Redis Scanner Workflow
1. Framework Initialization
Redis ASCII Logo:
Display the Redis ASCII logo upon startup.
Dynamic CVE Table:
Directly beneath the logo, present a dynamically updated Redis Known CVEs Table listing
Redis versions and their corresponding CVEs (fetched from the CVE database).
In the last row of the table, show the latest version of Redis, obtained from the GitHub API
for the latest release. List old versions and their associated CVEs.
https://api.github.com/repos/redis/redis/releases/latest
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Redis
Interactive Menu:
Present an interactive menu with options:
Scan Redis Server
Scan Web Application
Full Scan (Redis + Web Application)
Help/Documentation
Exit
2. User Options and Parameter Setup
Module Selection:
After choosing a scanning mode, display available modules (e.g., unencrypted
communication, session management, input sanitization).
The displayed modules should be specific to the scanning mode chosen by the user in the
interactive menu. This ensures the user sees only the relevant modules, avoiding confusion and
improving efficiency.
For example:
If the user selects Scan Redis Server, the framework will display only Redis-specific
scanning modules.
If the user selects Scan Web Application, only the web application pages discovered by
crawling and directory brute-forcing will appear.
If the user selects Full Scan, the framework will display both Redis scanning modules
and web application available pages, with a clear distinction between the two categories.
Include a short description for each module to improve clarity.
Set Parameters:
Prompt the user to set module-specific parameters (e.g., target IP, port, action type).
Validate input immediately. If invalid parameters are detected:
List Function:
When the user types ‘list’ in the command-line interface, it shows all the available
modules in the scanner framework.
Add one function: module parameter listing, laid out evenly, with a description for the user.
Search Function:
If the keyword is missing: Error: "Search requires a keyword."
If the keyword is invalid: "Error: No modules found for the keyword '<keyword>'.
Please try again."
Action Function:
Error: "Invalid action mode '<input>'. Valid modes are: 'scan', 'exploit', 'analyze'."
Remove NETWORK_RANGE parameter from all scanning modules as it's unnecessary.
Color-coded responses for successful, error and failed exploits, plus a CLI auto-complete
function. (Add one function)
- All output from successful jobs is printed in green.
- All error responses and output from failed jobs are printed in red.
- Command auto-completion for all scanning module parameters and commands
(Tab key usable).
3. Web Application Interaction
Web Crawling & Brute Forcing:
Automatically initiate web crawling and directory brute-forcing.
Log all discovered PHP pages and their paths.
Vulnerability Scanning:
Scan each PHP page for vulnerabilities like:
Insecure Session Management
Inadequate Input Sanitization
Insecure File Upload Handling
Report each vulnerability with the exact page name and type of vulnerability.
If vulnerabilities are detected, move to exploitation (next step).
If no vulnerabilities are found, interact with the Redis server directly.
Exploitation:
If web application vulnerabilities are detected:
Move to the Exploitation step and target the Redis server via the vulnerable web interface.
If no web application vulnerabilities are detected:
Proceed directly to Redis server interaction for scanning and testing.
Report successful exploits and mitigation strategies in a detailed summary.
4. Redis Server Interaction
Separate Redis-related scans from web application scans to reduce duplication.
For each Redis scanning module:
Check for configurations such as:
Lack of authentication (unauthenticated access).
Unencrypted communication (no TLS configuration).
Memory misconfiguration.
High-risk commands exposure.
In-memory data manipulation.
Insecure module loading.
Log results in a user-friendly format.
5. Error Handling Improvements
Search Function:
Display appropriate error messages for missing or invalid keywords.
Action Function:
Display errors for invalid action modes with a list of valid options.
6. Reporting
After completing scans:
Present a detailed Summary Report:
Vulnerable web pages with vulnerabilities listed.
Redis vulnerabilities with recommended mitigation steps.
Option to save the report in a user-friendly format (e.g., PDF).
7. Modular Workflow for Scalability
User Efficiency:
Enable users to select scanning modes independently (e.g., scan Redis server only or web
application only).
Customize scans (e.g., skip certain pages or ports). Customizing scans allows users to
define specific parameters or exclude certain aspects of the scanning process to focus on their
primary objectives.
For example:
Selective Page Scanning:
Users can specify particular web pages or directories to scan, skipping unrelated or non-
critical pages. If a user knows that vulnerabilities are likely in login.php and commands.php, they
can direct the scanner to focus only on those pages.
Target-Specific Ports:
When scanning Redis servers, users can specify which ports to target, avoiding scanning
default ports unnecessarily. A user may want to scan only Redis ports like 6380 or 6379.
Streamline user interaction with dynamic menus and contextual help.
Module Naming: Ensure all modules have unique and descriptive names to avoid duplication
and confusion.
8. Vulnerability Prioritization
Start with Unencrypted Communication Module:
Begin scanning with the unencrypted communication module.
Allow users to select server ports after analyzing network traffic.
Add Functionality:
Scan web applications to detect specific vulnerable PHP pages. Add one function to choose
the port at run time with a yes/no prompt (after sending traffic to the Redis server).
Clearly list vulnerabilities with descriptions (e.g., "Insecure Session Management on page
login.php").
Remove Exploit Function:
Exclude the exploit function from the unencrypted communication module for a cleaner,
focused scanning process.
9. Testing and Demonstration
Default and Hardened Configurations:
Test the scanner with both default and hardened Redis server configurations to ensure
comprehensive coverage.
10. Exit
Ensure the framework exits successfully, saving all logs and reports automatically in a
predefined directory.
Add one function: quit (exits the framework entirely) and exit (returns from the current menu
to the previous step).
Redis Version CVE List
Redis Scanner Workflow
1. Framework Initialization
Startup Process:
The framework.py file is executed.
Displays the Redis ASCII Logo and dynamically updates a CVE Table with known vulnerabilities
and their associated Redis versions.
Interactive menu options appear:
Scan Redis Server
Scan Web Application
Full Scan (Redis + Web Application)
Help/Documentation
Exit
Dynamic Module Loading:
The load_modules function dynamically loads all scanning modules from the modules directory.
Modules are identified by their .py extension, and each module is instantiated as a ScannerModule
object.
2. User Options and Parameter Setup
Module Selection:
User chooses a scanning mode from the menu.
Based on the mode:
Redis Server Mode: Displays Redis-specific modules.
Web Application Mode: Displays web application modules after crawling and brute-forcing to
identify PHP pages.
Full Scan Mode: Displays all modules with clear separation between Redis and web application
modules.
Setting Parameters:
User configures parameters for the selected module:
Examples: TARGET, PORT, ACTION, etc.
Parameters are validated:
Invalid inputs result in clear error messages (e.g., "Invalid action mode '<input>'. Valid modes are:
'scan', 'exploit', 'analyze'").
Additional Features:
Search Function:
User can search for modules by keyword.
Returns matching modules or an error message if no matches are found.
Command Auto-Complete:
Provides auto-completion for module commands and parameters.
Output Color Coding:
Green: Successful actions.
Red: Errors or failures.
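A sketch of the parameter validation and module search described in this section, as an added example (not the framework's own code). The function names, the module registry and the TARGET and PORT error wording are assumptions; the ACTION and search messages are the ones quoted in this workflow.

```python
import ipaddress

VALID_ACTIONS = ("scan", "exploit", "analyze")  # modes named in the workflow

# Constructed module registry; names and descriptions are illustrative only.
MODULES = {
    "redis_unencrypted_comm": "Detects Redis traffic sent without TLS",
    "redis_broken_auth": "Checks requirepass and bind settings",
    "web_session_mgmt": "Flags insecure session management on PHP pages",
}

def validate_param(name, value):
    """Return (ok, normalized value or error message) for one parameter."""
    name, value = name.upper(), value.strip()
    if name == "TARGET":
        try:
            return True, str(ipaddress.ip_address(value))
        except ValueError:
            return False, f"Invalid target IP '{value}'."  # assumed wording
    if name == "PORT":
        # isascii() rejects Unicode digits that isdigit() accepts but int() cannot parse
        if value.isascii() and value.isdigit() and 1 <= int(value) <= 65535:
            return True, int(value)
        return False, f"Invalid port '{value}'. Valid range is 1-65535."  # assumed wording
    if name == "ACTION":
        if value.lower() in VALID_ACTIONS:
            return True, value.lower()
        modes = ", ".join(f"'{m}'" for m in VALID_ACTIONS)
        return False, f"Invalid action mode '{value}'. Valid modes are: {modes}."
    return False, f"Unknown parameter '{name}'."

def search_modules(keyword):
    """Return (matches, error); error is None when at least one module matches."""
    raw = keyword.strip()
    if not raw:
        return [], "Search requires a keyword."
    key = raw.lower()
    hits = sorted(n for n, d in MODULES.items() if key in n.lower() or key in d.lower())
    if not hits:
        return [], f"Error: No modules found for the keyword '{raw}'. Please try again."
    return hits, None
```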
3. Web Application Interaction
Web Crawling and Brute-Forcing:
Crawls the target web application to identify PHP pages.
Brute-forces directories using a predefined wordlist (common_php_pages.txt).
Vulnerability Scanning:
Scans discovered PHP pages for:
Insecure Session Management
Inadequate Input Sanitization
Insecure File Upload Handling
Reports each vulnerability with the exact page name and type.
Conditional Workflow:
If vulnerabilities are detected:
The scanner proceeds to exploit the Redis server via the vulnerable web interface.
If no vulnerabilities are found:
The scanner directly interacts with the Redis server for further scanning.
4. Redis Server Interaction
Module-Specific Scans:
Each Redis scanning module performs targeted scans for:
Unencrypted Communication:
Detects lack of TLS.
Analyzes captured traffic (unencrypted_traffic.pcap).
Memory Misconfiguration:
Checks for maxmemory settings.
Exploits DoS vulnerabilities by sending large key-value pairs.
High-Risk Commands:
Identifies commands like FLUSHALL, CONFIG, and MODULE for potential misuse.
Broken Authentication:
Checks for misconfigurations in requirepass and bind settings.
Command Execution:
Executes Redis commands via modules like redis_broken_auth.py and redis_danger.py.
Logs results to help identify misconfigurations or high-risk operations.
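The configuration checks in this section can also be run offline against the text of a redis.conf file and paired with mitigations for the report. This is an added example, not code from the framework: the function names, the two constructed sample configurations and the finding texts (other than the requirepass mitigation) are assumptions, and a missing bind directive is treated as listening on all interfaces.

```python
HIGH_RISK = ("FLUSHALL", "CONFIG", "MODULE")   # commands named in the workflow
WILDCARDS = {"*", "0.0.0.0", "::", "::*"}      # bind values meaning "all interfaces"

# Constructed sample configurations (not taken from a real server).
DEFAULT_CONF = "bind 0.0.0.0\nport 6379\nprotected-mode no\n"
HARDENED_CONF = """\
bind 127.0.0.1 -::1
port 0
tls-port 6380
requirepass "<placeholder-secret>"
maxmemory 256mb
rename-command FLUSHALL ""
rename-command CONFIG ""
rename-command MODULE ""
"""

def parse_conf(text):
    """Map directive -> list of argument lists (whitespace split, quotes stripped)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            conf.setdefault(name.lower(), []).append([a.strip("\"'") for a in args])
    return conf

def last(conf, name, default=""):
    """First argument of the last occurrence of a directive, else the default."""
    rows = conf.get(name)
    return rows[-1][0] if rows and rows[-1] else default

def audit(text):
    """Return a list of (finding, mitigation) pairs for one redis.conf text."""
    conf, out = parse_conf(text), []
    if not last(conf, "requirepass"):
        out.append(("Lack of authentication", "Enable requirepass to secure the Redis server."))
    if {a.lstrip("-") for row in conf.get("bind", [["*"]]) for a in row} & WILDCARDS:
        out.append(("Listening on all interfaces", "Bind only to trusted addresses."))
    if last(conf, "tls-port", "0") == "0" or last(conf, "port", "6379") != "0":
        out.append(("Unencrypted communication", "Set tls-port and disable plaintext with 'port 0'."))
    if last(conf, "maxmemory", "0") == "0":
        out.append(("Memory misconfiguration", "Set a maxmemory limit and eviction policy."))
    exposed = [c for c in HIGH_RISK
               if c not in {r[0].upper() for r in conf.get("rename-command", []) if r}]
    if exposed:
        out.append(("High-risk commands exposed: " + ", ".join(exposed),
                    "Rename or disable them with rename-command."))
    return out
```

Running audit() on both samples mirrors the default-versus-hardened test in section 9: the permissive sample yields five findings and the hardened one yields none.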
5. Exploitation Phase
Vulnerable Web Interface Exploitation:
Injects payloads into vulnerable web pages to interact with Redis commands (commands.php).
Tests command availability and logs responses (e.g., whether commands are renamed or disabled).
Direct Exploitation:
If no web vulnerabilities are found, modules directly execute Redis commands to check for:
Authentication bypass.
Data manipulation.
Configuration exposure.
Logging and Mitigation:
Logs successful exploits and recommends mitigation strategies:
Example: "Enable requirepass to secure the Redis server."
6. Reporting
Summary Report:
Generates a report summarizing:
Vulnerable web pages and their types of vulnerabilities.
Redis server misconfigurations and vulnerabilities.
Includes mitigation steps.
Output Format:
Saves reports in a user-friendly format (e.g., PDF or plain text).
7. Modular Workflow for Scalability
Customizable Scans:
Users can:
Skip specific pages or ports.
Selectively enable modules.
For example:
Limit scans to login.php and commands.php.
Target only Redis ports 6379 and 6380.
Dynamic Module Management:
Modules can be added or removed without modifying the core framework.
8. Vulnerability Prioritization
Unencrypted Communication:
Prioritizes identifying unencrypted communication (e.g., missing TLS).
Allows users to select server ports based on traffic analysis.
Port Selection During Execution:
Provides runtime options for scanning additional ports after initial traffic analysis.
9. Testing and Demonstration
Configuration Testing:
Tests the scanner on:
Default Redis server configurations.
Hardened configurations with improved security settings.
Ensures the scanner detects vulnerabilities in both scenarios.
10. Exit
Quit vs. Exit:
Quit: Fully exits the framework.
Exit: Returns to the previous menu or step.
Log Management:
Ensures all logs and reports are saved before exiting.