Finger is primarily used to enumerate user information on the target system. Where the information exists, it can also reveal details about each user, such as full name, email address and phone number.

Nmap result


finger-user-enum is a script used to enumerate users

Username guessing tool primarily for use against the default Solaris finger service.


  • git clone
  • ls -l finger-user-enum

Using finger-user-enum

1. Displaying help

  • perl -h

2. Enumerate a single user

-u = user

-t = host IP

  • perl -u root -t

The output for the root user shows 1 result, which means the user exists. A user that does not exist, as in the following query, shows 0 results.

  • perl -u vry4n -t

3. Enumerate users using a list

  • perl -U /usr/share/seclists/Usernames/Names/names.txt -t

4. Using a list of IPs

  • perl -U /usr/share/seclists/Usernames/Names/names.txt -T IP_list.txt

5. Using a port other than the default 79

  • perl -p 8000 -U /usr/share/seclists/Usernames/Names/names.txt -t

6. Showing detailed output

  • perl -d -u root -t


1. Metasploit has a module for finger scan (auxiliary/scanner/finger/finger_users)

  • use auxiliary/scanner/finger/finger_users
  • show options
  • set RHOSTS
  • set USERS_FILE /usr/share/seclists/Usernames/Names/names.txt
  • exploit

Using finger

Finger is a tool used to enumerate users over port 79. It can look up users on a remote machine. The format is to specify a user as “user@host”, or “@host”.

1. Display man page for help

  • man finger

2. Enumerate a known user, in this case root

  • finger -s root@

3. Show the home directory of the user

  • finger -sl root@

4. Preventing the -l option from displaying the contents of the “.plan”, “.project” and “.pgpkey” files.

  • finger -slp sammy@
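
From the defender's side, the wordlist runs above (the -U option and the Metasploit USERS_FILE setting) show up as one source querying many distinct usernames in a short time. The following added example, which is not part of the original page, flags that pattern in finger query logs; the log line format, the threshold and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log format: ISO timestamp, host, daemon tag, source, queried name.
# Adapt the regex to whatever your finger daemon or TCP wrapper actually logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ fingerd\[\d+\]: query from (?P<src>\S+) user=(?P<user>\S*)$"
)

# Constructed sample log lines, not taken from a real system.
SAMPLE_LOG = """\
2024-03-03T08:00:00 sol10 fingerd[2101]: query from 10.0.0.7 user=root
2024-03-03T09:00:00 sol10 fingerd[2188]: query from 10.0.0.7 user=sammy
2024-03-03T09:30:00 sol10 fingerd[2201]: query from 10.0.0.9 user=sammy
2024-03-03T10:00:00 sol10 fingerd[2290]: query from 10.0.0.7 user=alice
2024-03-03T10:15:01 sol10 fingerd[2311]: query from 10.0.0.5 user=root
2024-03-03T10:15:01 sol10 fingerd[2312]: query from 10.0.0.5 user=admin
2024-03-03T10:15:02 sol10 fingerd[2313]: query from 10.0.0.5 user=adam
2024-03-03T10:15:02 sol10 fingerd[2314]: query from 10.0.0.5 user=alice
2024-03-03T10:15:03 sol10 fingerd[2315]: query from 10.0.0.5 user=bob
2024-03-03T11:00:00 sol10 fingerd[2400]: query from 10.0.0.7 user=bob
"""

def detect_enumeration(log_text, max_users=3, window=timedelta(seconds=60)):
    """Return {source: sorted usernames} for every source that queried more
    than max_users distinct usernames inside any sliding time window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not match the assumed format are ignored
            events[m["src"]].append((datetime.fromisoformat(m["ts"]), m["user"]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {user for _, user in evs[start:end + 1]}
            if len(users) > max_users:
                flagged.setdefault(src, set()).update(users)
    return {src: sorted(users) for src, users in flagged.items()}

if __name__ == "__main__":
    for src, users in detect_enumeration(SAMPLE_LOG).items():
        print(f"{src}: {len(users)} distinct usernames queried: {', '.join(users)}")
```

With the defaults, only the burst from 10.0.0.5 is reported; the slow queries from 10.0.0.7 are caught only if the window is widened, which is the trade-off to tune against normal finger use on the network.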