VK9 Security

79/tcp finger – Enumeration

by | Feb 15, 2020 | Active Gathering

Finger is primarily used to enumerate user information on the target system. It can also find out detailed information (if exists) such as full name, email address, phone number etc. of all its users.

Nmap result

finger-user-enum

finger-user-enum is a script used to enumerate users

https://github.com/pentestmonkey/finger-user-enum

Username guessing tool primarily for use against the default Solaris finger service.

Installation

  • git clone https://github.com/pentestmonkey/finger-user-enum.git
  • ls -l finger-user-enum

Using finger-user-enum

1. Displaying help

  • perl finger-user-enum.pl -h

2. enumerate a single user

-u = user

-t = host IP

  • perl finger-user-enum.pl -u root -t 10.10.10.76

We can see output of root user, it means the user exists (1 result). On the other hand, the screenshot below would show (0 results).

  • perl finger-user-enum.pl -u vry4n -t 10.10.10.76

3. Enumerate users using a list

  • perl finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 10.10.10.76

4. Using a list of IPs

  • perl finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -T IP_list.txt

5. Using another port than default 79

  • perl finger-user-enum.pl -p 8000 -U /usr/share/seclists/Usernames/Names/names.txt -t 10.10.10.76

6. Showing detailed output

  • perl finger-user-enum.pl -d -u root -t 10.10.10.76

Metasploit

1. Metasploit has a module for finger scan (auxiliary/scanner/finger/finger_users)

  • use auxiliary/scanner/finger/finger_users
  • show options
  • set RHOSTS 10.10.10.76
  • set USERS_FILE /usr/share/seclists/Usernames/Names/names.txt
  • exploit

Using finger

Finger is a tool used to enumerate users using port 79. Finger may be used to look up users on a remote machine. The format is to specify a user as “user@host”, or “@host”

1. Display man page for help

  • man finger

2. enumerate a known user. In this case root

  • finger -s root@10.10.10.76

3. Show the home directory of the user

  • finger -sl root@10.10.10.76

4. Preventing the -l option from displaying the contents of the “.plan”, “.project” and “.pgpkey” files.

  • finger -slp sammy@10.10.10.76