Shulou(Shulou.com)05/31 Report--

For what is the penetration testing method of Memcached cache server, I believe many inexperienced people are at a loss about it. Therefore, this paper summarizes the causes and solutions of the problem. Through this article, I hope you can solve this problem.

Next we will learn a variety of ways to take advantage of Memcached Server.

Experimental environment

Target: Memcached Server running on Ubuntu 18.04

Attacker: Kali Linux

If you don't say much, let's get started.

Manually dump data from Memcached Server

Let's start the Kali Linux machine and perform a simple nmap scan to see if there is a running Memcached Server on the target computer.

Nmap-sV-p-192.168.1.32

As shown in the figure above, Memcached is running on the target machine with port 11211.

Now, let's do some advanced searches using the nmap script command by typing the following command.

Nmap-p11211-- script=memcached-info 192.168.1.32

As shown in the figure above, the nmap script command extracts some important information about Memcached Server, such as process ID, uptime, architecture, MAC address, etc.

Now, let's try to connect to Memcached Server using telnet and enter the following command.

Telnet 192.168.1.32 11211

As you can see in the figure above, we can connect to Memcached Server through telnet. This means that the server is not protected (no SASL or any type of firewall is configured), so attackers can access the server very smoothly. Let's take further advantage of the Memcached Server that has been granted access.

Type the following command to check the current version of Memcached Server.

Version

You can see that the version of Memcached is 1.5.6, running on a Ubuntu machine.

Now, let's get the valuable data stored in the server directly. Type the following command to print all general statistics of the server.

Stats

The above information shows the current traffic statistics. This includes the number of connections, data stored in the cache, cache hit ratio, and detailed information about memory usage and information distribution.

Now we will run another command to get the slab statistics. The command is as follows:

Stats slabs

As shown in the figure above, there is currently only one slab numbered 1 in the server.

Now, let's run the following command to display the number of item in each slab and the length of storage (the number of seconds from the last access).

Stats items

Next, we run the following command to dump all keys that exist in a particular slab.

Stats cachedump 1 0

Where 1 and 0 are parameters

1 = slab ID

0 = the number of keys to dump, and 0 represents all keys that exist in the dump.

The figure above represents ITEM [b; s]

Now we can simply use the get command to get the value stored in the key, as shown below.

Get first

Get second

Get third

As you can see in the figure above, we have successfully dumped the data stored in the key value.

Use libmemcached-tools to dump data

First install libmemcached-tools on our system and type the following command.

Apt install libmemcached-tools

Now that we have libmemcached-tools installed, start using it by typing the following command.

Memcstat-servers=192.168.1.33

The above command will show us almost the same result as the previous stats command.

Now, let's dump the key values stored in the server directly. Run the following command.

Memcdump-servers=192.168.1.33

As you can see in the figure above, we have dumped all the keys that exist in the current server.

Now, let's dump all the values stored in the key separately. Run the following command.

Memccat-servers=192.168.1.33 fifth fourth third second first

The above command gets all the data stored in each key for us. An attacker can easily upload any malicious file to the server using libmemcached-tools. Here, we will show you how to upload files on the server.

Enter the following command.

Memccp-servers=192.168.1.33 file

Here, the memccp command is uploading a file called "file.txt", which exists in the root directory of our system. Now, let's use memcat to view the contents of this file.

Memcat-servers=192.168.1.33 file uses Metasploit to dump data

Start Metasploit Framework and search for Memcache.

Search memcache

You can see that there are currently four auxiliary modules available.

Here I choose to use the auxiliary/gather/memcached_extractor module. Run the command given below.

Use auxiliary/gather/memcached_extractor

After successfully importing auxiliary in Metasploit Framework, simply set up rhost and run it. The figure above shows that auxiliary has extracted the key values that currently exist in the Memcached server and saved them to the default location / root/.msf4/loot/20190218044841_default_192.168.1.35_memcached.dump_286171.txt.

Use Watchers snooping

Watchers is a way to connect to a Memcached and listen for all operations performed internally.

Now, we use telnet to connect to Memcached and enter the following command.

Watch fetchers

Where OK indicates that watcher is ready to send logs.

As you can see in the image above, all operations being performed on the server are displayed here in real time.

After reading the above, have you mastered the penetration testing method for the Memcached cache server? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.