
Pentesting Finger

Overview:

PORT      STATE SERVICE   VERSION
79/tcp    open  finger    Sun Solaris fingerd
  • Finger is an exceedingly old protocol that is very rarely in use today.

  • Nmap results can show logged in users

| finger: Login       Name               TTY         Idle    When    Where\x0D
| sunny    sunny                 pts/1            Thu 14:52  10.10.14.245        \x0D

Check for logged in users

finger @10.10.10.76
No one logged on

Check for details on a user

finger [email protected]
jack                  ???
# the user above does not exist
finger [email protected]      
Login       Name               TTY         Idle    When    Where
root     Super-User            console      <Oct 14 10:28>
# a user that exists and is logged in
finger [email protected]
Login       Name               TTY         Idle    When    Where
ikeuser  IKE Admin                          < .  .  .  . >
# a user that exists but is not logged in

Bruteforce Users

If finger returns no logged-in users, we can try to brute force usernames. We'll use the finger-user-enum.pl script from pentestmonkey.
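On the defending side, the brute force described above shows up as one source sending many distinct usernames to 79/tcp in a short time. The following is an added example, not code from this page or from pentestmonkey, that flags that pattern. The record layout, the sample data, the threshold and the window are assumptions.

```python
from collections import defaultdict

# Constructed sample: (epoch seconds, source IP, raw finger request payload).
# The record layout is an assumption, e.g. what a sensor on 79/tcp might export.
SAMPLE = [
    (1000, "10.10.14.245", b"\r\n"),         # empty line = list logged-in users
    (1001, "10.10.14.245", b"root\r\n"),
    (1002, "10.10.14.245", b"admin\r\n"),
    (1003, "10.10.14.245", b"/W jack\r\n"),  # verbose form of a user query
    (1004, "10.10.14.245", b"ikeuser\r\n"),
    (1005, "10.10.14.245", b"sunny\r\n"),
    (1010, "10.10.14.7", b"sunny\r\n"),
    (1500, "10.10.14.7", b"sunny\r\n"),      # same name repeated, not a sweep
]

def parse_query(payload):
    """Return the username in an RFC 1288 query line, or None for a list query."""
    line = payload.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    if line.upper().startswith("/W"):
        line = line[2:].strip()
    user = line.split("@", 1)[0]  # drop any @host forwarding suffix
    return user or None

def find_enumerators(records, max_users=3, window=60):
    """Sources querying more than max_users distinct names within window seconds."""
    seen = defaultdict(list)  # src -> [(ts, user)]
    flagged = {}
    for ts, src, payload in sorted(records):
        user = parse_query(payload)
        if user is None:
            continue
        seen[src].append((ts, user))
        # keep only the queries inside the sliding window ending at ts
        seen[src] = [(t, u) for t, u in seen[src] if ts - t <= window]
        distinct = {u for _, u in seen[src]}
        if len(distinct) > max_users:
            flagged[src] = sorted(distinct | set(flagged.get(src, [])))
    return flagged

if __name__ == "__main__":
    for src, users in find_enumerators(SAMPLE).items():
        print(f"{src}: {len(users)} distinct usernames queried: {users}")
```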

Finger for File Transfers

While working on this post, I was checking out GTFOBins, and their page on finger shows how it can be used for file transfer. For example, to exfil the password file from Sunday, with the listener started locally:

You can upload files to a target machine as well:
