I am going to discuss a way to enumerate users of target system where Finger Protocol enables. but first, it’s better to understand what is finger protocol and how its work. In this post, ill Explain some theory behind Finger Service and protocol after that we’ll cover main enumeration part.
Let’s Get Started,
- Finger Service
- Explain Finger Protocol
- Tools for Emunration Finger.
- finger command
- Metasploit Module
The finger daemon runs on TCP port 79. The client will (in the case of remote hosts) open a connection to port 79. An RUIP (Remote User Information Program) is started on the remote end of the connection to process the request. The local host sends the RUIP one line query based upon the Finger query specification and waits for the RUIP to respond. The RUIP receives and processes the query, returns an answer, then initiates the close of the connection. The local host receives the answer and the close signal, then proceeds closing its end of the connection.
Explain Finger Protocol
The Finger protocol is based on Request for Comments document RFC 742 as an interface to the name and finger programs that provide status reports on a particular computer system or a particular person at network sites. The finger program was written in 1971 by Les Earnest who created the program to solve the need of users who wanted information on other users of the network. Information on who is logged-in was useful to check the availability of a person to meet. This was probably the earliest form of presence information for remote network users.
read more on Wikipedia: https://en.wikipedia.org/wiki/Finger_protocol
Enumeration on Finger Demon.
In Kali Linux have found a finger command which is useful for identifying a user on target finger server.
Find Logged in users on target.
the above command show u which user is currently logged in to a target system.
if there is no user logged in this will show no username.
Check User is existed or not.
now lets check a user on the target system.
if user is found it will show like this
as we know the default username of super admin is root in Unix system Silvia is a user on the target system.
if the username is not found it will show like below.
The finger command is very useful for checking users on target but it’s painful if we brute-force for a username.
here i explain something cool utills which is do bruteforce for you. 🙂 😉
fire up your msfconsole and use scanner/finger/finger_users module .
msf > use auxiliary/scanner/finger/finger_users msf auxiliary(scanner/finger/finger_users) > set rhosts 10.22.1.11 msf auxiliary(scanner/finger/finger_users) > set users_file /tmp/rockyou-top1000.txt msf auxiliary(scanner/finger/finger_users) > run
this will show like this.
cd /tmp/ wget http://pentestmonkey.net/tools/finger-user-enum/finger-user-enum-1.0.tar.gz tar -xvf finger-user-enum-1.0.tar.gz cd finger-user-enum-1.0 perl finger-user-enum.pl -t 10.22.1.11 -U /tmp/rockyou-top1000.txt
If you found this is useful for u and any suggestions, complaint and feedback please comment below.