Information

Default Port: 79

PORT   STATE SERVICE
79/tcp open  finger

Enumeration

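nmap -p79 -sS 192.168.1.2                        # SYN scan of the finger port
nmap -p79 -sVC 192.168.1.2                       # version detection + default scripts

nc -vn 192.168.1.2 79                            # raw connection to the service
timeout 0.1 bash -c "nc -nv 192.168.1.2 79"      # same, closed after 0.1 s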

User Enumeration

Manual

Online User

finger root@192.168.1.2                     # ipv4
finger root@fe80::a00:27ff:fe6e:3b9         # ipv6

nmap -p79 --script="finger" 192.168.1.2     # NSE finger script: lists users via the finger service

Offline User

finger root@192.168.1.2
echo root | timeout 0.5 bash -c "nc -nv 192.168.1.2 79"
(echo root; sleep 0.5) | telnet 192.168.1.2 79

User Found

finger root@192.168.1.2

Login: root                             Name: root
Directory: /root                        Shell: /bin/bash
Last login Tue Jan 21 07:14 (CET) on tty1
No mail.
No Plan.

User Not Found

finger roott@192.168.1.2

finger: roott: no such user.

User Brute Force

bash

for users in $(cat usernames.dic); do echo $users | timeout 2 bash -c 'nc -vn 192.168.1.2 79 2>/dev/null'; done | grep "Login"
for users in $(cat usernames.dic); do echo $users | timeout 2 bash -c 'nc -vn 192.168.1.2 79 2>/dev/null'; done | grep "Login" | awk '{print $2}'

finger-user-enum

Download

wget -q "https://raw.githubusercontent.com/pentestmonkey/finger-user-enum/refs/heads/master/finger-user-enum.pl"

Requirements

perl -MCPAN -e shell
cpan> install Getopt::Std

Usage

./finger-user-enum.pl -U usernames.dic -t 192.168.1.2
./finger-user-enum.pl -U usernames.dic -t 192.168.1.2 | grep -v "no such user"

Metasploit

use auxiliary/scanner/finger/finger_users
set RHOSTS 192.168.1.2
set THREADS 10
set USERS_FILE usernames.dic
run
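
Detection

The wordlist-driven lookups under User Brute Force show up on the server as one source asking for many different usernames in a short time, most of them answered with "no such user". The script below is an added example, not part of the original page or of any tool named on it; the log format, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: spot finger user enumeration in a query log.
# Assumed, hypothetical log format, one finger query per line:
#   <epoch_seconds> <source_ip> <queried_user> <hit|miss>
# "miss" stands for the "no such user" reply.

# Constructed sample: one source walking a wordlist, one ordinary client.
sample_log() {
  cat <<'EOF'
1737440000 192.168.1.50 admin miss
1737440001 192.168.1.50 root hit
1737440001 192.168.1.50 oracle miss
1737440002 192.168.1.50 test miss
1737440003 192.168.1.50 backup miss
1737440004 192.168.1.50 guest miss
1737440100 192.168.1.7 alice hit
1737440900 192.168.1.7 alice hit
EOF
}

# detect_finger_enum MIN_USERS WINDOW_SECONDS   (log on stdin)
# Splits time into fixed WINDOW_SECONDS buckets and prints
# "<source_ip> <distinct_users> <misses>" for every source/bucket pair that
# queried at least MIN_USERS distinct usernames. A burst that straddles a
# bucket boundary is counted in two buckets, so keep MIN_USERS modest.
detect_finger_enum() {
  awk -v min="$1" -v win="$2" '
    NF == 4 {
      key = $2 " " int($1 / win)                 # source + time bucket
      if (!((key, $3) in seen)) { seen[key, $3] = 1; users[key]++ }
      if ($4 == "miss") misses[key]++
    }
    END {
      for (key in users)
        if (users[key] >= min) {
          split(key, part, " ")
          print part[1], users[key], misses[key] + 0
        }
    }' | sort
}

# Flag sources that asked for 5 or more distinct users within one minute.
sample_log | detect_finger_enum 5 60
```

If the service is not needed, disabling it and filtering port 79 removes the exposure entirely; the check above is for hosts where finger has to stay reachable.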