4369 - Pentesting Erlang Port Mapper Daemon (epmd)
Basic Info
The Erlang Port Mapper Daemon (epmd) is used to coordinate distributed Erlang instances. Its job is to keep track of which node name listens on which address. Hence, epmd maps symbolic node names to machine addresses.
Default port: 4369
PORT     STATE SERVICE VERSION
4369/tcp open  epmd    Erlang Port Mapper Daemon
This is used by default on RabbitMQ and CouchDB installations.
Enumeration
Manual
echo -n -e "\x00\x01\x6e" | nc -vn <IP> 4369

#Via Erlang, Download package from here: https://www.erlang-solutions.com/resources/download.html
dpkg -i esl-erlang_23.0-1~ubuntu~xenial_amd64.deb
apt-get install erlang
erl #Once Erlang is installed this will prompt an erlang terminal
1> net_adm:names('<HOST>'). #This will return the registered node names and their listen ports
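The three bytes sent with nc above are an epmd NAMES_REQ: a 2-byte big-endian length (1) followed by the request tag 110 ('n'). The following is an added example, not part of the original page, that builds that request and parses the reply (4-byte epmd port, then one "name X at port Y" line per node) so you can audit which node names an epmd instance you operate discloses. The function names and the sample reply are constructed for illustration.

```python
import re
import socket
import struct

NAMES_REQ = 110  # 0x6e, ASCII 'n'

def build_names_req() -> bytes:
    """2-byte big-endian length prefix followed by the 1-byte request tag."""
    body = bytes([NAMES_REQ])
    return struct.pack(">H", len(body)) + body

_NODE_LINE = re.compile(r"^name (\S+) at port (\d+)$")

def parse_names_resp(data: bytes):
    """Return (epmd_port, {node_name: dist_port}) from a raw NAMES_RESP."""
    if len(data) < 4:
        raise ValueError("truncated NAMES_RESP: missing 4-byte epmd port")
    (epmd_port,) = struct.unpack(">I", data[:4])
    nodes = {}
    # The rest of the reply is text, one line per registered node.
    for line in data[4:].decode("latin-1").splitlines():
        m = _NODE_LINE.match(line.strip())
        if m:
            nodes[m.group(1)] = int(m.group(2))
    return epmd_port, nodes

def query_epmd(host: str, port: int = 4369, timeout: float = 3.0):
    """Send NAMES_REQ to an epmd instance and parse everything it returns."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_names_req())
        chunks = []
        while chunk := s.recv(4096):  # epmd closes the socket after replying
            chunks.append(chunk)
    return parse_names_resp(b"".join(chunks))

# Constructed sample reply (not captured from a real host): epmd on 4369
# reporting two registered nodes.
SAMPLE_RESP = (struct.pack(">I", 4369)
               + b"name rabbit at port 25672\n"
               + b"name couchdb at port 9100\n")

if __name__ == "__main__":
    print(build_names_req())             # same bytes as the echo/nc one-liner
    print(parse_names_resp(SAMPLE_RESP))
```

Each port in the result is the Erlang distribution listener of that node, so the output doubles as a list of ports that should be firewalled alongside 4369.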
If you can leak the authentication cookie, you will be able to execute code on the host. Usually, this cookie is located in ~/.erlang.cookie and is generated by Erlang at the first start. If it has not been modified or set manually, it is a random string of [A-Z] characters with a length of 20.