rediergeon

v0.1.0
Published: Jun 18, 2025 License: MIT Imports: 17 Imported by: 0

README

A Comprehensive Pentest Suite for Redis.

Rediergeon is a powerful, all-in-one security auditing tool for Redis instances. Built in Go, it combines passive vulnerability scanning, credential brute-forcing, and active post-exploitation modules into a single, easy-to-use command-line interface.

It's designed for penetration testers, security auditors, and developers who need to quickly assess and secure their Redis deployments.

🛡️ Key Features

  • Multi-Faceted Auditing: Three distinct modes of operation:
    • scan: Passively scans for misconfigurations, known CVEs, and security weaknesses.
    • brute: Performs credential brute-force attacks with support for both password-only and user/password lists.
    • exploit: Executes active post-exploitation techniques for authorized testing scenarios.
  • Comprehensive Vulnerability Database: Detects a wide range of issues, from unauthenticated access to specific, version-based CVEs.
  • Advanced Target Control:
    • 🎯 Scan multiple targets from a file.
    • ⚡ Control concurrency and rate-limiting for large-scale scans.
    • 🤫 A --stealth mode for low-and-slow assessments.
  • Flexible Reporting:
    • 📄 Generate reports in multiple formats: text, json, csv, and xml.
    • 💾 Save reports to a file while simultaneously printing to stdout.
  • CI/CD Friendly: Designed for easy integration into automated security pipelines with a --silent mode and meaningful exit codes.
  • Modern & Secure: Supports TLS-enabled Redis instances.

🚨 Identified Vulnerabilities & Misconfigurations

Rediergeon can identify the following issues, providing clear PoCs and actionable recommendations for each.

| Finding ID | Severity | Description |
| --- | --- | --- |
| Authentication | | |
| RED-AUTH-001 | CRITICAL | The Redis server is accessible without a password. |
| CVEs | | |
| CVE-2022-0543 | CRITICAL | Lua Sandbox Escape (Debian/Ubuntu specific), leading to RCE. |
| CVE-2024-31449 | HIGH | Command execution via specially crafted CONFIG SET. |
| CVE-2024-31228 | HIGH | Uncontrolled recursion in MODULE LOAD could lead to DoS. |
| CVE-2024-51741 | HIGH | DoS via malformed ACL selector causing a server panic. |
| GHSA-r67f-p999-2gff | HIGH | Unauthenticated DoS via unlimited growth of client output buffers. |
| Configuration | | |
| RED-CFG-001 | MEDIUM | Protected mode is disabled, increasing exposure. |
| RED-CFG-002 | MEDIUM | Redis is bound to all network interfaces (0.0.0.0). |
| RED-CFG-003 | MEDIUM | Potentially dangerous commands are enabled (e.g., CONFIG, FLUSHALL). |
| RED-CFG-004 | INFO | Lua scripting (EVAL command) is enabled. |
| Exploitation | | Active capabilities of the exploit command |
| rce-webshell | CRITICAL | Attacker can write a web shell to a web-accessible directory. |
| rce-ssh | CRITICAL | Attacker can inject their SSH public key into authorized_keys. |
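
The authentication and configuration findings map onto a handful of redis.conf directives, so the same conditions can be checked from the defender's side before an instance is deployed. The following is an added example, not Rediergeon's code: the function name, the directive-to-ID mapping and the sample configuration are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// AuditConf returns the finding IDs from the table above that a redis.conf would
// trigger. Assumptions of this example: the directive-to-ID mapping, and that
// only requirepass counts as authentication (ACL users and files are ignored).
func AuditConf(conf string) []string {
	var hasPass, bindSeen, bindAll, protectedOff bool
	renamed := map[string]bool{}
	for _, line := range strings.Split(conf, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || strings.HasPrefix(f[0], "#") {
			continue
		}
		switch strings.ToLower(f[0]) {
		case "requirepass":
			hasPass = strings.Trim(f[1], `"'`) != ""
		case "protected-mode":
			protectedOff = strings.EqualFold(f[1], "no")
		case "bind": // the last bind line wins; a leading "-" marks an optional address
			bindSeen, bindAll = true, false
			for _, a := range f[1:] {
				a = strings.TrimPrefix(a, "-")
				bindAll = bindAll || a == "0.0.0.0" || a == "*"
			}
		case "rename-command":
			renamed[strings.ToUpper(f[1])] = true
		}
	}
	// With no bind directive Redis listens on every interface; CONFIG and
	// FLUSHALL are the two commands the table names for RED-CFG-003.
	hits := []bool{!hasPass, protectedOff, !bindSeen || bindAll, !renamed["CONFIG"] || !renamed["FLUSHALL"]}
	names := []string{"RED-AUTH-001", "RED-CFG-001", "RED-CFG-002", "RED-CFG-003"}
	var ids []string
	for i, hit := range hits {
		if hit {
			ids = append(ids, names[i])
		}
	}
	return ids
}

func main() {
	weak := "protected-mode no\nbind 0.0.0.0\n" // constructed sample
	fmt.Println(AuditConf(weak))
}
```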

⚙️ Installation

You need Go (version 1.18 or newer) installed and configured.

  1. Clone the repository:

    git clone https://github.com/Abhinandan-Khurana/Rediergeon.git
    cd Rediergeon
    
  2. Install dependencies:

    go mod tidy
    
  3. Build the executable:

    go build -o rediergeon .
    

⚙️ Direct Installation

```bash
go install -v github.com/Abhinandan-Khurana/rediergeon@latest
```

🚀 Usage

Rediergeon is structured around three main commands: scan, brute, and exploit.

scan: Vulnerability Scanning

```bash
# Scan a single host with default settings
./rediergeon scan --host 127.0.0.1

# Scan a password-protected Redis instance
./rediergeon scan --host my.redis.server -p "S3cur3P@ssw0rd!"

# Scan a list of targets from a file with 20 concurrent workers
./rediergeon scan -L targets.txt -c 20

# Run a slow, stealthy scan and save the report as JSON
./rediergeon scan -L targets.txt --stealth -o report.json -f json
```

brute: Credential Brute-Forcing

```bash
# Brute-force passwords for a target
./rediergeon brute --host 10.10.10.5 --pass-list common-passwords.txt

# Brute-force user/password pairs (for Redis 6+ ACLs)
./rediergeon brute --host 10.10.10.5 --user-list users.txt --pass-list passwords.txt -t 50
```

exploit: Active Exploitation

⚠️ DANGER ZONE These commands are intrusive and can be destructive. They will modify the target system or cause a denial of service. Only use them on systems you are explicitly authorized to test. The --confirm flag is mandatory.

```bash
# Attempt RCE by writing a PHP web shell
./rediergeon exploit rce-webshell --host 10.10.10.5 --web-root /var/www/html --confirm

# Attempt RCE by injecting an SSH key
./rediergeon exploit rce-ssh --host 10.10.10.5 --user-home /home/redis --ssh-key-file ~/.ssh/id_rsa.pub --confirm

# Dump the first 10 keys and their values
./rediergeon exploit dump-data --host 10.10.10.5 -p "RedisP@ss!" --sample-size 10 --confirm
```

📄 Output Formats & Examples

Text Output Example

```text
--------------------------------------------------------------------------------
Scan Report for Target: 127.0.0.1:6379
Timestamp: 2023-10-27T10:30:00Z
Status: Scan Completed

[CRITICAL] [RED-AUTH-001] The Redis server is accessible without a password.
  - PoC:          Successfully connected and executed 'PING' without authentication.
  - Recommendation: Set a strong password in redis.conf via 'requirepass'. Bind Redis to a trusted interface via 'bind 127.0.0.1' and enable 'protected-mode yes'.

[HIGH] [CVE-2022-0543] Vulnerable to Lua Sandbox Escape (CVE-2022-0543), allowing Remote Code Execution.
  - PoC:          Executed 'id' command via a malicious Lua script. Server response: uid=999(redis) gid=999(redis) groups=999(redis)
  - Recommendation: This is a packaging vulnerability in Debian/Ubuntu. Ensure your host system and Redis packages are fully updated. Run Redis as an unprivileged user and restrict access to the 'EVAL' command.

[MEDIUM] [RED-CFG-003] Potentially dangerous command 'CONFIG' is enabled and not renamed.
  - PoC:          The 'CONFIG' command was found in the output of the 'COMMAND' command.
  - Recommendation: If not essential, rename or disable the 'CONFIG' command in redis.conf to prevent misuse: `rename-command CONFIG ""`.
```

JSON Output Example

```json
{
  "results": [
    {
      "Target": "127.0.0.1:6379",
      "Timestamp": "2023-10-27T10:30:00Z",
      "Status": "Scan Completed",
      "findings": [
        {
          "id": "RED-AUTH-001",
          "severity": "CRITICAL",
          "description": "The Redis server is accessible without a password.",
          "proof_of_concept": "Successfully connected and executed 'PING' without authentication.",
          "recommendation": "Set a strong password in redis.conf via 'requirepass'. Bind Redis to a trusted interface via 'bind 127.0.0.1' and enable 'protected-mode yes'."
        },
        {
          "id": "CVE-2022-0543",
          "severity": "CRITICAL",
          "description": "Vulnerable to Lua Sandbox Escape (CVE-2022-0543), allowing Remote Code Execution.",
          "proof_of_concept": "Executed 'id' command via a malicious Lua script. Server response: uid=999(redis) gid=999(redis) groups=999(redis)",
          "recommendation": "This is a packaging vulnerability in Debian/Ubuntu. Ensure your host system and Redis packages are fully updated. Run Redis as an unprivileged user and restrict access to the 'EVAL' command."
        }
      ]
    }
  ]
}
```

🔄 CI/CD Integration

Rediergeon is built for automation. You can integrate it into your CI/CD pipeline (e.g., GitHub Actions, GitLab CI) to scan your Redis instances on every build or deployment.

Key features for automation:

  • --silent: Suppresses all non-essential output, making logs clean.
  • Exit Codes:
    • 0: Scan completed, no vulnerabilities found.
    • 1: Scan completed, vulnerabilities were found OR an error occurred.

Example GitHub Actions Workflow

This workflow scans a Redis instance and fails the build if vulnerabilities are found.

```yaml
name: Redis Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  redis-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Set up Go
        uses: actions/setup-go@v4
        with:
          go-version: "1.21"

      - name: Build Rediergeon
        run: go build -v -o rediergeon .

      - name: Run Rediergeon Scan
        # Use --silent for clean logs and -f json to save a machine-readable artifact.
        # A non-zero exit code fails this step and therefore the job.
        # Secrets are passed through env so their contents are never spliced into the script text.
        env:
          REDIS_HOST: ${{ secrets.REDIS_HOST }}
          REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
        run: |
          ./rediergeon scan \
            --host "$REDIS_HOST" \
            -p "$REDIS_PASSWORD" \
            --silent \
            -f json -o redis-report.json

      - name: Upload Scan Artifact
        if: always() # Upload the report even when the scan step failed
        uses: actions/upload-artifact@v4
        with:
          name: redis-security-report
          path: redis-report.json
```
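
Exit code 1 covers both findings and errors, so a pipeline that wants a severity threshold has to read the JSON report itself. The following is an added example, not part of Rediergeon: the field names come from the JSON output example above, while the `Gate` function, the severity ordering and the rule that any Status other than "Scan Completed" blocks the build are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Report mirrors the JSON output example on this page; no other fields are assumed.
type Report struct {
	Results []struct {
		Target   string
		Status   string
		Findings []struct {
			ID       string `json:"id"`
			Severity string `json:"severity"`
		} `json:"findings"`
	} `json:"results"`
}

var rank = map[string]int{"INFO": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

// Gate lists what should block a pipeline: findings at or above min, plus
// targets whose scan did not complete. Unknown severities fail closed.
func Gate(raw []byte, min string) ([]string, error) {
	var r Report
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	if len(r.Results) == 0 {
		return nil, fmt.Errorf("report contains no results")
	}
	var block []string
	for _, t := range r.Results {
		if t.Status != "Scan Completed" {
			block = append(block, t.Target+": "+t.Status)
		}
		for _, f := range t.Findings {
			if lvl, ok := rank[f.Severity]; !ok || lvl >= rank[min] {
				block = append(block, t.Target+": "+f.ID)
			}
		}
	}
	return block, nil
}

func main() {
	// Constructed sample in the shape of the JSON output example.
	sample := []byte(`{"results":[{"Target":"127.0.0.1:6379","Status":"Scan Completed","findings":[{"id":"RED-CFG-004","severity":"INFO"},{"id":"RED-AUTH-001","severity":"CRITICAL"}]}]}`)
	fmt.Println(Gate(sample, "HIGH"))
}
```

A wrapper that exits non-zero when `Gate` returns an error or a non-empty list keeps the fail-on-error behaviour of the tool's exit code while ignoring findings below the threshold.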

Crafted with ❤️ by Abhinandan-Khurana
