go-derper

go-derper.rb is a tool for hacking memcached servers, released as part of our 2010 BlackHat USA talk. It uses elements of the memcached protocol to derive full lists of keys stored on the memcached server, and can therefore extract the contents of the cache.

It also supports basic searching of retrieved data via user-configurable regular expressions, fingerprinting of multiple caches, monitoring of cache usage, and basic cache content manipulation such as value insertion, overwrites and deletion.
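For the key-listing behaviour described above, a defender-side detection sketch over memcached verbose logs. This is an added example, not code from go-derper or its authors. It assumes the server runs with `-vv`, that received commands are logged as `<FD COMMAND`, and that key listing shows up as memcached's `stats cachedump` command (the page does not name the commands used); the log sample is constructed.

```ruby
# Added example, not part of go-derper. Assumes memcached "-vv" log lines
# of the form "<FD COMMAND" and key listing via "stats cachedump".
SAMPLE_LOG = <<~LOG # constructed sample, not captured from a real server
  <28 new auto-negotiating client connection
  28: Client using the ascii protocol
  <28 stats items
  <28 stats cachedump 1 100
  <28 stats cachedump 2 100
  <29 new auto-negotiating client connection
  <29 get user:42
  >29 END
  <28 get session:abc
  >28 sending key session:abc
  >28 END
  <28 connection closed.
  <28 new auto-negotiating client connection
  <28 get user:7
  >28 END
LOG

COMMAND_LINE = /\A<(\d+) (.+)\z/
CACHEDUMP    = /\Astats cachedump (\d+) (\d+)\z/
Finding      = Struct.new(:fd, :slabs, :max_limit, :gets_after)

# Returns one Finding per connection that dumped keys from at least
# min_slabs distinct slab classes.
def find_key_enumeration(log, min_slabs: 2)
  gen  = Hash.new(0) # fd => connection generation (fds are reused)
  seen = {}          # [fd, generation] => enumeration state
  log.each_line(chomp: true) do |line|
    m = COMMAND_LINE.match(line) or next
    fd, cmd = m[1].to_i, m[2]
    gen[fd] += 1 if cmd.start_with?("new ")
    key = [fd, gen[fd]]
    if (d = CACHEDUMP.match(cmd))
      s = (seen[key] ||= { slabs: [], limit: 0, gets: 0 })
      s[:slabs] |= [d[1].to_i]
      s[:limit] = [s[:limit], d[2].to_i].max
    elsif cmd.start_with?("get ") && seen.key?(key)
      seen[key][:gets] += 1 # reads that follow the key listing
    end
  end
  seen.select { |_, s| s[:slabs].size >= min_slabs }
      .map { |(fd, _), s| Finding.new(fd, s[:slabs].sort, s[:limit], s[:gets]) }
end

find_key_enumeration(SAMPLE_LOG).each do |f|
  puts "fd #{f.fd}: cachedump on slabs #{f.slabs} (limit #{f.max_limit}), #{f.gets_after} gets after"
end
```

The verbose log identifies clients by file descriptor rather than address, so a finding has to be correlated with connection logs or network flow data to identify the source.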

Usage

Extract contents of a cache (defaults to 10 keys per slab)

./go-derper.rb -l -s <hostname>

Extract contents of a cache, using 100 keys per slab

./go-derper.rb -l -K 100 -s <hostname>

Extract contents of a cache, using 100 keys per slab, and print out values matching the regexes found in regexs.txt

./go-derper.rb -l -K 100 -s <hostname> -R regexs.txt

Write back into the cache, the value stored at output/run5-c4ecee795335e7ef662e661974699448

./go-derper.rb -w output/run5-c4ecee795335e7ef662e661974699448

When writing values into the cache, local paths need to be resolved. Run go-derper from inside its own root.

Delete the value stored at output/run5-c4ecee795335e7ef662e661974699448

./go-derper.rb -d output/run5-c4ecee795335e7ef662e661974699448

When deleting values from the cache, local paths need to be resolved. Run go-derper from inside its own root.

Pull stats from one cache:

./go-derper.rb -s <hostname> -S

Fingerprint multiple caches:

./go-derper.rb -f <host1>,<host2>,...,<hostn>

Fingerprint multiple caches stored in a file (one per line):

./go-derper.rb -F <file>

Monitor a single cache to watch changes:

./go-derper.rb -m -s <hostname>

Pull a single key:

./go-derper.rb -k <keyid> -s <hostname>