Memcached
In-memory key-value cache on 11211, almost always unauthenticated. Dump every key to loot sessions, tokens and cached query data; exposed UDP also enables massive amplification.
Ports
| Port | Proto | Notes |
|---|---|---|
| 11211 | tcp | Memcached |
| 11211 | udp | Memcached (amplification) |
Fingerprint
- Connecting with nc to port 11211 and sending 'stats' returns server stats
- nmap memcached-info script responds
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2018-1000115 | UDP exposed by default → DDoS amplification |
Exploitation primitives
- No auth by default — read every cached key (sessions, tokens, SQL results)
- Enumerate slabs then dump keys (stats items → stats cachedump → get)
- Poison cache entries to influence the app
Overview
Memcached on 11211 caches arbitrary app data in memory with no authentication by default. Whatever the app stores — session blobs, API responses, auth tokens — you can read.
Enumeration
Connect and pull stats:
nc -nv <TARGET> 11211
stats
nmap:
nmap -p11211 --script memcached-info <TARGET>
Dump all keys
List slab classes:
stats items
Dump keys from a slab (id, then limit):
stats cachedump 1 100
Read a key’s value:
get <key>
Or automate with the CLI:
memccat --servers=<TARGET>:11211 <key>
Hardening
Bind to localhost, enable SASL auth, and never expose UDP to the internet.
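One way to check these three settings on a server you operate, as an added example that is not part of the original page: it parses the text returned by memcached's `stats settings` command and reports which hardening points are not met. The sample outputs and the function names are constructed for illustration.

```python
import ipaddress

# Constructed samples of `stats settings` output (not captured from a real host).
WEAK = "STAT tcpport 11211\r\nSTAT udpport 11211\r\nSTAT inter NULL\r\nSTAT auth_enabled_sasl no\r\nEND\r\n"
HARDENED = "STAT tcpport 11211\r\nSTAT udpport 0\r\nSTAT inter 127.0.0.1,::1\r\nSTAT auth_enabled_sasl yes\r\nEND\r\n"

def parse_settings(text):
    """Turn 'STAT <name> <value>' lines into a dict; other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "STAT":
            settings[parts[1]] = parts[2].strip()
    return settings

def loopback_only(inter):
    """True only if every listen address in the -l list is a loopback address."""
    if inter in (None, "", "NULL"):      # NULL: no -l given, listens on all interfaces
        return False
    for entry in inter.split(","):
        host = entry.strip().strip("[]")
        if host == "localhost":
            continue
        try:
            if not ipaddress.ip_address(host).is_loopback:
                return False
        except ValueError:               # hostname or host:port form: cannot prove loopback
            return False
    return True

def audit(text):
    """Return the list of hardening findings for one server's settings."""
    s = parse_settings(text)
    findings = []
    if not loopback_only(s.get("inter")):
        findings.append("listens beyond localhost")
    if s.get("udpport") != "0":          # a missing value is treated as a finding too
        findings.append("UDP enabled or unknown")
    if s.get("auth_enabled_sasl") != "yes":
        findings.append("SASL auth not enabled")
    return findings

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample) or "no findings")
```

A truncated or empty response yields all three findings, so a failed collection is never read as a pass.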