Security, Programming, Pentesting
by averagesecurityguy
Redis is an in-memory key/value data store used to handle backend data for many web applications. Often, Redis is used to store configuration information, session information, and user profile information. By default the Redis server does not require authentication for client access. This is not a problem if Redis is only listening on localhost, but often it is not. (Redis 3.2 and later add a "protected mode" that refuses connections from non-loopback addresses when no password and no explicit bind address are configured; older releases, and any instance where the administrator has turned protected mode off or bound to 0.0.0.0, still accept anonymous connections from anywhere.)
By default Redis listens on port 6379, which is not in the Nmap top 1000 port list or the /etc/services list used by Nessus, so a default scan will not find it. You will need to scan specifically for this port (for example, nmap -p 6379) if you want to find the service, and keep in mind that an administrator can run Redis on any port.
The easiest way to interact with Redis is to use the Redis CLI client, redis-cli. On Kali 2 you can install the client with apt-get install redis-tools. After installing it you can connect to the Redis server using redis-cli -h <hostname> -p <port>.
Once connected you can use the following commands to gather data from the server:
info
- Outputs server data including version, number of databases, and the number of keys in each database (the Keyspace section).
select <n>
- Select a database to work with. By default Redis has 16 databases available, 0 - 15. Typically, only 0 is used.
keys <pattern>
- Display all keys matching the glob-style pattern (not a regex). To see all keys use *. KEYS walks the whole keyspace and blocks the server while it does, so on a large production instance the incremental SCAN command is the quieter choice.
type <key>
- Displays the type of the value stored in the key: string, list, set, zset, or hash.
get <key>
- Print the value of the string key.
hgetall <key>
- Get all of the field/value pairs stored in the hash key.
hget <key> <field>
- Get the value of the specified field in the hash key (note the argument order: key first, then field).
The full list of supported commands can be found here: http://redis.io/commands. This list is all of the commands supported in the latest version of Redis. Some of the commands may not work in older versions.
In addition to redis-cli, you can also access a Redis server using a number of programming languages. A full list of Redis clients by language is available here: http://redis.io/clients.
To use the example script below you will need to install the redis-py library using pip install redis. If Pip is not installed you can install it on Kali using apt-get install python-pip.
```python
import redis

# decode_responses=True makes redis-py return str instead of bytes under
# Python 3; without it the comparison with 'hash' below never matches.
db = redis.StrictRedis(host='127.0.0.1', port=6379, decode_responses=True)

# If we have a hash key, print all of the fields and values.
for key in db.keys():
    if db.type(key) == 'hash':
        r = db.hgetall(key)
        print('--------')
        for k in r:
            print('Field: {0} Value: {1}'.format(k, r[k]))
        print('--------')
```
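The redis-py script above hides the wire protocol. The following is an added example (not the original post's script, and not redis-py code) that talks RESP, the Redis protocol, over a plain socket from the standard library: it encodes commands the way redis-cli does, parses the reply types the commands listed earlier return (simple strings, errors, integers, bulk strings, arrays), parses the INFO output into a dictionary, and walks the keyspace with SCAN instead of KEYS to collect every hash key's fields. It is useful when redis-py is not available on the box you are working from, and it shows what an AUTH failure looks like on the wire. The ScriptedSocket class and the replies in demo() are constructed stand-ins for a real server so the example runs offline; every other name here is the example's own.

```python
"""Minimal raw-socket Redis (RESP) client plus a SCAN-based hash dumper. Added example."""
import socket


class RedisError(Exception):
    """A '-...' reply from the server, e.g. NOAUTH when a password is set."""


class IncompleteReply(Exception):
    """The buffer does not yet hold one full RESP reply; read more bytes."""


def encode_command(*args):
    """Encode a command as a RESP array of bulk strings, exactly as redis-cli sends it."""
    out = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg if isinstance(arg, bytes) else str(arg).encode()
        out.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(out)


def parse_reply(buf):
    """Parse one RESP reply from the front of buf; return (value, remaining bytes)."""
    end = buf.find(b"\r\n")
    if end < 0:
        raise IncompleteReply()
    kind, line, rest = buf[:1], buf[1:end], buf[end + 2:]
    if kind == b"+":                      # simple string: +OK, +hash
        return line.decode(), rest
    if kind == b"-":                      # error: -NOAUTH Authentication required.
        return RedisError(line.decode()), rest
    if kind == b":":                      # integer
        return int(line), rest
    if kind == b"$":                      # bulk string; $-1 is a null reply
        n = int(line)
        if n < 0:
            return None, rest
        if len(rest) < n + 2:
            raise IncompleteReply()
        return rest[:n].decode(errors="replace"), rest[n + 2:]
    if kind == b"*":                      # array, elements parsed recursively
        n = int(line)
        if n < 0:
            return None, rest
        items = []
        for _ in range(n):
            item, rest = parse_reply(rest)
            items.append(item)
        return items, rest
    raise ValueError("unknown RESP type byte %r" % kind)


class RedisClient:
    """Runs commands over anything with sendall()/recv(): a real socket or a scripted one."""

    def __init__(self, sock):
        self.sock, self.buf = sock, b""

    def command(self, *args):
        self.sock.sendall(encode_command(*args))
        while True:
            try:
                value, self.buf = parse_reply(self.buf)
            except IncompleteReply:
                chunk = self.sock.recv(65536)
                if not chunk:
                    raise ConnectionError("server closed the connection")
                self.buf += chunk
                continue
            if isinstance(value, RedisError):
                raise value
            return value


def connect(host, port=6379, password=None, timeout=5):
    """Open a TCP connection; if a password is known (cf. redis-cli -a) send AUTH first."""
    client = RedisClient(socket.create_connection((host, port), timeout=timeout))
    if password is not None:
        client.command("AUTH", password)
    return client


def parse_info(text):
    """Turn the INFO reply ('key:value' lines, '#' section headers) into a dict."""
    info = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            info[key] = value
    return info


def dump_hashes(client, db=0, count=100):
    """Walk the keyspace with SCAN (incremental, unlike the blocking KEYS *) and
    return {key: {field: value}} for every hash key, like the redis-py script above."""
    client.command("SELECT", db)
    found, cursor = {}, "0"
    while True:
        cursor, keys = client.command("SCAN", cursor, "COUNT", count)
        for key in keys:
            if client.command("TYPE", key) == "hash":
                flat = client.command("HGETALL", key)        # [f1, v1, f2, v2, ...]
                found[key] = dict(zip(flat[::2], flat[1::2]))
        if cursor == "0":                                    # SCAN ends when cursor returns to 0
            return found


class ScriptedSocket:
    """Offline stand-in for a socket: hands back constructed RESP replies in order."""

    def __init__(self, replies):
        self.sent, self.replies = [], list(replies)

    def sendall(self, data):
        self.sent.append(data)

    def recv(self, _n):
        return self.replies.pop(0) if self.replies else b""


def demo():
    """Run dump_hashes against constructed replies: one session hash and one string key."""
    sock = ScriptedSocket([
        b"+OK\r\n",                                                        # SELECT 0
        b"*2\r\n$1\r\n0\r\n*2\r\n$6\r\nsess:1\r\n$7\r\ncounter\r\n",       # SCAN: cursor 0, two keys
        b"+hash\r\n",                                                      # TYPE sess:1
        b"*4\r\n$3\r\nuid\r\n$2\r\n42\r\n$4\r\nrole\r\n$5\r\nadmin\r\n",   # HGETALL sess:1
        b"+string\r\n",                                                    # TYPE counter
    ])
    return dump_hashes(RedisClient(sock))


if __name__ == "__main__":
    print(demo())    # against a live server: dump_hashes(connect("10.0.0.5", 6379))
```

Against a real target replace the scripted socket with connect(host, port) (or connect(host, port, password) once redis-brute has found the password); a NOAUTH reply surfaces as a RedisError on the first command, which is the quickest way to tell an open instance from a protected one.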
If you come across a Redis server that is password protected, there is an NSE script, redis-brute, that can be used to brute force the password. Redis checks AUTH very quickly and does not throttle failed attempts, so guessing is far more practical here than against most network services. Once you find the password you can connect to the server using redis-cli -h <host> -p <port> -a <password>.
Thanks @bonsaiviking for pointing out the redis-info NSE script. So if you are hunting specifically for Redis servers you can use something like this:
```
nmap -p 6379 --script=redis-info 127.0.0.1 --open
```
Which should yield results like this:
```
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-09-18 12:02 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000062s latency).
PORT     STATE SERVICE
6379/tcp open  unknown
| redis-info:
|   Version            2.8.17
|   Operating System   Linux 4.0.0-kali1-amd64 x86_64
|   Architecture       64 bits
|   Process ID         8020
|   Used CPU (sys)     0.04
|   Used CPU (user)    0.06
|   Connected clients  1
|   Connected slaves   0
|   Used memory        491.84K
|_  Role               master

Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds
```
You can also scan for Redis servers using Metasploit with the auxiliary/scanner/misc/redis_server module.
tags: python - Redis