4369 - Pentesting Erlang Port Mapper Daemon (epmd)
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Basic Info
The Erlang Port Mapper Daemon (epmd) serves as a coordinator for distributed Erlang instances. It is responsible for mapping symbolic node names to machine addresses, essentially ensuring that each node name is associated with a specific address. This role of epmd is crucial for the seamless interaction and communication between different Erlang nodes across a network.
Default port: 4369
This is used by default on RabbitMQ and CouchDB installations.
Enumeration
Manual
Automatic
Erlang Cookie RCE
Remote Connection
If you can leak the Authentication cookie you will be able to execute code on the host. Usually, this cookie is located in ~/.erlang.cookie
and is generated by erlang at the first start. If not modified or set manually it is a random string [A:Z] with a length of 20 characters.
More information in https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/ The author also share a program to brutforce the cookie:
Local Connection
In this case we are going to abuse CouchDB to escalate privileges locally:
Example taken from https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution You can use Canape HTB machine to practice how to exploit this vuln.
Metasploit
Shodan
port:4369 "at port"
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Last updated