Finger - Port 79
The Finger protocol is designed to provide details about users on a system. This includes information such as login names, full names, office locations, phone numbers, idle times, last mail read, and content of user project files. Despite its legitimate use, it’s a high-value target for attackers due to its unauthenticated access and support for remote queries.
Default Port: 79
The service’s exposure to user enumeration and, in some implementations, command injection makes it dangerous when exposed to the public internet or used without appropriate security measures.
Identify if the Finger protocol is running and gather system and user information through simple banner grabbing or finger @target requests.
Use finger-user-enum.pl, Nmap, or Metasploit to enumerate user accounts on the system, including service accounts and administrative users.
If vulnerable, inject system commands using the Finger protocol to execute code remotely. Combine this with Metasploit for reverse shell payloads or custom scripts for command execution.
Lateral Movement (Finger Bounce)
Use the Finger bounce attack to pivot between systems, moving from the external-facing machine to internal, protected machines.
Post-Exploitation (System Access and Persistence)
Once inside, attackers can escalate privileges and establish persistence, such as modifying .bashrc files or uploading backdoors using file-transfer utilities (e.g., SCP).
Banner grabbing is the first step to identify if the Finger service is running and what version is in use. By connecting to the port and sending specific queries, you can glean information about the users and potentially vulnerable system details.
What to Look For:
Operating system versions.
Finger daemon versions (older or custom versions could be susceptible to additional vulnerabilities, such as remote command execution).
User enumeration is one of the most common techniques to exploit the Finger protocol. You can attempt to gather information about system users, which can then be leveraged in brute-force password attacks, social engineering, or privilege escalation.
PentestMonkey’s finger-user-enum.pl: A powerful Perl-based enumeration tool that can test multiple users and targets at once.
Metasploit’s Finger Enumeration Module:
Nmap’s finger script:
Advanced hackers can exploit weaknesses in some Finger service implementations that allow command injection. This vulnerability allows you to execute system commands by crafting specific requests to the Finger service.
If the Finger service allows piping to system commands (due to poor input sanitization), you can run arbitrary commands on the victim machine.
Metasploit Module (Custom Payloads): An attacker could modify the auxiliary/scanner/finger/finger_users module to include shell injection payloads, exploiting the command execution vulnerability in real time.
The Finger bounce attack is an interesting lateral movement technique that involves using the Finger service on one host to query another host. In this case, you can pivot from a compromised system to target an internal machine behind a firewall, leveraging the compromised host as a relay for the Finger query.
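The three abuse patterns described above (user enumeration, command injection, and the bounce) each leave a recognizable shape in the request line a Finger daemon receives. The following is an added detection example, not part of the original page: it classifies request lines against the RFC 1288 query grammar and flags sources that enumerate, send shell metacharacters, or ask for forwarding. The event format, the threshold, and all names and addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# RFC 1288 request line: optional "/W", optional username, optional "@host" chain.
QUERY_RE = re.compile(r"^(?:/W\s*)?(?P<user>[^@\s]*)(?P<hosts>(?:@[^@\s]+)*)$")
# Characters that are never part of a legitimate username or hostname.
SHELL_META = re.compile(r"[|;&`$<>(){}\\\n]")

def classify(query):
    """Return (kind, username) for one request line received on port 79."""
    q = query.rstrip("\r\n")
    if SHELL_META.search(q):
        return ("metachar", "")        # possible command-injection attempt
    m = QUERY_RE.match(q.strip())
    if m is None:
        return ("malformed", "")
    if m.group("hosts"):
        return ("forward", m.group("user"))   # relay request (finger bounce)
    user = m.group("user").lower()
    return ("user_lookup", user) if user else ("list_all", "")

def review(events, enum_threshold=3):
    """events: iterable of (source_ip, query). Returns {source_ip: [alerts]}."""
    alerts, names = defaultdict(set), defaultdict(set)
    for src, query in events:
        kind, user = classify(query)
        if kind in ("metachar", "forward", "malformed"):
            alerts[src].add(kind)
        elif kind == "user_lookup":
            names[src].add(user)
            if len(names[src]) >= enum_threshold:
                alerts[src].add("enumeration")
    return {src: sorted(kinds) for src, kinds in alerts.items()}

# Constructed sample events (documentation addresses, made-up usernames).
SAMPLE = [
    ("192.0.2.10", "alice\r\n"),
    ("192.0.2.10", "/W bob\r\n"),
    ("192.0.2.10", "carol\r\n"),
    ("198.51.100.7", "dave@internal.example\r\n"),
    ("198.51.100.7", "erin;placeholder\r\n"),
    ("203.0.113.5", "\r\n"),
]

if __name__ == "__main__":
    for src, kinds in review(SAMPLE).items():
        print(src, kinds)
```

A daemon that has no business relaying queries should reject every "forward" request outright, and any "metachar" hit is worth investigating regardless of volume.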
Access to Plan Files: Finger sometimes provides access to user-specific plan and project files, which might include sensitive information such as project timelines, confidential documents, or even credentials.
CVE-1999-0601: Finger service is enabled, allowing remote users to enumerate valid users on the system, exposing the system to brute force or privilege escalation attacks.