2025-03-29 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31
Many people without hands-on experience are unsure how to penetration test a Memcached cache server. This article summarizes the causes of the problem and the solutions, and I hope it helps you work through it.
Next we will learn a variety of ways to take advantage of Memcached Server.
Experimental environment
Target: Memcached Server running on Ubuntu 18.04
Attacker: Kali Linux
Without further ado, let's get started.
Manually dump data from Memcached Server
Let's start the Kali Linux machine and perform a simple nmap scan to see if there is a running Memcached Server on the target computer.
nmap -sV -p- 192.168.1.32
As shown in the figure above, Memcached is running on the target machine with port 11211.
Now, let's do some advanced searches using the nmap script command by typing the following command.
nmap -p11211 --script=memcached-info 192.168.1.32
As shown in the figure above, the nmap script command extracts some important information about Memcached Server, such as process ID, uptime, architecture, MAC address, etc.
Now, let's try to connect to Memcached Server using telnet and enter the following command.
telnet 192.168.1.32 11211
As you can see in the figure above, we can connect to Memcached Server through telnet. This means that the server is not protected (no SASL or any type of firewall is configured), so attackers can access the server very smoothly. Let's take further advantage of the Memcached Server that has been granted access.
Type the following command to check the current version of Memcached Server.
version
You can see that the version of Memcached is 1.5.6, running on an Ubuntu machine.
Now, let's get the valuable data stored in the server directly. Type the following command to print all general statistics of the server.
stats
The above information shows the current traffic statistics. This includes the number of connections, data stored in the cache, cache hit ratio, and detailed information about memory usage and information distribution.
Now we will run another command to get the slab statistics. The command is as follows:
stats slabs
As shown in the figure above, there is currently only one slab numbered 1 in the server.
Now, let's run the following command to display the number of items in each slab and how long they have been stored (the number of seconds since the last access).
stats items
Next, we run the following command to dump all keys that exist in a particular slab.
stats cachedump 1 0
Here 1 and 0 are parameters:
1 = the slab ID
0 = the number of keys to dump; 0 means dump all keys that exist.
Each line of the output shown in the figure above has the form ITEM <item_key> [<item_size> b; <expiration_timestamp> s]
Now we can simply use the get command to get the value stored in the key, as shown below.
get first
get second
get third
As you can see in the figure above, we have successfully dumped the data stored in the key value.
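The session above succeeds only because the server answers unauthenticated clients from the network. The following Python check is an added example, not part of the original article: it reads the reply to memcached's `stats settings` command from your own server and flags the conditions the walkthrough depends on. The sample reply is constructed, and the names `parse_stats` and `audit` are hypothetical.

```python
# Constructed sample: a "stats settings" reply from a server with no protection.
EXPOSED = (
    "STAT maxbytes 67108864\r\n"
    "STAT tcpport 11211\r\n"
    "STAT udpport 11211\r\n"
    "STAT inter NULL\r\n"
    "STAT auth_enabled_sasl no\r\n"
    "END\r\n"
)

# Assumption: addresses with these prefixes are treated as loopback-only.
LOOPBACK = ("127.", "::1", "localhost")


def parse_stats(reply):
    """Parse 'STAT <name> <value>' lines into a dict, stopping at END."""
    stats = {}
    for line in reply.splitlines():
        if line.strip() == "END":
            break
        parts = line.strip().split(" ", 2)
        if len(parts) == 3 and parts[0] == "STAT":
            stats[parts[1]] = parts[2]
    return stats


def audit(stats):
    """Return a list of findings; an empty list means no check fired."""
    findings = []
    if stats.get("auth_enabled_sasl") != "yes":
        findings.append("no SASL authentication (start memcached with -S)")
    # "inter" is the -l listen address; NULL means -l was not given,
    # so the daemon listens on every interface.
    inter = stats.get("inter", "NULL")
    exposed = [a.strip() for a in inter.split(",")
               if not a.strip().startswith(LOOPBACK)]
    if exposed:
        findings.append("listening beyond loopback: %s (bind with -l 127.0.0.1 "
                        "or firewall port %s)"
                        % (", ".join(exposed), stats.get("tcpport", "11211")))
    if stats.get("udpport", "0") != "0":
        findings.append("UDP listener enabled (disable with -U 0)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_stats(EXPOSED)):
        print("[!]", finding)
```

Paste the reply from a real `stats settings` call in place of `EXPOSED` to audit a live instance.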
Use libmemcached-tools to dump data
First install libmemcached-tools on our system and type the following command.
apt install libmemcached-tools
Now that we have libmemcached-tools installed, start using it by typing the following command.
memcstat --servers=192.168.1.33
The above command will show us almost the same result as the previous stats command.
Now, let's dump the key values stored in the server directly. Run the following command.
memcdump --servers=192.168.1.33
As you can see in the figure above, we have dumped all the keys that exist in the current server.
Now, let's dump all the values stored in the key separately. Run the following command.
memccat --servers=192.168.1.33 fifth fourth third second first
The above command gets all the data stored in each key for us. An attacker can easily upload any malicious file to the server using libmemcached-tools. Here, we will show you how to upload files on the server.
Enter the following command.
memccp --servers=192.168.1.33 file
Here, the memccp command uploads a file called "file.txt", which exists in the root directory of our system. Now, let's use memccat to view the contents of this file.
memccat --servers=192.168.1.33 file
Use Metasploit to dump data
Start Metasploit Framework and search for Memcache.
search memcache
You can see that there are currently four auxiliary modules available.
Here I choose to use the auxiliary/gather/memcached_extractor module. Run the command given below.
use auxiliary/gather/memcached_extractor
After loading the auxiliary module in Metasploit Framework, simply set rhost and run it. The figure above shows that the module has extracted the key values that currently exist in the Memcached server and saved them to the default location /root/.msf4/loot/20190218044841_default_192.168.1.35_memcached.dump_286171.txt.
Use Watchers snooping
Watchers are a way to connect to a Memcached server and listen to all operations performed internally.
Now, we use telnet to connect to Memcached and enter the following command.
watch fetchers
Here, OK indicates that the watcher is ready to send logs.
As you can see in the image above, all operations being performed on the server are displayed here in real time.