5439 - Redshift
💡 Study tip: This document describes penetration testing methods for 5439 - Redshift and is intended as a reference for information security beginners and practitioners.
⚠️ Legal notice: This document is for learning and authorized testing only. Unauthorized testing of systems may violate laws and regulations.
5439 - Pentesting Redshift
Basic Information
This port is used by Amazon Redshift (the AWS managed data warehouse). The Redshift wire protocol is a slightly modified PostgreSQL protocol, so most Postgres client tooling works (psql, psycopg2, JDBC/ODBC), but the authentication and TLS requirements differ.
For more information check:
https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.html
Enumeration & Connectivity
- Default port: 5439/TCP (customizable). Serverless workgroups also default to 5439.
- Public endpoint pattern: `<clusterid>.<random>.<region>.redshift.amazonaws.com` (public) or `.redshift.amazonaws.com.cn` (China). Serverless: `<workgroup>.<random>.<region>.redshift-serverless.amazonaws.com`.
- TLS: Redshift requires TLS 1.2+ and perfect-forward-secrecy ciphers. Old clients may fail; force modern TLS on the client side.
- Parameter group: `require_ssl` controls whether plaintext is allowed. New clusters/workgroups use `default.redshift-2.0` with `require_ssl=true`, so downgrade/MITM is harder.
Quick enum with psql
Errors differentiate bad password vs missing user → potential username enumeration during brute force.
Authentication paths to test
- Database password for the master user (often named `awsuser`) or for created DB users.
- IAM auth tokens: generate short-lived credentials and connect via libpq/JDBC/ODBC using `sslmode=require` and `authMech=IAM` or `plugin_name=com.amazon.redshift.plugin.OktaCredentialsProvider`. Abuse stolen IAM creds/roles with the Redshift equivalent of an `rds-db:connect`-style permission.
- IAM Identity Center / SAML / Azure AD plugins: the JDBC `plugin_name` may spin up a local web server for SSO; a captured loopback callback can leak the SAML assertion or temporary credentials.
Common misconfigurations (network)
- Cluster marked PubliclyAccessible=true with wide-open SG (0.0.0.0/0) exposes Postgres-like surface for brute force or SQLi exploitation.
- Default port 5439 plus the default SG allows easy discovery (Shodan/Censys). Changing the port is minor obscurity but is sometimes overlooked in hardening checklists.
- No enhanced VPC routing → COPY/UNLOAD go over public Internet; can be abused for exfil when attacker controls S3 bucket/endpoint.
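The network misconfigurations in this list and the parameter-group settings above (`require_ssl`, `enable_user_activity_logging`, public accessibility, enhanced VPC routing) can be checked offline from API output. The following is an added example, not HackTricks or AWS code: it takes the plain dicts that boto3's `describe_clusters`, `describe_cluster_parameters` and `describe_security_groups` return and flags the weak settings. The sample cluster, parameters and security group are constructed, and the endpoint regexes are an assumption derived from the hostname patterns listed above.

```python
"""Offline audit of Redshift cluster settings (added example, not AWS or
HackTricks code). Functions take the dicts returned by boto3's
describe_clusters, describe_cluster_parameters and describe_security_groups,
so they run here on constructed sample data and on real API output alike."""
import re

# Endpoint shapes from the page: <id>.<random>.<region>.redshift.amazonaws.com[.cn]
# and <workgroup>.<random>.<region>.redshift-serverless.amazonaws.com (assumed regexes).
PROVISIONED_RE = re.compile(
    r"^(?P<cluster>[^.]+)\.[^.]+\.(?P<region>[^.]+)\.redshift\.amazonaws\.com(\.cn)?$")
SERVERLESS_RE = re.compile(
    r"^(?P<workgroup>[^.]+)\.[^.]+\.(?P<region>[^.]+)\.redshift-serverless\.amazonaws\.com$")


def classify_endpoint(host):
    """Return (kind, name, region) for a Redshift hostname, or None if not one."""
    m = PROVISIONED_RE.match(host)
    if m:
        return ("provisioned", m["cluster"], m["region"])
    m = SERVERLESS_RE.match(host)
    if m:
        return ("serverless", m["workgroup"], m["region"])
    return None


def sg_open_to_world(security_groups, port):
    """True if any inbound rule lets 0.0.0.0/0 or ::/0 reach `port` over TCP."""
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("-1", "tcp"):
                continue
            lo = perm.get("FromPort", 0 if proto == "-1" else None)
            hi = perm.get("ToPort", 65535 if proto == "-1" else None)
            if lo is None or hi is None or not (lo <= port <= hi):
                continue
            ranges = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            ranges += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
            if "0.0.0.0/0" in ranges or "::/0" in ranges:
                return True
    return False


def audit_cluster(cluster, parameters, security_groups):
    """Return a list of finding strings for one provisioned cluster."""
    findings = []
    port = cluster.get("Endpoint", {}).get("Port", 5439)
    params = {p["ParameterName"]: str(p.get("ParameterValue", "")) for p in parameters}
    if cluster.get("PubliclyAccessible"):
        findings.append("publicly accessible endpoint")
        if sg_open_to_world(security_groups, port):
            findings.append(f"security group allows 0.0.0.0/0 to port {port}")
    if params.get("require_ssl", "false").lower() != "true":
        findings.append("require_ssl is not true (plaintext connections allowed)")
    if params.get("enable_user_activity_logging", "false").lower() != "true":
        findings.append("user activity logging disabled")
    if not cluster.get("EnhancedVpcRouting", False):
        findings.append("enhanced VPC routing off (COPY/UNLOAD traverse the public Internet)")
    if not cluster.get("Encrypted", False):
        findings.append("cluster storage not encrypted")
    return findings


def audit_live(region, cluster_id):
    """Same checks against a real account (needs boto3 and credentials; first
    page of parameters only). Not executed by the offline sample below."""
    import boto3  # imported lazily so the offline sample runs without it
    rs = boto3.client("redshift", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    cluster = rs.describe_clusters(ClusterIdentifier=cluster_id)["Clusters"][0]
    group = cluster["ClusterParameterGroups"][0]["ParameterGroupName"]
    params = rs.describe_cluster_parameters(ParameterGroupName=group)["Parameters"]
    sg_ids = [g["VpcSecurityGroupId"] for g in cluster.get("VpcSecurityGroups", [])]
    sgs = ec2.describe_security_groups(GroupIds=sg_ids)["SecurityGroups"] if sg_ids else []
    return audit_cluster(cluster, params, sgs)


# Constructed sample data shaped like the three API responses.
SAMPLE_CLUSTER = {
    "ClusterIdentifier": "legacy-dw",
    "Endpoint": {"Address": "legacy-dw.abc123.us-east-1.redshift.amazonaws.com", "Port": 5439},
    "PubliclyAccessible": True, "EnhancedVpcRouting": False, "Encrypted": True,
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123"}],
}
SAMPLE_PARAMS = [
    {"ParameterName": "require_ssl", "ParameterValue": "false"},
    {"ParameterName": "enable_user_activity_logging", "ParameterValue": "false"},
]
SAMPLE_SGS = [{"GroupId": "sg-0123", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}]

if __name__ == "__main__":
    print(classify_endpoint(SAMPLE_CLUSTER["Endpoint"]["Address"]))
    for finding in audit_cluster(SAMPLE_CLUSTER, SAMPLE_PARAMS, SAMPLE_SGS):
        print("FINDING:", finding)
```

A cluster that passes every check returns an empty list; the sample above, which mirrors a legacy public cluster on the old default parameter group, yields five findings. `audit_live` paginates nothing and looks at the first parameter group only, which is enough for the usual single-group cluster.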
Attack notes
- If login succeeds: Redshift has no superuser in serverless; in provisioned clusters the master user has broad rights, including creating UDFs (Python), external schemas to Spectrum, `COPY` from attacker-controlled S3, and `UNLOAD` to exfil data.
- Check the cluster parameter group for `max_concurrency_scaling_clusters`, `require_ssl`, `enable_user_activity_logging`; disabled logging aids stealth.
- Serverless workgroups are still reachable via TCP; same SQL attack surface as provisioned clusters.
- Client-side metadata SQLi (Dec 2024): JDBC 2.1.0.31, Python connector 2.1.4 and ODBC 2.1.5.0 build metadata queries with unquoted user input in `getSchemas`/`getTables`/`getColumns` (CVE-2024-12744/5/6). If an app lets attackers control the catalog or pattern arguments, they can inject arbitrary SQL that runs as the DB user the connector authenticates with.
- UDF execution model change: Python UDFs stop working June 30, 2026; only Lambda UDFs are allowed after that. Offensive impact: legacy provisioned clusters still run Python UDFs for in-cluster code execution (no filesystem/network access). Lambda UDFs move the code to Lambda, where the function's IAM role may reach the Internet or VPC endpoints for SSRF/pivoting but has no direct cluster filesystem access. Hunting old clusters with Python UDFs enabled can still yield RCE primitives.
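For the connector metadata bug above, the defensive point is that catalog and pattern arguments must never be spliced into SQL text. The following is an added example, not code from the Redshift connectors: it places the concatenation anti-pattern beside a parameterized builder with an input allow-list, and runs both against a constructed in-memory catalog via Python's sqlite3 (a stand-in for `pg_tables`; with redshift_connector or psycopg2 the same parameterized statement uses `%s` placeholders). The allow-list regex is an assumed policy.

```python
"""Safe construction of catalog/metadata queries (added example, not the
Redshift connectors' code). sqlite3 is an offline stand-in for the
catalog; the pg_tables rows below are constructed sample data."""
import re
import sqlite3

# Defence in depth: schema/table *patterns* only need identifier characters
# plus the LIKE wildcards. Reject anything else before it nears a query
# (assumed policy; widen the class if your schemas need it).
PATTERN_RE = re.compile(r"^[A-Za-z0-9_%.]*$")


def is_safe_pattern(value):
    return bool(PATTERN_RE.match(value))


def build_tables_query_unsafe(schema_pattern, table_pattern):
    """The anti-pattern behind the connector CVEs: values spliced into SQL."""
    return ("SELECT schemaname, tablename FROM pg_tables "
            f"WHERE schemaname LIKE '{schema_pattern}' "
            f"AND tablename LIKE '{table_pattern}'")


def build_tables_query_safe(schema_pattern, table_pattern, placeholder="%s", strict=True):
    """Return (sql, params): values travel as bound parameters, never as SQL
    text. redshift_connector/psycopg2 use %s placeholders; sqlite3 uses ?.
    With strict=True the allow-list rejects suspicious input up front."""
    if strict:
        for value in (schema_pattern, table_pattern):
            if not is_safe_pattern(value):
                raise ValueError(f"rejected pattern argument: {value!r}")
    sql = ("SELECT schemaname, tablename FROM pg_tables "
           f"WHERE schemaname LIKE {placeholder} AND tablename LIKE {placeholder}")
    return sql, (schema_pattern, table_pattern)


def sample_catalog():
    """Constructed stand-in for the catalog view the connectors query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pg_tables (schemaname TEXT, tablename TEXT)")
    conn.executemany("INSERT INTO pg_tables VALUES (?, ?)", [
        ("public", "orders"), ("public", "customers"), ("finance", "salaries")])
    return conn


def list_tables(schema_pattern, table_pattern, safe=True, strict=True):
    """Run the metadata query on the sample catalog and return matching rows."""
    conn = sample_catalog()
    try:
        if safe:
            sql, params = build_tables_query_safe(schema_pattern, table_pattern, "?", strict)
            return conn.execute(sql, params).fetchall()
        return conn.execute(build_tables_query_unsafe(schema_pattern, table_pattern)).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    print(list_tables("public", "%"))  # the legitimate call
    try:
        # A single quote in user input is enough to break the spliced SQL.
        list_tables("public", "o'brien%", safe=False)
    except sqlite3.OperationalError as e:
        print("unsafe builder produced invalid SQL:", e)
    # Bound parameters treat the same input as a plain literal ...
    print(list_tables("public", "o'brien%", strict=False))
    try:
        # ... and the allow-list rejects it before any query is built.
        list_tables("public", "o'brien%")
    except ValueError as e:
        print("safe builder:", e)
```

The upgrade to fixed connector versions is the primary mitigation; the pattern here is what application code should do regardless of connector version, since the same splice happens whenever an app builds its own catalog queries from request parameters.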
Recent security changes (offense impact)
- Public access disabled by default on new clusters/snapshots (Jan 10, 2025 change). Legacy ones may still be public.
- Encryption at rest + enforced TLS by default make sniffing/MITM harder; valid credentials or SSRF into the VPC path are needed.
- Serverless VPCE rollout change (Jun 27, 2025): workgroup endpoints created in up to 3 AZs at creation time. Discovery tools should enumerate all workgroup VPCE DNS names per AZ to find reachable IPs.