AverageSecurityGuy

Security, Programming, Pentesting

About

Twitter

Linked In

Projects

Cheat Sheets

Book

17 September 2015

Pentesting Redis Servers

by {"login"=>"averagesecurityguy", "email"=>"stephen@averagesecurityguy.info", "display_name"=>"averagesecurityguy", "first_name"=>"", "last_name"=>""}

Redis is an in-memory key/value data store used to handle backend data for many web applications. Often, Redis is used to store configuration information, session information, and user profile information. By default the Redis server does not require authentication for client access. This is not a problem if Redis is only listening on localhost but often it is not.

Finding Redis Servers

By default Redis listens on port 6379, which is not in the Nmap top 1000 port list or the /etc/services list used by Nessus. You will need to scan specifically for this service if you want to find it.

Interacting with Redis

The easiest way to interact with Redis is to use the Redis CLI client, redis-cli. On Kali2 you can install the client by installing the redis-tools package with apt-get. After installing redis-cli you can connect to the Redis server using redis-cli -h <hostname> -p <port>.

Once connected you can use the following commands to gather data from the server:

The full list of supported commands can be found here: http://redis.io/commands. This list is all of the commands supported in the latest version of Redis. Some of the commands may not work in older versions.

In addition to redis-cli, you can also access a Redis server using a number of programming languages. A full list of Redis clients by language is available here: http://redis.io/clients.

Simple Python Example

To use the example script below you will need to install the redis-py library using pip install redis. If Pip is not installed you can install it on Kali using apt-get install python-pip.

import redis
db = redis.StrictRedis(host='127.0.0.1', port=6379)

# If we have a hash key, print all of the fields and values.
for key in db.keys():
    if db.type(key) == ‘hash’:
        r = db.hgetall(key)
        print('--------')
        for k in r:
            print('Field: {0} Value: {1}'.format(k, r['k']))
        print('--------')

Update

If you come across a Redis server that is password protected, there is an NSE script that can be used to brute force the password. Once you find the password you can connect to the server using redis-cli -h <host> -p <port> -a <password>.

Update 2015/09/18

Thanks @bonsaiviking for pointing out the redis-info NSE script. So if you are hunting specifically for Redis servers you can use something like this:

nmap -p 6379 --script=redis-info 127.0.0.1 --open

Which should yield results like this:

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-09-18 12:02 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000062s latency).
PORT     STATE SERVICE
6379/tcp open  unknown
| redis-info: 
|   Version            2.8.17
|   Operating System   Linux 4.0.0-kali1-amd64 x86_64
|   Architecture       64 bits
|   Process ID         8020
|   Used CPU (sys)     0.04
|   Used CPU (user)    0.06
|   Connected clients  1
|   Connected slaves   0
|   Used memory        491.84K
|_  Role               master

Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds

You can also scan for Redis servers using Metasploit with the auxiliary/scanner/misc/redis_server.

tags: python - Redis