Memcached UDP Version Scanner - Metasploit

This page contains detailed information about how to use the auxiliary/scanner/memcached/memcached_udp_version metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Module Overview

Name: Memcached UDP Version Scanner
Module: auxiliary/scanner/memcached/memcached_udp_version
Source code: modules/auxiliary/scanner/memcached/memcached_udp_version.rb
Disclosure date: 2003-07-23
Last modification time: 2020-10-02 12:20:05 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 11211
List of CVEs: -

This module can be used to discover Memcached servers which expose the unrestricted UDP port 11211. A basic "version" request is executed to obtain the version of memcached.

Module Ranking and Traits

Module Ranking:

• normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

This module is a scanner module, and is capable of testing against multiple hosts.

msf > use auxiliary/scanner/memcached/memcached_udp_version
msf auxiliary(memcached_udp_version) > show options
    ... show and set options ...
msf auxiliary(memcached_udp_version) > set RHOSTS ip-range
msf auxiliary(memcached_udp_version) > exploit

Other examples of setting the RHOSTS option:

Example 1:

msf auxiliary(memcached_udp_version) > set RHOSTS 192.168.1.3-192.168.1.200 

Example 2:

msf auxiliary(memcached_udp_version) > set RHOSTS 192.168.1.1/24

Example 3:

msf auxiliary(memcached_udp_version) > set RHOSTS file:/tmp/ip_list.txt

Required Options

• RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

Knowledge Base

yum -y install memcached
systemctl start memcached

docker run -ti --rm -p 11211:11211/udp memcached:1.5.5

msf5 > use auxiliary/scanner/memcached/memcached_udp_version
msf5 auxiliary(scanner/memcached/memcached_udp_version) > set RHOSTS a.b.c.d
RHOSTS => a.b.c.d
msf5 auxiliary(scanner/memcached/memcached_udp_version) > run

[+] a.b.c.d:11211/udp memcached version 1.4.15
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf5 > use auxiliary/scanner/memcached/memcached_udp_version
msf5 auxiliary(scanner/memcached/memcached_udp_version) > set RHOSTS a.b.c.d
RHOSTS => a.b.c.d
msf5 auxiliary(scanner/memcached/memcached_udp_version) > run

[+] a.b.c.d:11211/udp memcached version 1.5.5
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Go back to menu.

Msfconsole Usage

Here is how the scanner/memcached/memcached_udp_version auxiliary module looks in the msfconsole:

msf6 > use auxiliary/scanner/memcached/memcached_udp_version

msf6 auxiliary(scanner/memcached/memcached_udp_version) > show info

       Name: Memcached UDP Version Scanner
     Module: auxiliary/scanner/memcached/memcached_udp_version
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2003-07-23

Provided by:
  Jon Hart <[email protected]>

Check supported:
  No

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  BATCHSIZE  256              yes       The number of hosts to probe in each set
  FILTER                      no        The filter string for capturing traffic
  INTERFACE                   no        The name of the interface
  PCAPFILE                    no        The name of the PCAP capture file to process
  RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT      11211            yes       The target port (UDP)
  SNAPLEN    65535            yes       The number of bytes to capture
  THREADS    10               yes       The number of concurrent threads
  TIMEOUT    500              yes       The number of seconds to wait for new data

Description:
  This module can be used to discover Memcached servers which expose 
  the unrestricted UDP port 11211. A basic "version" request is 
  executed to obtain the version of memcached.

