Pentesting Redis

Redis listens on TCP port 6379 by default.

  • https://book.hacktricks.xyz/pentesting/6379-pentesting-redis

  • Enumeration

nmap --script redis-info -sV -p 6379 <IP>
msf> use auxiliary/scanner/redis/redis_server
  • Manual Enumeration

  • Redis speaks a text-based protocol (RESP): you can write commands to a raw socket and read the replies directly. Since Redis 6 the server can also be configured to listen with TLS, but that is uncommon; if nc gets no plaintext reply, try openssl s_client or redis-cli --tls instead.

  • In a regular (plaintext) Redis instance you can connect with nc, or with redis-cli:

nc -vn 10.10.10.10 6379
redis-cli -h 10.10.10.10 # sudo apt-get install redis-tools
  • Run INFO first: an unprotected instance dumps its server details, a protected one answers -NOAUTH Authentication required.

  • Credentials live in redis.conf: requirepass sets the password (Redis 6+ can also define ACL users with user directives), and masterauth / masteruser hold the credentials a replica uses to authenticate to its master, so they are worth harvesting too. If you can read the file, print its active (non-comment) lines:

grep ^[^#] redis.conf
  • The same settings can also be applied at runtime from an authenticated session, so a password is not necessarily in the file at all (CONFIG GET requirepass shows the live value):

config set requirepass p@ss$12E45.
  • Get Connected

nc 10.10.63.208 6379
info
<server reply>
redis-cli -h 10.10.63.208
10.10.63.208:6379> info
(error) NOAUTH Authentication required.
10.10.63.208:6379> AUTH B65Hx562.....
OK
  • Authenticated Enumeration

If the Redis instance accepts anonymous connections or you found valid credentials, start enumerating the service with the following commands (CONFIG GET * is the interesting one: it exposes dir, dbfilename and requirepass among others):
INFO
[ ... Redis response with info ... ]
client list
[ ... Redis response with connected clients ... ]
CONFIG GET *
[ ... Get config ... ]
  • Dumping Database

  • Redis databases are numbered from 0. The "Keyspace" section of the INFO output shows which ones hold keys (one line per populated database, e.g. db0:keys=3,expires=0,avg_ttl=0); SELECT <n> switches to a database and KEYS * lists its keys. The read command depends on the value type:

if value is of type string     -> GET <key>
if value is of type hash       -> HGETALL <key>
if value is of type list       -> LRANGE <key> 0 -1 (0 -1 returns the whole list)
if value is of type set        -> SMEMBERS <key>
if value is of type sorted set -> ZRANGEBYSCORE <key> -inf +inf (add WITHSCORES to see the scores)
  • Use the TYPE command to check which type a key maps to:

TYPE <key>
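The manual enumeration and database-dump steps above, as an added worked example that is not code from the original page: a minimal client speaking RESP (the Redis wire protocol) that frames commands the way redis-cli does, parses the five reply types, runs INFO, reacts to -NOAUTH by sending AUTH, then walks the Keyspace section and reads every key with the command matching its TYPE. `scripted_send` is a constructed stand-in for a password-protected instance so the script runs offline; the sample keys, the password s3cret-example and the function names are my own assumptions, and `socket_sender` is plain TCP (a TLS-enabled instance would need the socket wrapped with ssl first).

```python
import re
import socket
import sys

class RedisError(Exception): pass        # "-ERR ..." reply, returned (not raised) so callers can inspect it
class IncompleteReply(Exception): pass   # more bytes needed before a whole reply can be parsed

def encode_command(*args):
    """Frame a command as a RESP array of bulk strings, exactly as redis-cli sends it."""
    return b"*%d\r\n" % len(args) + b"".join(b"$%d\r\n%s\r\n" % (len(a), a) for a in map(str.encode, args))

def parse_reply(buf):
    """Parse one RESP reply from the front of buf; return (value, unconsumed bytes)."""
    kind, (line, sep, rest) = buf[:1], buf[1:].partition(b"\r\n")
    if not sep: raise IncompleteReply
    if kind == b"+": return line.decode(), rest                       # simple string, e.g. +OK
    if kind == b"-": return RedisError(line.decode()), rest           # error, e.g. -NOAUTH ...
    if kind == b":": return int(line), rest                           # integer
    if kind == b"$":                                                  # bulk string; $-1 is nil
        n = int(line)
        if n == -1: return None, rest
        if len(rest) < n + 2: raise IncompleteReply
        return rest[:n].decode(errors="replace"), rest[n + 2:]
    if kind == b"*":                                                  # array, elements parsed recursively
        items = []
        for _ in range(max(int(line), 0)):
            item, rest = parse_reply(rest)
            items.append(item)
        return (None if line == b"-1" else items), rest
    raise ValueError("unknown RESP type %r" % kind)

def socket_sender(host, port=6379):
    """send(*args) bound to a plaintext TCP connection (a TLS-enabled instance needs ssl wrapping first)."""
    sock, buf = socket.create_connection((host, port), timeout=5), b""
    def send(*args):
        nonlocal buf
        sock.sendall(encode_command(*args))
        while True:                                   # read until one whole reply is buffered
            try:
                value, buf = parse_reply(buf)
                return value
            except IncompleteReply:
                buf += sock.recv(65536) or sys.exit("server closed the connection")
    return send

def info_with_auth(send, password=None):
    """Run INFO first; on -NOAUTH, AUTH with the supplied password and retry once."""
    reply = send("INFO")
    if isinstance(reply, RedisError) and str(reply).startswith("NOAUTH") and password:
        ok = send("AUTH", password)
        if isinstance(ok, RedisError):                # e.g. WRONGPASS
            raise ok
        reply = send("INFO")
    return reply                                      # INFO text, or the NOAUTH error when no password was given

def parse_keyspace(info_text):
    """{db_index: key_count} parsed from the '# Keyspace' section of INFO."""
    return {int(m[1]): int(m[2]) for m in re.finditer(r"^db(\d+):keys=(\d+)", info_text, re.M)}

READ = {"string": ("GET",), "hash": ("HGETALL",), "list": ("LRANGE", "0", "-1"),
        "set": ("SMEMBERS",), "zset": ("ZRANGEBYSCORE", "-inf", "+inf", "WITHSCORES")}
def dump_key(send, key):
    """Read one key with the command matching its TYPE (the table above)."""
    t = send("TYPE", key)
    if t not in READ: return ("unsupported type", t)
    cmd, *extra = READ[t]
    v = send(cmd, key, *extra)
    if t in ("hash", "zset"):                         # flat [field, value, field, value, ...] arrays
        return dict(zip(v[::2], v[1::2]))
    return set(v) if t == "set" else v

def dump_all(send, info_text):                        # SELECT each populated db and dump every key in it
    out = {}
    for db in sorted(parse_keyspace(info_text)):
        send("SELECT", str(db))
        out[db] = {k: dump_key(send, k) for k in send("KEYS", "*")}
    return out

def scripted_send(password, data):
    """Constructed offline stand-in for a password-protected, single-db instance (demo/tests only)."""
    state, types = {"authed": False}, {str: "string", dict: "hash", list: "list"}
    def send(cmd, *args):
        if cmd == "AUTH":
            state["authed"] = args[0] == password
            return "OK" if state["authed"] else RedisError("WRONGPASS invalid username-password pair")
        if not state["authed"]:
            return RedisError("NOAUTH Authentication required.")
        v = data.get(args[0]) if args else None
        return {"INFO": lambda: "# Keyspace\r\ndb0:keys=%d,expires=0,avg_ttl=0\r\n" % len(data),
                "SELECT": lambda: "OK", "KEYS": lambda: list(data), "GET": lambda: v,
                "TYPE": lambda: types.get(type(v), "none"), "LRANGE": lambda: list(v),
                "HGETALL": lambda: [x for kv in v.items() for x in kv]}[cmd]()
    return send

if __name__ == "__main__":                            # usage: python redis_enum.py [host [password]]; no host = offline demo
    host, password = (sys.argv[1:] + [None, None])[:2]
    demo = {"user:1": "alice", "session:1": {"uid": "1", "role": "admin"}, "queue": ["job-a", "job-b"]}
    send = socket_sender(host) if host else scripted_send("s3cret-example", demo)
    info = info_with_auth(send, password if host else "s3cret-example")
    print(info if isinstance(info, RedisError) else dump_all(send, info))
```

Run it with a host (and password) to use it against a real target, or with no arguments for the offline demo. KEYS * is fine during an assessment of a small instance, but it blocks the server while it scans a large keyspace; on a busy production target SCAN is the polite replacement.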
  • Redis RCE

  • https://github.com/Ridter/redis-rce
