Hacktricks-skills ident-pentesting

Pentest the Ident Protocol (port 113) to enumerate usernames associated with TCP connections. Use this skill whenever you need to identify users running services on a target, enumerate usernames for password attacks, or assess if a target has identd running. Trigger for any pentesting task involving port 113, user enumeration, connection ownership discovery, or when you want to build username lists for further attacks.

Install (clone the upstream repo):
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/113-pentesting-ident/SKILL.MD

Ident Protocol Pentesting

Overview

The Ident Protocol (port 113) associates TCP connections with specific users. Originally designed for network management and security, it can inadvertently reveal usernames during security assessments.

Default port: 113/tcp

When to Use This Skill

Use this skill when:

  • Port 113 is open during your reconnaissance
  • You need to enumerate usernames on a target system
  • You want to identify which user owns specific service connections
  • You're building a username list for password attacks
  • You're assessing if identd is running and what information it reveals
  • You see ident or auth in nmap output

Enumeration Methods

1. Manual Connection

Connect directly to port 113 to query user information:

nc -v {target_ip} 113

When connected:

  • Press Enter to see if the service responds with any information
  • Query specific connections:
    {client_ip},{client_port},{server_ip},{server_port}

Example:

root@kali:~# nc -v 192.168.1.100 113
Connection to 192.168.1.100 113 port [tcp/ident] succeeded!

2. Nmap Scanning

Nmap's default scripts identify users on open ports:

nmap -sC {target_ip}

Look for auth-owners output, which shows the user owning each service:

Example output:

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.3p2 Debian 9
|_auth-owners: root
113/tcp open  ident
|_auth-owners: identd
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X
|_auth-owners: root
445/tcp open  netbios-ssn Samba smbd 3.0.24
|_auth-owners: root

3. ident-user-enum Tool

This specialized Perl script queries the ident service about multiple ports:

Install:

apt install ident-user-enum

Usage:

ident-user-enum {target_ip} {port1} {port2} {port3}

Example:

ident-user-enum 192.168.1.100 22 113 139 445

Output format:

192.168.1.100:22  root
192.168.1.100:113 identd
192.168.1.100:139 root
192.168.1.100:445 root
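
Added example (not part of the original skill or of either tool): a Python parser that turns the nmap auth-owners output and the ident-user-enum output shown above into a port-to-owner map and lists the root-owned services for the report. The sample inputs are copied from this page's example outputs; the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample inputs, copied from the example outputs on this page.
NMAP_SAMPLE = """\
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.3p2 Debian 9
|_auth-owners: root
113/tcp open  ident
|_auth-owners: identd
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X
|_auth-owners: root
445/tcp open  netbios-ssn Samba smbd 3.0.24
|_auth-owners: root
"""
ENUM_SAMPLE = """\
192.168.1.100:22  root
192.168.1.100:113 identd
192.168.1.100:139 root
192.168.1.100:445 root
"""

PORT_LINE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")        # nmap port row
OWNER_LINE = re.compile(r"^\|_?\s*auth-owners:\s*(\S+)")    # nmap script row
ENUM_LINE = re.compile(r"^\S+:(\d+)\s+(\S+)\s*$")           # host:port user

def parse_owners(text):
    """Return {port: owner} from either output format (hypothetical helper)."""
    owners, current_port = {}, None
    for line in text.splitlines():
        if m := PORT_LINE.match(line):
            current_port = int(m.group(1))   # owner row follows its port row
        elif (m := OWNER_LINE.match(line)) and current_port is not None:
            owners[current_port] = m.group(1)
        elif m := ENUM_LINE.match(line):
            owners[int(m.group(1))] = m.group(2)
    return owners

def findings(owners):
    """Group ports by owning account and list the root-owned ones."""
    by_user = defaultdict(list)
    for port, user in sorted(owners.items()):
        by_user[user].append(port)
    return {"by_user": dict(by_user), "root_owned": by_user.get("root", [])}

if __name__ == "__main__":
    for name, sample in (("nmap", NMAP_SAMPLE), ("ident-user-enum", ENUM_SAMPLE)):
        print(name, findings(parse_owners(sample)))
```

Network-facing services that report root as owner are worth recording as a hardening finding alongside the identd exposure itself.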

Recommended Workflow

Step 1: Check if port 113 is open

nmap -p 113 {target_ip}

Step 2: Run enumeration

Choose based on your needs:

  • Quick check:
    nmap -sC -p 113,22,445 {target_ip}
  • Detailed enumeration:
    ident-user-enum {target_ip} 22 23 113 139 445 3306 5432
  • Manual verification:
    nc -v {target_ip} 113

Step 3: Document findings

Record:

  • Usernames discovered
  • Which ports/services they own
  • Add to your password attack wordlists

Step 4: Assess security implications

  • If identd is running, it may leak user information
  • Consider recommending disabling identd for security
  • Use discovered usernames for further attacks

Example Scenarios

Scenario 1: Quick Reconnaissance

nmap -sC -p 113,22,445 192.168.1.100

Scenario 2: Detailed User Enumeration

ident-user-enum 192.168.1.100 22 23 113 139 445 3306 5432

Scenario 3: Manual Verification

nc -v 192.168.1.100 113
# Press Enter or send query

Integration with Other Attacks

Use discovered usernames for:

  • Password spraying attacks - Test common passwords against discovered usernames
  • Brute force attempts - SSH, FTP, SMB authentication
  • Social engineering research - Build profiles of target users
  • Account enumeration - Check if usernames exist on other services

Common Errors and Responses

Error               Meaning                             Action
Connection refused  identd not running                  Try other enumeration methods
Timeout             Firewall blocking port 113          Skip ident, use other tools
No response         Service running but not configured  Try manual connection
Empty output        Service responds but no data        Check nmap auth-owners instead

Security Considerations

For defenders:

  • Privacy risk: Ident can reveal user information to unauthorized parties
  • Modern practice: Many systems disable identd due to privacy concerns
  • Recommendation: Disable identd on production systems
  • Encryption: Use encrypted connections to protect user data

For pentesters:

  • Ident is often disabled on modern systems
  • When running, it's a valuable information source
  • Combine with other enumeration for complete picture

Files to Check

If you gain access, check:

  • /etc/identd.conf - Ident daemon configuration
  • /etc/default/identd - Service settings
