---
title: "5439 - Redshift"
weight: 5439
date: "2026-03-10T10:03:28+08:00"
lastmod: "2026-03-10T13:26:55+08:00"
---

💡 **Learning note**: This document covers penetration testing methods for **5439 - Redshift** and is intended as a reference for information security beginners and practitioners.

⚠️ **Legal notice**: This document is for learning and authorized testing only. Testing systems without authorization may violate laws and regulations.

---

## 5439 - Pentesting Redshift

### Basic Information

This port is used by **Amazon Redshift** (the AWS managed data warehouse). The Redshift wire protocol is a slightly modified **PostgreSQL** protocol, so most Postgres client tooling works (psql, psycopg2, JDBC/ODBC), but the authentication and TLS requirements differ.

For more information check:

https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.html

### Information Gathering & Connectivity

- Default port: **5439/TCP** (customizable). Serverless workgroups also default to 5439.
- Public endpoint pattern: `<clusterid>.<random>.<region>.redshift.amazonaws.com` (public) or `.redshift.amazonaws.com.cn` (China). Serverless: `<workgroup>.<random>.<region>.redshift-serverless.amazonaws.com`.
- **TLS**: Redshift requires TLS 1.2+ and perfect-forward-secrecy ciphers. Old clients may fail; make sure the client negotiates TLS:
  ```bash
  psql "host=<endpoint> port=5439 user=awsuser dbname=dev sslmode=require"
  # or use the redshift-psql wrapper
  ```
- **Parameter group `require_ssl`** controls whether plaintext connections are allowed. New clusters/workgroups use `default.redshift-2.0` with `require_ssl=true`, so downgrade/MITM is harder.

#### Quick enum with psql

```bash
## basic banner/version
psql "host=<endpoint> user=<u> dbname=dev" -c 'select version();'
```

```sql
-- inside the psql session: list dbs, users, privileges and active sessions
\l
\du
select * from pg_user;
select * from svv_redshift_sessions;
```
Error messages differ for a bad password vs. a non-existent user, which enables **username enumeration** during brute force.

### Authentication paths to test

- **Database password** for the master user (often named `awsuser`) or for created DB users.
- **IAM auth tokens**: generate short-lived credentials and connect via libpq/JDBC/ODBC using `sslmode=require` and `authMech=IAM` or `plugin_name=com.amazon.redshift.plugin.OktaCredentialsProvider`. Abuse stolen IAM creds/roles that hold the Redshift equivalent of `rds-db:connect` (`redshift:GetClusterCredentials`).
  ```bash
  aws redshift get-cluster-credentials --cluster-identifier <id> \
      --db-user pentest --db-name dev --duration-seconds 900
  # the returned DbUser is prefixed ("IAM:pentest"); use it verbatim together with the DbPassword token
  psql "host=<endpoint> user=IAM:pentest password=<token> dbname=dev sslmode=require"
  ```
- **IAM Identity Center / SAML / Azure AD plugins**: the JDBC `plugin_name` may spin up a local webserver for SSO; a captured loopback callback can leak the SAML assertion or temporary creds.

### Common misconfigurations (network)

- A cluster marked **PubliclyAccessible=true** with a wide-open SG (0.0.0.0/0) exposes a Postgres-like surface for brute force or SQLi exploitation.
- **Default port 5439** plus the default SG allows easy discovery (Shodan/Censys). Changing the port is minor obscurity but is sometimes overlooked in hardening checklists.
- **No enhanced VPC routing** → COPY/UNLOAD traffic goes over the public Internet; this can be abused for exfiltration when the attacker controls the S3 bucket/endpoint.

### Attack notes

- If login succeeds: Redshift Serverless has no superuser; in provisioned clusters the master user has broad rights, including creating (Python) UDFs, external schemas to Spectrum, COPY from attacker-controlled S3, and `UNLOAD` to exfiltrate data.
- Check the cluster parameter group for `max_concurrency_scaling_clusters`, `require_ssl`, `enable_user_activity_logging` – disabled logging aids stealth.
- Serverless workgroups are still reachable via TCP and expose the same SQL attack surface as provisioned clusters.
- **Client-side metadata SQLi (Dec 2024)**: JDBC 2.1.0.31, the Python connector 2.1.4 and ODBC 2.1.5.0 build metadata queries from unquoted user input in `getSchemas/getTables/getColumns` (CVE-2024-12744/5/6). If an application lets attackers control the catalog or pattern arguments, you can inject arbitrary SQL that runs as the DB user the connector authenticates with.
  ```python
  # exploit vulnerable python connector 2.1.4 via metadata API
  import redshift_connector
  conn = redshift_connector.connect(host='<endpoint>', database='dev', user='lowpriv', password='pw')
  cur = conn.cursor()
  # injection in table_pattern leaks data from pg_tables
  cur.get_tables(table_schema='public', table_name_pattern="%' UNION SELECT usename,passwd FROM pg_user--")
  ```
- **UDF execution model change**: Python UDFs stop working on June 30, 2026; only Lambda UDFs are allowed after that. Offensive impact: legacy provisioned clusters still run Python UDFs for in-cluster code execution (no FS/network). Lambda UDFs move the code to Lambda, where the IAM role may reach the Internet/VPC endpoints for SSRF/pivoting but has no direct cluster filesystem access. Hunting old clusters with Python UDFs enabled can still yield remote code execution primitives.
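A defensive counterpart to the connector metadata issue above, added here and not taken from the Redshift connectors: an application-side allowlist for the catalog/schema/table filter arguments, exercised against a constructed stand-in cursor. `validate_pattern`, `guarded_metadata_call` and `FakeCursor` are this example's own names; upgrading the driver is the real fix, this protects callers that cannot yet.

```python
"""Application-side guard for driver metadata calls (get_schemas / get_tables / get_columns).
Added example, not connector code: the Dec 2024 bugs pasted pattern arguments unquoted into
the driver's catalog SQL, so values an end user can influence must never reach them raw."""
import re
from typing import Any, Callable

# A legitimate filter is an identifier or LIKE pattern: letters, digits, underscore, dollar
# sign and the wildcards % and _. Quotes, spaces, semicolons and comment markers are never
# needed for a filter and are exactly what an injection relies on.
_SAFE_PATTERN = re.compile(r"^[A-Za-z0-9_$%]{1,127}$")

class UnsafeMetadataArgument(ValueError):
    """Raised when a metadata filter could change the driver's catalog query."""

def validate_pattern(name: str, value: Any) -> Any:
    """Return `value` if it is None or a plain identifier/LIKE pattern, else raise."""
    if value is None:
        return None
    if not isinstance(value, str) or not _SAFE_PATTERN.match(value):
        raise UnsafeMetadataArgument(f"{name}={value!r} is not a plain identifier/LIKE pattern")
    return value

def guarded_metadata_call(method: Callable[..., Any], **filters: Any) -> Any:
    """Validate every filter keyword, then call the driver method (e.g. cursor.get_tables)."""
    return method(**{k: validate_pattern(k, v) for k, v in filters.items()})

class FakeCursor:
    """Constructed stand-in for a connector cursor; records what the driver would receive."""
    def __init__(self) -> None:
        self.calls: list = []

    def get_tables(self, **kwargs: Any) -> list:
        self.calls.append(kwargs)
        return []

def demo() -> tuple:
    """Submit one benign and one hostile table filter; return (accepted, rejected) counts."""
    cur = FakeCursor()
    accepted = rejected = 0
    for pattern in ("sales_%", "%' UNION SELECT usename,passwd FROM pg_user--"):
        try:
            guarded_metadata_call(cur.get_tables, schema_pattern="public", table_name_pattern=pattern)
            accepted += 1
        except UnsafeMetadataArgument as exc:
            rejected += 1  # worth alerting on: this is a probe against the app, not a typo
            print("rejected:", exc)
    return accepted, rejected

if __name__ == "__main__":
    print(demo())  # (1, 1)
```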

### Recent security changes (offense impact)

- **Public access disabled by default** on new clusters/snapshots (Jan 10, 2025 change). Legacy ones may still be public.
- **Encryption at rest + enforced TLS by default** means sniffing/MITM is harder; you need valid credentials or SSRF into the VPC path.
- **Serverless VPCE rollout change (Jun 27, 2025)**: workgroup endpoints are created in up to 3 AZs at creation time. Discovery tools should enumerate all workgroup VPCE DNS names per AZ to find reachable IPs.
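An audit check for the conditions this section and the network misconfiguration list above describe (public endpoint plus open security group, `require_ssl`, `enable_user_activity_logging`, encryption at rest, enhanced VPC routing). This is an added example, not AWS tooling: it evaluates the JSON shapes returned by `aws redshift describe-clusters`, `aws redshift describe-cluster-parameters` and `aws ec2 describe-security-groups` on a constructed sample, so it runs offline; `audit_cluster`, `sg_open_to_world` and the sample values are this example's own.

```python
"""Exposure audit over describe-clusters / describe-cluster-parameters / describe-security-groups
output. Added example, not AWS code: it runs on a constructed sample, so no credentials needed."""

def param(params, name, default="false"):
    """ParameterValue for `name` from describe-cluster-parameters output."""
    return next((p["ParameterValue"] for p in params if p["ParameterName"] == name), default)

def sg_open_to_world(sg, port):
    """True if an ingress rule admits `port` from 0.0.0.0/0 or ::/0 (IpProtocol -1 means all)."""
    for rule in sg.get("IpPermissions", []):
        if rule.get("IpProtocol") not in ("tcp", "-1"):
            continue
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            continue
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            return True
    return False

def audit_cluster(cluster, params, sgs):
    """Return human-readable findings for one cluster; an empty list means nothing flagged."""
    port = cluster["Endpoint"]["Port"]
    findings = []
    if cluster.get("PubliclyAccessible"):
        findings.append("PubliclyAccessible=true: endpoint resolves to a public IP")
        if any(sg_open_to_world(sg, port) for sg in sgs):
            findings.append(f"security group admits {port}/tcp from any source")
    if param(params, "require_ssl").lower() != "true":
        findings.append("require_ssl is not true: plaintext logins accepted")
    if param(params, "enable_user_activity_logging").lower() != "true":
        findings.append("enable_user_activity_logging is off: SQL text is not audited")
    if not cluster.get("Encrypted"):
        findings.append("Encrypted=false: storage not encrypted at rest")
    if not cluster.get("EnhancedVpcRouting"):
        findings.append("EnhancedVpcRouting=false: COPY/UNLOAD traffic leaves the VPC")
    return findings

# Constructed sample of a weakly configured provisioned cluster (not real account output).
SAMPLE_CLUSTER = {"ClusterIdentifier": "demo-cluster", "PubliclyAccessible": True,
                  "Encrypted": False, "EnhancedVpcRouting": False,
                  "Endpoint": {"Address": "demo-cluster.example.invalid", "Port": 5439}}
SAMPLE_PARAMS = [{"ParameterName": "require_ssl", "ParameterValue": "false"},
                 {"ParameterName": "enable_user_activity_logging", "ParameterValue": "false"}]
SAMPLE_SGS = [{"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}]

if __name__ == "__main__":
    for finding in audit_cluster(SAMPLE_CLUSTER, SAMPLE_PARAMS, SAMPLE_SGS):
        print("-", finding)
```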

---


### Search Engine Syntax

#### FOFA

```bash
# FOFA search syntax
port="5439"
```

#### Shodan

```bash
# Shodan search syntax
port:5439
```

#### ZoomEye

```bash
# ZoomEye search syntax
port:5439
```

---

## 📖 References

- [HackTricks - 5439-redshift](https://book.hacktricks.wiki/en/network-services-pentesting/5439-redshift.html)

