# Pentesting Redis ## redis port 6379 * * Enumeration ``` nmap --script redis-info -sV -p 6379 msf> use auxiliary/scanner/redis/redis_server ``` * Manual Enumeration * Redis is a text based protocol, you can just send the command in a socket and the returned values will be readable. Also remember that Redis can run using ssl/tls (but this is very weird). * In a regular Redis instance you can just connect using nc or you could also use redis-cli ``` nc -vn 10.10.10.10 6379 redis-cli -h 10.10.10.10 # sudo apt-get install redis-tools ``` * Run the `info` first, it will either dump the `redis` instance or say `-NOAUTH Authentication required.` * Username / Password are stored in the `redis.conf` file by default ``` grep ^[^#] redis.conf config set requirepass p@ss$12E45. masteruser ``` * Get Connected ``` nc 10.10.63.208 6379 info redis-cli -h 10.10.63.208 10.10.63.208:6379> info NOAUTH Authentication required. 10.10.63.208:6379> AUTH B65Hx562..... OK ``` * Authenticated Enumeration ``` Authenticated enumeration If the Redis instance is accepting anonymous connections or you found some valid credentials, you can start enumerating the service with the following commands: INFO [ ... Redis response with info ... ] client list [ ... Redis response with connected clients ... ] CONFIG GET * [ ... Get config ... ] ``` * Dumping Database * Inside Redis the databases are numbers starting from `0`. You can find if anyone is used in the output of the command info inside the "Keyspace" chunk: * ![alt text](https://gblobscdn.gitbook.com/assets%2F-L_2uGJGU7AVNRcqRvEi%2F-MCwrx6EQpaXH4dsxZl3%2F-MCxgtV3m0F2z4KAOOsB%2Fimage.png?) ``` if value is of type string -> GET if value is of type hash -> HGETALL if value is of type lists -> lrange if value is of type sets -> smembers if value is of type sorted sets -> ZRANGEBYSCORE ``` * Use the TYPE command to check the type of value a key is mapping to: ``` type ``` * redis RCE *