mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-21 02:23:30 +00:00
226 lines
12 KiB
Markdown
226 lines
12 KiB
Markdown
|
# 11211 - Pentesting Memcache
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
|
||
|
## Protocol Information
|
||
|
|
||
|
From [wikipedia](https://en.wikipedia.org/wiki/Memcached):
|
||
|
|
||
|
> **Memcached** (pronunciation: mem-cashed, mem-cash-dee) is a general-purpose distributed [memory caching](https://en.wikipedia.org/wiki/Memory\_caching) system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source (such as a database or API) must be read.
|
||
|
|
||
|
Although Memcached supports SASL, most instances are **exposed without authentication**.
|
||
|
|
||
|
**Default port:** 11211
|
||
|
|
||
|
```
|
||
|
PORT STATE SERVICE
|
||
|
11211/tcp open unknown
|
||
|
```
|
||
|
|
||
|
## Enumeration
|
||
|
|
||
|
### Manual
|
||
|
|
||
|
To exfiltrate all the information saved inside a memcache instance you need to:
|
||
|
|
||
|
1. Find **slabs** with **active items**
|
||
|
2. Get the **key names** of the slabs detected before
|
||
|
3. Ex-filtrate the **saved data** by **getting the key names**
|
||
|
|
||
|
Remember that this service is just a **cache**, so **data may be appearing and disappearing**.
|
||
|
|
||
|
```bash
|
||
|
echo "version" | nc -vn -w 1 <IP> 11211 #Get version
|
||
|
echo "stats" | nc -vn -w 1 <IP> 11211 #Get status
|
||
|
echo "stats slabs" | nc -vn -w 1 <IP> 11211 #Get slabs
|
||
|
echo "stats items" | nc -vn -w 1 <IP> 11211 #Get items of slabs with info
|
||
|
echo "stats cachedump <number> 0" | nc -vn -w 1 <IP> 11211 #Get key names (the 0 is for unlimited output size)
|
||
|
echo "get <item_name>" | nc -vn -w 1 <IP> 11211 #Get saved info
|
||
|
|
||
|
#This php will just dump the keys, you need to use "get <item_name> later"
|
||
|
sudo apt-get install php-memcached
|
||
|
php -r '$c = new Memcached(); $c->addServer("localhost", 11211); var_dump( $c->getAllKeys() );'
|
||
|
```
|
||
|
|
||
|
### Manual2
|
||
|
|
||
|
```bash
|
||
|
sudo apt install libmemcached-tools
|
||
|
memcstat --servers=127.0.0.1 #Get stats
|
||
|
memcdump --servers=127.0.0.1 #Get all items
|
||
|
memccat --servers=127.0.0.1 <item1> <item2> <item3> #Get info inside the item(s)
|
||
|
```
|
||
|
|
||
|
### Automatic
|
||
|
|
||
|
```bash
|
||
|
nmap -n -sV --script memcached-info -p 11211 <IP> #Just gather info
|
||
|
msf > use auxiliary/gather/memcached_extractor #Extracts saved data
|
||
|
msf > use auxiliary/scanner/memcached/memcached_amp #Check is UDP DDoS amplification attack is possible
|
||
|
```
|
||
|
|
||
|
## **Dumping Memcache Keys**
|
||
|
|
||
|
In the realm of memcache, a protocol that assists in organizing data by slabs, specific commands exist for inspecting the stored data, albeit with notable constraints:
|
||
|
|
||
|
1. Keys can only be dumped by slab class, grouping keys of similar content size.
|
||
|
2. A limit exists of one page per slab class, equating to 1MB of data.
|
||
|
3. This feature is unofficial and may be discontinued at any time, as discussed in [community forums](https://groups.google.com/forum/?fromgroups=#!topic/memcached/1-T8I-RVGKM).
|
||
|
|
||
|
The limitation of only being able to dump 1MB from potentially gigabytes of data is particularly significant. However, this functionality can still offer insights into key usage patterns, depending on specific needs. For those less interested in the mechanics, a visit to the [tools section](https://lzone.de/cheat-sheet/memcached#tools) reveals utilities for comprehensive dumping. Alternatively, the process of using telnet for direct interaction with memcached setups is outlined below.
|
||
|
|
||
|
### **How it Works**
|
||
|
|
||
|
Memcache's memory organization is pivotal. Initiating memcache with the "-vv" option reveals the slab classes it generates, as shown below:
|
||
|
|
||
|
```bash
|
||
|
$ memcached -vv
|
||
|
slab class 1: chunk size 96 perslab 10922
|
||
|
[...]
|
||
|
```
|
||
|
|
||
|
To display all currently existing slabs, the following command is used:
|
||
|
|
||
|
```bash
|
||
|
stats slabs
|
||
|
```
|
||
|
|
||
|
Adding a single key to memcached 1.4.13 illustrates how slab classes are populated and managed. For instance:
|
||
|
|
||
|
```bash
|
||
|
set mykey 0 60 1
|
||
|
1
|
||
|
STORED
|
||
|
```
|
||
|
|
||
|
Executing the "stats slabs" command post key addition yields detailed statistics about slab utilization:
|
||
|
|
||
|
```bash
|
||
|
stats slabs
|
||
|
[...]
|
||
|
```
|
||
|
|
||
|
This output reveals the active slab types, utilized chunks, and operational statistics, offering insights into the efficiency of read and write operations.
|
||
|
|
||
|
Another useful command, "stats items", provides data on evictions, memory constraints, and item lifecycles:
|
||
|
|
||
|
```bash
|
||
|
stats items
|
||
|
[...]
