Comprehensive Guide on Netcat

This article provides a basic guide to Netcat and shows how to obtain a session with it using different methods.

Table of Contents:

  • Introduction
  • Features
  • Getting started with NC
  • Connecting to a Server
  • Fetching HTTP header
  • Chatting
  • Creating a Backdoor
  • Verbose Mode
  • Save Output to Disk
  • Port Scanning
  • TCP Delay Scan
  • UDP Scan
  • Reverse TCP Shell Exploitation
  • Randomize Port
  • File Transfer
  • Reverse Netcat Shell Exploitation
  • Banner grabbing

Introduction to Netcat

Netcat, or nc, is a utility that reads from and writes to network connections over TCP and UDP. It can be used both for attacking and for defence. On the attacking side, it can be driven by scripts, which makes it a dependable back-end; on the defensive side, it helps us debug the network and investigate it.

Features

  • Act as a simple TCP/UDP/SCTP/SSL client for interacting with web servers, telnet servers, mail servers, and other TCP/IP network services. Often the best way to understand a service (for fixing problems, finding security flaws, or testing custom commands) is to interact with it using Netcat. This lets you control every character sent and view the raw, unfiltered responses.
  • Redirect or proxy TCP/UDP/SCTP traffic to other ports or hosts. This can be done using simple redirection (everything sent to a port is automatically relayed somewhere else you specify in advance) or by acting as a SOCKS or HTTP proxy so clients specify their own destinations. In client mode, Netcat can connect to destinations through a chain of anonymous or authenticated proxies.
  • Run on all major operating systems. We distribute Linux, Windows, and Mac OS X binaries, and Netcat compiles on most other systems. A trusted tool must be available whenever you need it, no matter what computer you’re using.
  • Encrypt communication with SSL, and transport it over IPv4 or IPv6.
  • Act as a network gateway for execution of system commands, with I/O redirected to the network. It was designed to work like the Unix utility cat, but for the network.
  • Act as a connection broker, allowing two (or far more) clients to connect to each other through a third (brokering) server. This enables multiple machines hidden behind NAT gateways to communicate with each other, and also enables the simple Netcat chat mode.

Getting started with NC

To get started with NC, the most basic option is the help command, which shows all the options we can use with Netcat. The help command is the following:

Connecting to a Server

Here, we have connected to an FTP server with the IP address 192.168.1.6. To connect to a server, we specify the port on which the particular service is running; in our case, the port is 21, i.e. FTP.

Syntax: nc [Target IP Address] [Target Port]

As we can see in the given image, vsFTPd is installed on the server, and after providing the login credentials we have successfully logged in to the FTP server.

Fetching HTTP header

We can use netcat to fetch information about any web server. Let's go back to the server we connected to earlier. It also has an HTTP service running on port 80, so we connect to the HTTP service with netcat as we did before. Once connected, we send the request that returns the response header along with the source code of the page served by the HTTP service on the remote server.

As we can see in the given image, the header and source code are displayed through the netcat connection.

Chatting

Netcat can also be used to chat between two users. A connection has to be established before chatting, so we need two devices: one plays the role of the listener and the other the initiator that starts the conversation. Once the connection is established, both ends can communicate. Here we create a scenario of two users chatting from different operating systems.

User 1

OS: Windows 10

IP Address: 192.168.1.4

Role: Listener

User 2

OS: Kali Linux

IP Address: 192.168.1.35

Role: Initiator

In every netcat scenario this step is the same: first, we have to create a listener. We will use the following command to create a listener:

where,

[-l]: Listen mode

[-vv]: Verbose mode (a single -v is enough, but we use it twice to be more verbose)

[-p]: Local port

Now it's time to create an initiator. For this we simply provide the IP address of the system where we started the listener, followed by the port number.

NOTE: Use the same port for the initiator that was used when creating the listener.
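The listener/initiator model from the chat section, and the hand-written HTTP request from the "Fetching HTTP header" section, both come down to a plain TCP socket: one side binds and waits, the other connects and sends bytes, and nothing on the wire is encrypted or authenticated. The following Python script is an added example (not code from the original article) that reproduces that model on localhost: `start_listener` and `serve_one_message` play the listener's role (like `nc -lvvp <port>`), `initiator_send` plays the initiator's role (like `nc <host> <port>`), and `fetch_http_header` sends the same kind of HEAD request you would type into netcat and parses the reply into a status line and headers. The response served back, the function names and the `run_demo` helper are all constructed for this example.

```python
import socket
import threading

# Constructed sample response: what the listener answers with when it plays a
# tiny web server. It is not a capture from a real server.
SAMPLE_HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: constructed-httpd/0.1\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def start_listener(host="127.0.0.1", port=0):
    """Equivalent of `nc -lvvp <port>`: bind and listen. Port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def serve_one_message(srv, reply):
    """Accept one initiator, read what it sends, answer with `reply`, then hang up.
    Returns the raw bytes the initiator sent, so the listener side can log them."""
    conn, _peer = srv.accept()
    with conn:
        conn.settimeout(5)
        received = conn.recv(4096)
        conn.sendall(reply)
    return received


def initiator_send(host, port, payload):
    """Equivalent of `nc <host> <port>` with `payload` typed on stdin: connect,
    send, then read until the listener closes the connection."""
    chunks = []
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def fetch_http_header(host, port):
    """Send a HEAD request by hand, as the article does over netcat, and split the
    response into its status line and a dict of lower-cased header names."""
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")
    raw = initiator_send(host, port, request)
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return status_line, headers


def run_demo():
    """Listener and initiator on localhost in one process: the listener plays the
    web server, the initiator fetches its header. Everything crosses the socket in
    clear text, exactly as it would between two netcat instances."""
    srv = start_listener()
    port = srv.getsockname()[1]
    seen = {}

    def listener_side():
        seen["request"] = serve_one_message(srv, SAMPLE_HTTP_RESPONSE)

    worker = threading.Thread(target=listener_side)
    worker.start()
    status_line, headers = fetch_http_header("127.0.0.1", port)
    worker.join()
    srv.close()
    return {"status": status_line, "headers": headers, "request": seen["request"]}


if __name__ == "__main__":
    result = run_demo()
    print(result["status"])
    for name, value in result["headers"].items():
        print(f"{name}: {value}")
```

Because `listen()` is called before the initiator connects, the connection is queued by the kernel even if the listener thread has not yet reached `accept()`, which is the same reason the article insists on starting the listener first. The request bytes returned by `serve_one_message` are what a defender would see in a packet capture of a netcat session: the full, unencrypted client input.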

Creating a Backdoor

We can also create a backdoor using NC, i.e. a listener on the target system that we can come back to at any time. The command for a Linux system is the following:

This will open a listener on the system that will pipe the command shell or the Linux bash shell to the connecting system.

Verbose Mode

In netcat, verbose mode is enabled with the [-v] parameter and generates extended information. To see the difference between normal and verbose mode, we connect to a server with netcat twice. In the image given below, we can see that when we add [-v] to the netcat command, it displays information about the steps netcat performs while connecting to the server.

Save Output to Disk

For record keeping, better readability and future reference, we will save Netcat's output. To do this we use Netcat's -o parameter to save the output to a text file.

Now that the command has executed successfully, let's go to the location to check whether the output was saved to the file. In this case, our output file is /root/output.txt.

Port Scanning

Netcat can be used as a port scanner, although it was not designed to function as one. To scan, we use the [-z] parameter, which tells netcat to probe the listening daemon without sending any data. This lets netcat report on the service running on that specific port. Netcat can perform TCP and UDP scans.

TCP Scan

Here,

  • [-v]: indicates Verbose mode
  • [-n]: indicates numeric-only IP addresses
  • [-z]: indicates zero-I/O mode [used for scanning]
  • [-w]: indicates timeout for connects and final net reads

To perform a port scan, netcat also needs a range of port numbers; we can provide the range of ports to scan.

From the given image we can see that the target machine has lots of ports open with various services running on them.

TCP Delay Scan

To avoid being noisy in an environment, it is recommended to use a delayed scan. To perform one, we need to specify the delay: the [-i] parameter sets the interval, in seconds, between one packet and the next.

UDP Scan

Netcat can scan UDP ports in the same way it scanned the TCP ports. We use the [-u] parameter to invoke UDP mode.

Reverse TCP Shell Exploitation

We can exploit a system using a combination of msfvenom and netcat. We will use msfvenom to create a payload and netcat to listen for the session. Firstly, we will have to create a payload.

We use the shell_reverse_tcp payload to get a session. We provide the local IP address and port and export the result as an executable (exe) file. Then we create a netcat listener on the port we gave during payload creation and send the payload file to the target. When the target runs the executable, we get a session on our netcat listener.

Randomize Port

If we can't decide on a port for our listener or our Netcat connection, netcat has a special -r parameter that picks a random local port for us.

File Transfer

Netcat can be used to transfer files between devices. Here we create a scenario in which we transfer a file from a Windows system to a Kali Linux system. To send the file from Windows, we use the following command:

Now we need to receive the shared file on Kali Linux. Here we give netcat the Windows IP address and the port that hosts the file, and write the output to a text file. For this we use the following command:

Reverse Netcat Shell Exploitation

We will use msfvenom to create a payload and netcat to listen for the session. Firstly, we will have to create a payload.

So, when you execute the above command, you get another command that has to be run on the target system, as shown in the image below; once it is run there, you will have your session, as shown in the image above.

Another way to have a reverse shell is by executing the following command in the target system :

And then when you start netcat as shown in the image below, you will have a session.

Banner Grabbing

To grab the target port banner from netcat, use the following command :

So, this was a basic guide to netcat. It is an interesting tool to use, and pretty easy as well.

Author: Shubham Sharma is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing.

Post Exploitation on Saved Password with LaZagne

This article will be focused on The LaZagne project and its usage in Post Exploitation.

Table of Content:

  • Introduction of LaZagne Project
  • Syntax and Parameters
  • Achieve Meterpreter and Upload LaZagne
  • Help Screen
  • Mails Argument
  • Windows Argument
  • Browsers Argument
  • Databases Argument
  • Wi-Fi Argument
  • All Argument
  • oN Parameter
  • Verbose Mode Parameter
  • Quiet Parameter

Introduction of LaZagne Project

LaZagne is an open source application that retrieves the passwords stored on a system. It injects its Python code directly into memory without writing anything to disk, which makes it difficult to trace. Usually, when we get a session on a target system, our main aim is to gather credentials. When an attacker attacks a target, there are two ways to compromise it. If the attacker only gets a meterpreter session, then all it does is compromise the security of the device.

But with some scripts and post-exploitation modules, the attacker can compromise every nook of the victim's security. This includes email passwords, social networking passwords, SSH passwords, banking information, etc. Extracting passwords is usually a noisy and clumsy task, but with LaZagne it is very simple and stealthy.

Without LaZagne, attackers normally run a bunch of different scripts, each targeting a different application installed on the target system. LaZagne does this automatically: it first checks which applications are installed on the target system and then runs the specific script that targets the passwords of each of those applications.

Famous Scripts Included in LaZagne

  • KeeThief
  • mimipy
  • mimikatz
  • pypykatz
  • creddump
  • chainbreaker
  • pyaes
  • pyDes
  • secretstorage and many more.

Target Software

  • Firefox
  • Google Chrome
  • Opera
  • Skype
  • Postgresql
  • Thunderbird
  • Keepass
  • CoreFTP
  • FileZilla and many more.

Syntax and Parameters

On Linux systems, LaZagne is executed as a Python file. But when our target is Windows, we have to use the executable (exe) file. We can download more executables from here.

LaZagne has a lot of other parameters and conditions, but here we have used only certain parameters and targets due to technological limitations.

Achieve Meterpreter and Upload LaZagne

Open a Kali Linux terminal and type msfconsole to load the Metasploit Framework. Now we need to compromise the victim's machine first to get a session of any type, either meterpreter or shell; to do so, you can read our previous article here.

After getting meterpreter on the remote system, we need to upload the executable file to the target machine to extract credentials. We will use upload command for this.

Now that we have the LaZagne on the target system, it’s time to enumerate passwords.

Use shell command on the meterpreter shell to get to the command line on the target system.

Help Screen

To get details about the LaZagne we will use the -h parameter. This will print the list of parameters and arguments with the working examples on our screen. This is an informative banner as it not only gives us various methods that we can use but it also tells us how to use those parameters.

Mails Argument

This argument targets mail clients like Mozilla Thunderbird and Microsoft Outlook. When it is selected, a script runs in the background that extracts the login credentials stored by these email clients. As we can see in the given image, it has successfully extracted the credentials stored in the email clients.

Windows Argument

This argument targets Windows security on all fronts. When it is selected, a script runs in the background that includes autologon, cachedump, credman, hashdump, lsa_secrets and others. This compromises all of the Windows defences and gives the attacker the credentials he is craving. As we can see in the given image, it has successfully extracted the credentials.

Browsers Argument

This argument targets browsers like Mozilla Firefox, Google Chrome, Opera, UC Browser, Microsoft Edge and many more. When it is selected, a script runs in the background that extracts the login credentials stored inside the browsers. Browsers hide saved passwords and show them only after verifying the Windows credentials, so in order to extract the credentials stored inside the browser, LaZagne attacks the SAM, gets the Windows password and then uses it to extract the rest of the passwords. As we can see in the given image, it has successfully extracted the credentials stored in Firefox and Chrome.

Databases Argument

This argument targets database clients like PostgreSQL. When it is selected, a script runs in the background that extracts the login credentials stored by any database client. As we can see in the given image, it has successfully extracted the credentials stored in the PostgreSQL client.

Wi-Fi Argument

This argument targets the stored Wi-Fi credentials. When it is selected, a script runs in the background that extracts the credentials of every Wi-Fi network the user connected to and chose to save the password for. As we can see in the given image, it has successfully extracted the Wi-Fi credentials.

All Argument

This argument runs all the modules in LaZagne. When it is selected, a script runs in the background that extracts all the login credentials stored on the target system. As we can see in the given image, it has successfully extracted all the possible credentials from the target.

oN Parameter

This parameter must be run with some argument, otherwise it gives an error (we are using the all argument here). It is optional. It not only prints the output on the terminal but also creates a file in the directory it was run from and writes the output of the script to it.

Let's check whether the file was created. As we can see in the given image, a file named credentials is created, and opening it with the cat command shows the same result we saw on the terminal.

Verbose Mode Parameter

This parameter must be run with some argument, otherwise it gives an error (we are using the all argument here). It is optional. By default LaZagne has two levels of verbosity, Level 0 and Level 1; if no parameter is given, Level 0 is selected automatically. When we pass -vv, the verbosity of the extraction increases and the output changes: LaZagne now forcefully runs each and every script in its arsenal and tries to extract more and more credentials.

Quiet Parameter

This parameter must be run with some argument, otherwise it gives an error (we are using the all argument here). It is optional. It prints no output on the terminal: the scripts still run in the background, but the extracted passwords are not shown, so we combine it with the oN parameter discussed earlier, which creates a file in the directory it was run from and writes the output of the script to it.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester.

Comprehensive Guide on Snort (Part 1)

This article introduces intrusion detection systems, using Snort as the example.

Table of Content :

  • Introduction to IDS
  • Categories of IDS
  • Types of IDS
  • Introduction to Snort

Introduction to IDS

IDS stands for Intrusion Detection System. The techniques and methods an IDS is founded on are used to monitor and reveal malicious activity at both the host and the network level. Once such activity occurs, an alert is issued to make everyone aware of the attack. An IDS can be hardware, software or a combination of both, depending on the requirement. It may use signature-based and anomaly-based techniques together or separately, again depending on the requirement. Your network topology determines where to add intrusion detection systems; whether they should be positioned at one or more places depends on whether you want to track internal or external threats. For instance, if you want to protect yourself from external traffic, place an IDS at the router; if you want to protect the inner network, place an IDS on every network segment.

Categories of IDS

Signature-Based IDS

This IDS checks the signatures of data packets in the network traffic. Basically, it captures the packets and uses their signatures to confirm whether they are a threat or not. Such signatures are commonly known intrusion-related signatures or anomalies related to Internet protocols. Intruders such as computer viruses always have a signature, so they can easily be detected by a software IDS, as it uses signatures to identify threats.

Anomaly IDS

This IDS detects whether a data packet behaves anomalously. It issues an alert if anomalies are present in the protocol header fields. In some cases this system produces better results than a signature-based IDS. Normally such an IDS captures data from the network and then applies its rules to these packets in order to detect anomalies.

Types of IDS

NIDS

NIDS stands for Network Intrusion Detection System. This type of IDS captures the data packets sent and received on the network and tallies them against the database of signatures. If the packet is a match then no alert will be issued; otherwise it issues an alert letting everyone know of a malicious attack. Snort is an excellent example of a NIDS.

HIDS

HIDS stands for Host Intrusion Detection System, which, as the name says, runs on a host. This type of IDS monitors system and application logs to detect intruder activity. Some react when malicious activity takes place; others monitor all the traffic coming to the host where the IDS is installed and give alerts in real time.

Introduction to snort

Snort is a Network Intrusion Detection System (NIDS). It is popular open source software that monitors network traffic in real time, so it can also be considered a packet sniffer. Basically, it examines each and every data packet in depth to see whether it carries a malicious payload; it can also be used for protocol analysis and content searching. It is capable of detecting various attacks such as port scans, buffer overflows, etc. It is available for all platforms, i.e. Windows, Linux, etc. It does not require recompiling the system or adding hardware to your distribution, though root privileges are required. It inspects all network traffic against the provided set of rules and then alerts the administrator about any suspicious activity. It is divided into multiple components, and all the components work together to detect an intrusion. The major components of Snort are the following:

  • Packet Decoder
  • Pre-processors
  • Detection Engine
  • Logging and Alerting System
  • Output Modules

Installation of Snort

First, use the ifconfig command on your Ubuntu system to check the interface. As you can see in the image below, the interface is ens33.

Now, let’s install snort by using the following command :

Once the installation starts, it will ask for the interface we checked previously. Enter its name here and press Enter.

Then it will ask for your network IP. Here you can provide either a single IP or a range of IPs, as we have done in the image below:

Then, possibly, it will ask for the name of the interface again; provide it and press Enter.

Once Snort is installed, open the configuration file with nano or any text editor to make some changes. Use the following command to do so:

Scroll down the file to around line 45 to specify the network you are protecting, as shown in the given image.

#Setup the network addresses you are protecting

Now run the command given below to enable the IDS mode of Snort:

The above command will compile the complete file and test the configuration settings automatically, as shown in the image below:

Once Snort is installed and configured, we can start changing its rules to suit our own requirements. To see the rules Snort works with, use the following command:

As shown in the image below, you can find all the documents related to rules.

Snort Rule Format

Snort lets its users write their own rules for generating logs of incoming/outgoing network packets. They only need to follow the Snort rule format, where packets must meet the rule's conditions. Always bear in mind that a Snort rule is written by combining two main parts: the header and the options segment.

The header part contains the action, the protocol, the source IP and port, and the direction operator pointing towards the destination IP and port; everything else belongs to the options part.

Syntax: Action Protocol Source IP Source port -> Destination IP Destination port (options)

Header Fields:-

Action: tells Snort what action to perform when it discovers a packet that matches the rule description. There are five default actions in Snort: alert, log, pass, activate and dynamic are the keywords used to define the action of a rule. You can also use additional actions, which include drop, reject and sdrop.

Protocol: after deciding the action, you need to specify the protocol (IP, TCP, UDP, ICMP, any) to which this rule applies.

Source IP: this part of the header describes the sender network interface from which traffic is coming.

Source Port: this part of the header describes the source port from which traffic is coming.

Direction operator ("->", "<>"): denotes the direction of traffic flow between the sender and receiver networks.

Destination IP: this part of the header describes the destination network interface to which traffic is coming to establish the connection.

Destination Port: this part of the header describes the destination port on which traffic is coming to establish the connection.

Option Fields:

The rule options body is written between round brackets "()" and contains keywords with their arguments, each separated from the next keyword by a semicolon ";".

There are four major categories of rule options.

General: these options contain metadata that offers information about the rule.

Payload: these options all look for data contained in the packet payload and can be inter-related.

Non-payload: these options look for non-payload data.

Post-detection: these options are rule-specific triggers that happen after a rule has fired.

General Rule Options (Metadata)

In this article we explore the general rule options for beginners, so that they can easily write a basic rule in a Snort rules file and analyse the packets on their network. Metadata is the part of the rule options that carries additional information about the Snort rule; it is written with the help of some keywords and their arguments.

Keywords and their descriptions:

  • msg: stands for "Message"; it tells Snort which text should be printed in the log when a packet is analysed against the rule.
  • reference: lets a rule refer to information present on other systems available on the Internet, such as CVE.
  • gid: stands for "Generator ID"; it identifies which part of Snort created the event when a specific rule fired.
  • sid: stands for "Snort ID"; it uniquely identifies a Snort rule.
  • rev: stands for "Revision"; it uniquely identifies revisions of a Snort rule.
  • classtype: assigns classifications and priority numbers to groups of rules and marks a rule as detecting an attack that is part of a more general attack class. Syntax: config classification: name, description, priority number.
  • priority: assigns a severity rank to your rules.
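To make the header layout and the general (metadata) options concrete, here is an added example, written for this page and not part of the original article or of Snort itself: a small parser that splits a rule into its header fields, the option list, and a typed metadata dict, and a sanity check a defender can run over a rules file to catch duplicate sids. The sample rules are constructed in the shape the article describes (ICMP alert, a bidirectional "<>" rule, rules for ports 21 and 22); the function names and the deliberately repeated sid are assumptions of this example.

```python
import re

# Header layout: action protocol src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<protocol>\S+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$"
)
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "any"}
# General (metadata) keywords from the table above.
METADATA_KEYS = {"msg", "reference", "gid", "sid", "rev", "classtype", "priority"}
INT_KEYS = {"gid", "sid", "rev", "priority"}

# Constructed sample rules (not from a real rules file). The last one reuses
# sid 1000001 on purpose so the duplicate check has something to find.
SAMPLE_RULES = [
    'alert icmp any any -> 192.168.1.10 any (msg:"ICMP packet detected"; sid:1000001; rev:1;)',
    'alert tcp any any <> any 80 (msg:"HTTP traffic; both directions"; sid:1000002; rev:1; '
    'classtype:web-application-activity; priority:3;)',
    'alert tcp any any -> any 21 (msg:"FTP connection attempt"; sid:1000003; rev:1;)',
    'alert tcp any any -> any 22 (msg:"SSH connection attempt"; sid:1000001; rev:2;)',
]


def split_options(body):
    """Split the option body on ';' while respecting double quotes and backslash
    escapes, so a msg such as "found; see log" is not cut in half."""
    parts, current, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            current.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def parse_rule(text):
    """Parse one rule into header fields, a typed metadata dict and the raw option list."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"does not match the header layout: {text!r}")
    rule = m.groupdict()
    body = rule.pop("options")
    if rule["action"] not in ACTIONS:
        raise ValueError(f"unknown action {rule['action']!r}")
    if rule["protocol"] not in PROTOCOLS:
        raise ValueError(f"unknown protocol {rule['protocol']!r}")
    options, metadata = [], {}
    for opt in split_options(body):
        key, colon, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        if key in METADATA_KEYS:
            if key in INT_KEYS:
                value = int(value)
            elif key == "msg":
                value = value.strip('"')
            metadata[key] = value
        options.append((key, value if colon else None))  # keyword-only options carry None
    if "sid" not in metadata:
        raise ValueError("every rule needs a sid so its alerts can be traced back to it")
    rule["metadata"] = metadata
    rule["options"] = options
    return rule


def find_duplicate_sids(rule_texts):
    """Defender's sanity check for a rules file: sids must be unique (see the sid keyword)."""
    seen, dupes = set(), set()
    for text in rule_texts:
        sid = parse_rule(text)["metadata"]["sid"]
        if sid in seen:
            dupes.add(sid)
        seen.add(sid)
    return sorted(dupes)


if __name__ == "__main__":
    for rule_text in SAMPLE_RULES:
        parsed = parse_rule(rule_text)
        print(parsed["action"], parsed["protocol"], parsed["direction"], parsed["metadata"])
    print("duplicate sids:", find_duplicate_sids(SAMPLE_RULES))
```

The quote-aware split matters because msg strings routinely contain semicolons and colons; splitting naively on ";" would truncate the message and mis-read the remaining options. Running `find_duplicate_sids` over a local rules file before loading it into Snort avoids alerts from two different rules being reported under the same ID.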

Let’s start writing snort rule:

To check whether Snort is logging alerts as intended, add a detection rule that alerts on IP packets in the "local.rules" file.

Before writing new rules, let's empty the ICMP rules file using the following command:

The cat command will confirm whether the file is empty. Now, let's empty icmp-info.rules:

Now let's write the rule:

If you look at the image below, we have used a one-way arrow, which means that Snort will alert us about incoming malicious traffic:

The IP (192.168.1.10) we will attack from is shown in the image shown below :

Now, we will send two packets with the following command :

You can check the details of the packets that are being sent :

Use the following command to activate snort in order to catch the malicious packets :

Here,

-A <mode> Set alert mode: fast, full, console, test or none

-q Quiet: don't show the banner and status report

-u <uname> Run snort uid as <uname> user

-g <gname> Run snort gid as <gname> group (or gid)

-c <rules> Use rules file

-i <if> Listen on interface <if>

And as you can see in the image below, the alerts are being issued by Snort:

Now, add the following rule to see both incoming and outgoing traffic when an alert is issued:

As the image below shows, here we have used '<>', which monitors both sent and received packets when an alert is issued.

Again we will send two packets as before, using the following command:

As a result, you can see both packets, as shown in the image below:

Now we will apply rules on ports 21, 22 and 80. This way, whenever a suspicious packet is sent to these ports, we will be notified. The rules to apply to achieve this are the following:

When a packet is sent to port 80, as shown in the image:

Snort will issue an alert for the HTTP packet, as shown in the image below:

Similarly, when a data packet is sent to FTP, as in the following image:

The FTP packets will be detected and one will be notified.

Again, in a similar manner, when one tries to send packets to SSH, as shown in the image below:

Snort will notify the administrator, as shown below:

This way, using Snort or any other IDS, one can be protected from network attacks by being notified of them in time.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

Penetration Testing on Memcached Server

In our previous article, we learned how to configure Memcached Server in Ubuntu 18.04 system to design our own pentest lab. Today we will learn multiple ways to exploit Memcached Server.

Table of Contents

  • Dumping data from the Memcached server manually.
  • Dumping data using libmemcached-tools.
  • Dumping data using Metasploit.
  • Monitoring using Watchers.

Requirements

Target: Memcached Server running in Ubuntu 18.04 system

Attacker: Kali Linux

Let’s Begin!!

Dumping data from Memcached server manually

Boot up your Kali Linux machine and do a simple nmap scan first to check whether the target machine is running a Memcached server.

As you can see in the above image, Memcached is running on the target machine and port 11211 is open.

Now, let's do a slightly more advanced search using an nmap script by typing the following command.

As you can see in the above image, the nmap script fetched us some crucial information about the Memcached server, such as the process ID, uptime, architecture, MAC address, etc.

Now, let's try to connect to the Memcached server using telnet by typing the commands given below.

As you can see in the above image, we are able to connect to the Memcached server through telnet. In such cases the server is unprotected, so an attacker can gain access to it without any obstacle, because the server is not configured with SASL or any kind of firewall. Let's go ahead and begin exploiting the Memcached server we just gained access to.

Type the command version to check the version of the Memcached server.

The above output shows that the Memcached version is 1.5.6 and that it is running on an Ubuntu machine.

Now, let's get straight to fetching the valuable data stored on the server. Type the command shown below to print all the general statistics of the server.

The above information shows the current traffic statistics: the number of connections, the data stored in the cache, cache hit ratios, and detailed information on memory usage and on the distribution of information through the slab allocation used to store individual items.

Now, we will run another command to fetch the slab statistics. Slabs are created and allocated for storing information within the cache. Run the command shown below.

As you can observe in the above image, there is currently only one slab on the server, and its slab number is 1.

Now, let's run the command mentioned below to fetch count, age, evictions, expirations, etc., organized by slab ID.

The above image gives us an insight into how the data is organized in slab ID 1.

Now, let’s run the command below to dump all the keys present in a particular slab.

Here 1 and 0 are the parameters,

1 = slab ID.

0 = the number of keys you want to dump; 0 dumps all the keys present in that slab ID.

Each line in the above image has the form ITEM <item_key> [<item_size> b; <expiration_timestamp> s]

Now, we can simply use the get command to fetch the values stored under the keys, as shown below.

As you can see in the above image, we have successfully dumped the data stored under the keys.
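The manual walk-through above is a sequence of plain-text protocol replies: `STAT name value` lines from `stats` and `stats items`, and `ITEM <key> [<size> b; <expiry> s]` lines from `stats cachedump`. The following Python script is an added example, written for this page rather than taken from the article or from Memcached, that parses those replies and turns them into an exposure report a defender can hand to the server's owner: which version is reachable, which slabs exist, and which key names and how many bytes could be read without any authentication. The sample replies are constructed in the shape shown in the article (they are not captures from a real server), and the function names are assumptions of this example.

```python
import re

# Constructed sample replies shaped like `stats`, `stats items` and
# `stats cachedump 1 0` output; not captured from a real Memcached server.
SAMPLE_STATS = """STAT pid 1234
STAT uptime 3600
STAT time 1550480000
STAT version 1.5.6
STAT curr_connections 2
STAT total_connections 5
STAT curr_items 2
END
"""

SAMPLE_STATS_ITEMS = """STAT items:1:number 2
STAT items:1:age 120
STAT items:1:evicted 0
STAT items:1:expired_unfetched 0
END
"""

SAMPLE_CACHEDUMP = """ITEM first_name [4 b; 1550483600 s]
ITEM last_name [6 b; 1550483600 s]
END
"""

ITEM_RE = re.compile(r"^ITEM (?P<key>\S+) \[(?P<size>\d+) b; (?P<expires>\d+) s\]$")
ITEMS_STAT_RE = re.compile(r"^STAT items:(?P<slab>\d+):(?P<name>\w+) (?P<value>\S+)$")


def parse_stats(text):
    """Turn `STAT name value` lines into a dict of strings; stops at END."""
    stats = {}
    for line in text.splitlines():
        line = line.strip()
        if line == "END":
            break
        if line.startswith("STAT "):
            _, name, value = line.split(" ", 2)
            stats[name] = value
    return stats


def slab_ids_from_items(text):
    """Collect the slab IDs reported by `stats items`; these are the IDs fed to cachedump."""
    slabs = set()
    for line in text.splitlines():
        m = ITEMS_STAT_RE.match(line.strip())
        if m:
            slabs.add(int(m.group("slab")))
    return sorted(slabs)


def parse_cachedump(text):
    """Parse `ITEM <key> [<size> b; <expiry> s]` lines from `stats cachedump`."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "END":
            continue
        m = ITEM_RE.match(line)
        if not m:
            raise ValueError(f"unexpected cachedump line: {line!r}")
        items.append({
            "key": m.group("key"),
            "size": int(m.group("size")),
            "expires": int(m.group("expires")),
        })
    return items


def exposure_report(stats_text, items_text, dump_text):
    """Summarise what an unauthenticated connection could learn from the three replies."""
    stats = parse_stats(stats_text)
    items = parse_cachedump(dump_text)
    return {
        "version": stats.get("version"),
        "uptime_seconds": int(stats.get("uptime", 0)),
        "slab_ids": slab_ids_from_items(items_text),
        "keys": [item["key"] for item in items],
        "bytes_exposed": sum(item["size"] for item in items),
        # cachedump only shows part of a slab, so compare against curr_items
        # to know whether the dump covered everything the server holds.
        "dump_is_complete": str(len(items)) == stats.get("curr_items"),
    }


if __name__ == "__main__":
    report = exposure_report(SAMPLE_STATS, SAMPLE_STATS_ITEMS, SAMPLE_CACHEDUMP)
    for field, value in report.items():
        print(f"{field}: {value}")
```

The `dump_is_complete` flag exists because `stats cachedump` is a debugging command that returns only a limited window of a slab's items, so a short dump is not evidence that the cache holds little data; comparing the dumped count with `curr_items` from `stats` tells you whether the picture is complete. The fix for everything this report lists is the one the article names: bind Memcached to an internal interface, enable SASL or firewall the port.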

Dumping data using libmemcached-tools

Dumping data with this toolkit makes the work a lot easier. So, let's start by installing libmemcached-tools on our system with the following command.

Now that libmemcached-tools is installed, let's start using it by typing the following command.

The above command gives pretty much the same result as the stats command we used earlier when fetching the server statistics manually.

Now, let's get straight to dumping the keys stored on the server. Run the command given below.

As you can see in the above image, we have dumped all the keys currently present on the server.

Now, let's dump all the values stored under those keys. Run the command shown below.

The above command fetched us all the data stored under the respective keys. An attacker can also use libmemcached-tools to easily upload any malicious file to the server. Here we show an example of how to upload a file to the server.

Type the command shown below.

Here, the memccp command uploads a file named "file.txt" from the root directory of our system. Now, let's use memcat to view the content of the file we uploaded to the server.

As you can see, the above command fetched us the content of the file.

Dumping Data using Metasploit

As we all know, no exploitation is complete without using the Metasploit Framework at least once. So let's dig in and see how we can exploit Memcached using Metasploit.

Fire up the Metasploit Framework and search for Memcache.

The above image shows that there are currently 4 auxiliary modules for it in Metasploit.

We will be using auxiliary/gather/memcached_extractor to fetch the keys and the values stored under them. Run the command given below.

Once you have loaded the auxiliary module in the Metasploit Framework, just set rhost and run it. We know that Memcached stores data temporarily. The above image shows that the module fetched both the keys and the values currently present on the Memcached server and stored them in its default loot location /root/.msf4/loot/20190218044841_default_192.168.1.35_memcached.dump_286171.txt

Monitoring using Watchers

Watchers are a way to connect to Memcached and monitor all the actions being performed internally.

Now connect to Memcached using telnet and type the command shown below.

The OK line indicates that the watcher is ready to send logs.

As you can see in the above image, all the actions being performed on the server are shown here live.

Conclusion

In this article, we have learned beginner-level methods to exploit Memcached. In future articles, we will show advanced methods to exploit Memcached servers.

Stay tuned!!

Author: Benoy Naskar is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security.