nmap --script redis-info -sV -p 6379 <IP>
msf> use auxiliary/scanner/redis/redis_server
- Manual Enumeration
- Redis is a text-based protocol: you can send commands over a plain socket and the replies are human-readable. Redis can also run over SSL/TLS, although this is uncommon.
- On a regular Redis instance you can connect with nc, or use redis-cli:
nc -vn 10.10.10.10 6379
redis-cli -h 10.10.10.10 # sudo apt-get install redis-tools
- Run the info command first. It will either return information about the Redis instance or reply with -NOAUTH Authentication required.
- Username / Password are stored in the redis.conf file by default
grep '^[^#]' redis.conf
config set requirepass p@ss$12E45.
masteruser
nc 10.10.63.208 6379
info
<server reply>
redis-cli -h 10.10.63.208
10.10.63.208:6379> info
NOAUTH Authentication required.
10.10.63.208:6379> AUTH B65Hx562.....
OK
- Authenticated Enumeration
If the Redis instance is accepting anonymous connections or you found some valid credentials, you can start enumerating the service with the following commands:
INFO
[ ... Redis response with info ... ]
client list
[ ... Redis response with connected clients ... ]
CONFIG GET *
[ ... Get config ... ]
- Dumping Database
- Inside Redis, databases are identified by numbers starting from 0. You can see whether any of them is in use in the "Keyspace" section of the output of the info command:

if value is of type string -> GET <key>
if value is of type hash -> HGETALL <key>
if value is of type lists -> lrange <key> <start> <end>
if value is of type sets -> smembers <key>
if value is of type sorted sets -> ZRANGEBYSCORE <key> <min> <max>
- Use the TYPE command to check the type of value a key is mapping to:
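Added example (not part of the original notes): Python that parses the "Keyspace" section of an INFO reply to list the databases in use, and maps a TYPE reply to the matching read command from the list above. The INFO text is a constructed sample, the function names are hypothetical, and the full-range arguments (0 -1, -inf +inf) are choices made for this example.

```python
import re

# Constructed sample of an INFO reply (not taken from a real server).
SAMPLE_INFO = """\
# Server
redis_version:6.2.6

# Keyspace
db0:keys=4,expires=0,avg_ttl=0
db3:keys=12,expires=2,avg_ttl=8513
"""

# TYPE reply -> read command, following the mapping listed on this page.
READ_COMMAND = {
    "string": "GET {key}",
    "hash": "HGETALL {key}",
    "list": "LRANGE {key} 0 -1",               # 0 -1 = whole list
    "set": "SMEMBERS {key}",
    "zset": "ZRANGEBYSCORE {key} -inf +inf",   # -inf +inf = every score
}


def parse_keyspace(info_text):
    """Return {db_index: {"keys": n, "expires": n, ...}} for databases in use."""
    used, in_section = {}, False
    for line in info_text.splitlines():  # splitlines() also copes with CRLF
        line = line.strip()
        if line.startswith("#"):
            # Section headers look like "# Keyspace"; track the one we want.
            in_section = line.lower() == "# keyspace"
            continue
        m = re.fullmatch(r"db(\d+):(.+)", line)
        if in_section and m:
            fields = dict(f.split("=", 1) for f in m.group(2).split(","))
            used[int(m.group(1))] = {k: int(v) for k, v in fields.items() if v.isdigit()}
    return used


def read_command(type_reply, key):
    """Map a TYPE reply ("string", or "+string" on a raw socket) to a read command."""
    kind = type_reply.strip().lstrip("+").lower()
    template = READ_COMMAND.get(kind)
    # "none" (key does not exist) and types not listed on the page return None.
    return template.format(key=key) if template else None


if __name__ == "__main__":
    for db, stats in parse_keyspace(SAMPLE_INFO).items():
        print(f"SELECT {db}  # {stats['keys']} keys")
    print(read_command("+hash", "session:1"))
```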