|
||
|
```
|
||
|
|
||
|
These statistics allow for educated assumptions about application caching behavior, including cache efficiency for different content sizes, memory allocation, and capacity for caching large objects.
|
||
|
|
||
|
### **Dumping Keys**
|
||
|
|
||
|
For versions prior to 1.4.31, keys are dumped by slab class using:
|
||
|
|
||
|
```bash
|
||
|
stats cachedump <slab class> <number of items to dump>
|
||
|
```
|
||
|
|
||
|
For example, to dump a key in class #1:
|
||
|
|
||
|
```bash
|
||
|
stats cachedump 1 1000
|
||
|
ITEM mykey [1 b; 1350677968 s]
|
||
|
END
|
||
|
```
|
||
|
|
||
|
This method iterates over slab classes, extracting and optionally dumping key values.
|
||
|
|
||
|
### **DUMPING MEMCACHE KEYS (VER 1.4.31+)**
|
||
|
|
||
|
With memcache version 1.4.31 and above, a new, safer method for dumping keys in a production environment is introduced, utilizing non-blocking mode as detailed in the [release notes](https://github.com/memcached/memcached/wiki/ReleaseNotes1431). This approach generates extensive output, hence the recommendation to employ the 'nc' command for efficiency. Examples include:
|
||
|
|
||
|
```bash
|
||
|
echo 'lru_crawler metadump all' | nc 127.0.0.1 11211 | head -1
|
||
|
echo 'lru_crawler metadump all' | nc 127.0.0.1 11211 | grep ee6ba58566e234ccbbce13f9a24f9a28
|
||
|
```
|
||
|
|
||
|
### **DUMPING TOOLS**
|
||
|
|
||
|
Table [from here](https://lzone.de/blog).
|
||
|
|
||
|
| Programming Languages | Tools | Functionality | | |
|
||
|
| --------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- | ------- |
|
||
|
| PHP | [simple script](http://snipt.org/xtP) | Prints key names. | | |
|
||
|
| Perl | [simple script](https://wiki.jasig.org/download/attachments/13572172/memcached-clean.pl?version=1\&modificationDate=1229693957401) | Prints keys and values | | |
|
||
|
| Ruby | [simple script](https://gist.github.com/1365005) | Prints key names. | | |
|
||
|
| Perl | [memdump](https://search.cpan.org/\~dmaki/Memcached-libmemcached-0.4202/src/libmemcached/docs/memdump.pod) | Tool in CPAN module | [Memcached-libmemcached](https://search.cpan.org/\~dmaki/Memcached-libmemc) | ached/) |
|
||
|
| PHP | [memcache.php](http://livebookmark.net/journal/2008/05/21/memcachephp-stats-like-apcphp/) | Memcache Monitoring GUI that also allows dumping keys | | |
|
||
|
| libmemcached | [peep](http://blog.evanweaver.com/2009/04/20/peeping-into-memcached/) | **Does freeze your memcached process!!!** Be careful when using this in production. Still using it you can workaround the 1MB limitation and really dump **all** keys. | | |
|
||
|
|
||
|
## Troubleshooting <a href="#troubleshooting" id="troubleshooting"></a>
|
||
|
|
||
|
### 1MB Data Limit <a href="#1mb-data-limit" id="1mb-data-limit"></a>
|
||
|
|
||
|
Note that prio to memcached 1.4 you cannot store objects larger than 1MB due to the default maximum slab size.
|
||
|
|
||
|
### Never Set a Timeout > 30 Days! <a href="#never-set-a-timeout--30-days" id="never-set-a-timeout--30-days"></a>
|
||
|
|
||
|
If you try to “set” or “add” a key with a timeout bigger than the allowed maximum you might not get what you expect because memcached then treats the value as a Unix timestamp. Also if the timestamp is in the past it will do nothing at all. Your command will silently fail.
|
||
|
|
||
|
So if you want to use the maximum lifetime specify 2592000. Example:
|
||
|
|
||
|
```
|
||
|
set my_key 0 2592000 1
|
||
|
1
|
||
|
```
|
||
|
|
||
|
### Disappearing Keys on Overflow <a href="#disappearing-keys-on-overflow" id="disappearing-keys-on-overflow"></a>
|
||
|
|
||
|
Despite the documentation saying something about wrapping around 64bit overflowing a value using “incr” causes the value to disappear. It needs to be created using “add”/”set” again.
|
||
|
|
||
|
### Replication <a href="#replication" id="replication"></a>
|
||
|
|
||
|
memcached itself does not support replication. If you really need it you need to use 3rd party solutions:
|
||
|
|
||
|
* [repcached](http://repcached.lab.klab.org/): Multi-master async replication (memcached 1.2 patch set)
|
||
|
* [Couchbase memcached interface](http://www.couchbase.com/memcached): Use CouchBase as memcached drop-in
|
||
|
* [yrmcds](https://cybozu.github.io/yrmcds/): memcached compatible Master-Slave key value store
|
||
|
* [twemproxy](https://github.com/twitter/twemproxy) (aka nutcracker): proxy with memcached support
|
||
|
|
||
|
### Commands Cheat-Sheet
|
||
|
|
||
|
{% content-ref url="memcache-commands.md" %}
|
||
|
[memcache-commands.md](memcache-commands.md)
|
||
|
{% endcontent-ref %}
|
||
|
|
||
|
### **Shodan**
|
||
|
|
||
|
* `port:11211 "STAT pid"`
|
||
|
* `"STAT pid"`
|
||
|
|
||
|
## References
|
||
|
|
||
|
* [https://lzone.de/cheat-sheet/memcached](https://lzone.de/cheat-sheet/memcached)
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|