Pentesting Redis
redis port 6379
https://book.hacktricks.xyz/pentesting/6379-pentesting-redis
Enumeration
nmap --script redis-info -sV -p 6379 <IP>
msf> use auxiliary/scanner/redis/redis_server
Manual Enumeration
Redis uses a text-based protocol: you can send a command over a raw socket and the returned values are readable. Also remember that Redis can run over SSL/TLS (though this is uncommon).
In a regular Redis instance you can connect with nc, or you can use redis-cli:
nc -vn 10.10.10.10 6379
redis-cli -h 10.10.10.10 # sudo apt-get install redis-tools
Run the info command first: it will either dump the Redis instance information or reply -NOAUTH Authentication required.
The password (requirepass) and replication credentials (masteruser) are stored in the redis.conf file by default:
grep ^[^#] redis.conf
config set requirepass p@ss$12E45.
masteruser
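A defender-side check built on the grep above, as an added example that is not from the original page: it collects the active (non-comment) directives of a constructed redis.conf fragment and reports the settings that leave port 6379 exposed (missing requirepass, bind on all interfaces, protected-mode off). SAMPLE_CONF and the function names are assumptions of this example.

```python
from typing import Dict, List

# Constructed sample redis.conf fragment (not a real deployment).
SAMPLE_CONF = """
# Redis configuration file example
bind 0.0.0.0
port 6379
protected-mode no
# requirepass foobared
masteruser replicator
"""


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Collect active directives, the same lines `grep ^[^#] redis.conf` shows."""
    conf: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        # Directives such as rename-command may repeat, so keep a list per name.
        conf.setdefault(name.lower(), []).append(args.strip())
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return the findings to fix before this instance is reachable over the network."""
    conf = parse_redis_conf(text)
    findings: List[str] = []
    if "requirepass" not in conf or not conf["requirepass"][0]:
        findings.append("no requirepass: anonymous clients can run INFO and CONFIG GET")
    # No bind line at all means Redis listens on every interface.
    binds = conf.get("bind", [""])[0].split()
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind allows all interfaces: restrict to 127.0.0.1 or an internal address")
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote access is not blocked")
    if "masteruser" in conf and "masterauth" not in conf:
        findings.append("masteruser set without masterauth: replication credentials are incomplete")
    return findings


if __name__ == "__main__":
    for finding in audit_redis_conf(SAMPLE_CONF):
        print("-", finding)
```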
Get Connected
nc 10.10.63.208 6379
info
<server reply>
redis-cli -h 10.10.63.208
10.10.63.208:6379> info
NOAUTH Authentication required.
10.10.63.208:6379> AUTH B65Hx562.....
OK
Authenticated Enumeration
If the Redis instance is accepting anonymous connections or you found some valid credentials, you can start enumerating the service with the following commands:
INFO
[ ... Redis response with info ... ]
client list
[ ... Redis response with connected clients ... ]
CONFIG GET *
[ ... Get config ... ]
Dumping Database
Inside Redis the databases are numbered starting from 0. You can find out whether any of them is in use from the "Keyspace" section of the info output. Once you have a key, read it according to its type:
if value is of type string -> GET <key>
if value is of type hash -> HGETALL <key>
if value is of type lists -> lrange <key> <start> <end>
if value is of type sets -> smembers <key>
if value is of type sorted sets -> ZRANGEBYSCORE <key> <min> <max>
Use the TYPE command to check the type of value a key is mapping to:
type <key>
redis RCE
https://github.com/Ridter/redis-rce