References:
  https://github.com/memcached/memcached/blob/master/doc/protocol.txt

Module Options

This is a complete list of options available in the scanner/memcached/memcached_udp_version auxiliary module:

msf6 auxiliary(scanner/memcached/memcached_udp_version) > show options

Module options (auxiliary/scanner/memcached/memcached_udp_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   FILTER                      no        The filter string for capturing traffic
   INTERFACE                   no        The name of the interface
   PCAPFILE                    no        The name of the PCAP capture file to process
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      11211            yes       The target port (UDP)
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    10               yes       The number of concurrent threads
   TIMEOUT    500              yes       The number of seconds to wait for new data

Advanced Options

Here is a complete list of advanced options supported by the scanner/memcached/memcached_udp_version auxiliary module:

msf6 auxiliary(scanner/memcached/memcached_udp_version) > show advanced

Module advanced options (auxiliary/scanner/memcached/memcached_udp_version):

   Name                   Current Setting  Required  Description
   ----                   ---------------  --------  -----------
   CHOST                                   no        The local client address
   CPORT                                   no        The local client port
   GATEWAY_PROBE_HOST     8.8.8.8          yes       Send a TTL=1 random UDP datagram to this host to discover the default gateway's MAC
   GATEWAY_PROBE_PORT                      no        The port on GATEWAY_PROBE_HOST to send a random UDP probe to (random if 0 or unset)
   SECRET                 1297303073       yes       A 32-bit cookie for probe requests.
   ScannerMaxResends      10               yes       The maximum times to resend a packet when out of buffers
   ScannerRecvInterval    30               yes       The maximum numbers of sends before entering the processing loop
   ScannerRecvQueueLimit  100              yes       The maximum queue size before breaking out of the processing loop
   ScannerRecvWindow      15               yes       The number of seconds to wait post-scan to catch leftover replies
   ShowProgress           true             yes       Display progress messages during a scan
   ShowProgressPercent    10               yes       The interval in percent that progress should be shown
   VERBOSE                false            no        Enable detailed status messages
   WORKSPACE                               no        Specify the workspace for this module

Auxiliary Actions

This is a list of all auxiliary actions that the scanner/memcached/memcached_udp_version module can do:

msf6 auxiliary(scanner/memcached/memcached_udp_version) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options

Here is the full list of possible evasion options supported by the scanner/memcached/memcached_udp_version auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(scanner/memcached/memcached_udp_version) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Related Pull Requests

• #14212 Merged Pull Request: Fix invalid disclosure date formats
• #9678 Merged Pull Request: Add memcached UDP version scanner

References

• CVE: Not available
• https://github.com/memcached/memcached/blob/master/doc/protocol.txt

See Also

Check also the following modules related to this module:

• auxiliary/scanner/memcached/memcached_amp
• auxiliary/gather/memcached_extractor
• auxiliary/dos/misc/memcached
• auxiliary/gather/ibm_sametime_version
• auxiliary/scanner/db2/db2_version
• auxiliary/scanner/etcd/version
• auxiliary/scanner/ftp/ftp_version
• auxiliary/scanner/h323/h323_version
• auxiliary/scanner/http/coldfusion_version
• auxiliary/scanner/http/docker_version
• auxiliary/scanner/http/http_version
• auxiliary/scanner/http/joomla_version
• auxiliary/scanner/http/ssl_version
• auxiliary/scanner/imap/imap_version
• auxiliary/scanner/ipmi/ipmi_version
• auxiliary/scanner/lotus/lotus_domino_version
• auxiliary/scanner/mysql/mysql_version
• auxiliary/scanner/oracle/tnslsnr_version
• auxiliary/scanner/pop3/pop3_version
• auxiliary/scanner/postgres/postgres_version
• auxiliary/scanner/sap/sap_mgmt_con_version
• auxiliary/scanner/scada/digi_addp_version
• auxiliary/scanner/scada/digi_realport_version
• auxiliary/scanner/smb/smb_version
• auxiliary/scanner/smtp/smtp_version
• auxiliary/scanner/snmp/aix_version
• auxiliary/scanner/ssh/ssh_version
• auxiliary/scanner/ssl/ssl_version
• auxiliary/scanner/telnet/lantronix_telnet_version
• auxiliary/scanner/telnet/telnet_version
• auxiliary/scanner/vmware/vmauthd_version
• auxiliary/scanner/vxworks/wdbrpc_version
• auxiliary/scanner/udp/udp_amplification

Authors

• Jon Hart <[email protected]>

Version

This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.