/redis-rce