# Authentication

**By default** Redis can be accessed **without credentials**. However, it can be **configured** to support **only password, or username + password**.\
It is possible to **set a password** in ***redis.conf*** file with the parameter `requirepass`  **or temporary** until the service restarts connecting to it and running: `config set requirepass p@ss$12E45`.\
Also, a **username** can be configured in the parameter `masteruser` inside the ***redis.conf*** file.

{% hint style="info" %}
If only password is configured the username used is "**default**".\
Also, note that there is **no way to find externally** if Redis was configured with only password or username+password.
{% endhint %}

In cases like this one you will **need to find valid credentials** to interact with Redis so you could try to brute-force it:

```
msf> use auxiliary/scanner/redis/redis_login
nmap --script redis-brute -p 6379 <IP>
hydra –P /path/pass.txt <IP> redis
```

In case you found valid credentials you need to **authenticate the session** after establishing the connection with the command:

```bash
AUTH <username> <password>
```

**Valid credentials** will be responded with: `+OK`.