Giving the Finger to port 79 / Simple Finger Daemon Tutorial by Paris2K



Table of Contents
<================>

1.1 Disclaimer
1.2 An Introduction to Finger
1.3 Using Finger
1.4 Finger Tricks
1.5 Finger Bounce Attack
1.6 Conclusion
1.7 Afterword


1.1 Disclaimer:
<=============>

In no way does the author of this tutorial encourage any sort of illegal
activity. This tutorial's only purpose is to inform and teach about the
Finger Daemon and its known vulnerabilities. The author cannot be held
responsible for anything you do with the knowledge in this tutorial.
Be a true hacker: learn, and help others learn.


1.2 An Introduction to Finger
<===========================>

The Finger Daemon is a service that normally listens on TCP port 79. It
was originally intended as a sort of digital business card: a remote user
sends a request to the Finger Daemon running on a system and gets a reply.
Without a user name in the request, the reply tells you who is logged in
to the system right now; with a user name, it gives you contact
information about that account (real name, office and phone, home
directory and shell, last login, whether there is unread mail, and the
contents of the user's .plan and .project files if he has any). Besides
user info, the reply often also tells you who the admin of the system is
and how he can be reached.

People used to connect to all sorts of systems all around the world, and
Finger gave them a bit more information about whose system they were on
and who had accounts there. Finger has always been used primarily at
universities, but at large corporations too. Back in the day Finger was
so common at universities that students who were asked for contact info
by other students would often reply "Finger me!" Since the world wide web
came along, however, Finger has become less and less popular: we now have
websites to serve as our digital business cards, and people have noticed
that with so many security threats these days it just isn't a good idea,
nor worth the trouble, to run a Finger Daemon. Not everybody has come to
this conclusion though, and you will still find a lot of systems out
there running the Finger service. Meanwhile everybody with a personal
computer seems to be running portscans and trying to break into
systems...without any of the basic knowledge required. The Finger Daemon
is a great example of a service that hands out a large amount of
sensitive information about a target to anyone who simply asks for it.
So in this tutorial I will try to explain, in understandable language,
what the Finger Daemon is, what it does and how it can be used to your
advantage.


1.3 Using Finger
<==============>

When you run a portscan of www.foobar.com and find that port 79 is open /
listening, www.foobar.com most likely has a Finger Daemon running. Now how
do we make a request? The protocol is trivial: the client opens a TCP
connection to port 79, sends one line of text (the query, terminated by
CRLF), and the daemon sends the answer back as plain text and closes the
connection. That means any telnet client will do. On Windows (which ships
a finger.exe from NT onwards, but telnet is always there) you would
telnet to the finger server like this:

telnet www.foobar.com 79

and then type the query you want to issue and press Enter. From a *nix
shell we don't need telnet, because we almost always have a finger client
installed and can just type the commands. From here on I will assume you
are using a *nix shell. If you use Windows / telnet, type the same query
as in *nix but leave out the word "finger" and the "@host.com" part, so
"finger .@foobar.com" becomes just "." typed into the telnet session to
port 79 of the right host (without the quotes). Pressing Enter on an
empty line asks for the list of logged-in users.

So we want to finger www.foobar.com. This is how we do it (note the
space: "finger" is the command and "@foobar.com" is its argument):

finger @foobar.com

Results:

Login     Name       Tty      Idle  When       Where

root      foobar sys console  17d   Tue 10:13  node0ls3.foobar.com
Amos      Amanda     <......> <...> <........> <..................>
Anderson  Kenneth
Bright    Adrian
Doe       John
Johnson   Peter      <......> <...> <........> <..................>
Mitnick   Kevin
Munson    Greg
Orwell    Dennis

Now what does this tell us? The first column is the login name and the
second the "real name", which of course doesn't always have to be a real
name, but most of the time is. The third column (Tty) is the terminal the
user is logged in on, the fourth how long that terminal has been idle,
and after that come the time the user logged in and the host he logged
in from. With a single-user query, or with the long format ("finger -l"
from a *nix client, "/W user" typed into telnet), you usually get more:
office, phone number, home directory, login shell, last login, unread
mail, and the user's .plan and .project files.

If you would like more information on a specific user (Peter Johnson,
for example) you would now enter the command:

finger johnson@foobar.com

1.4 Finger Tricks
<===============>

I hope by now you have seen what the main and huge weakness of Finger is.
For those of you who haven't, I will explain. The finger daemon shows you
what accounts exist on a system. That means you have gained, without
breaking anything, 50% of that magical username/password combination
that gives access to a system. Once you have the usernames, the next step
would be to load up a (perl) bruteforce or wordlist password cracker.
There are special scripts written for telnet, for example (check out
http://www.thehackerschoice.com/ or search for VLAD's pwscan.pl). Start
with a wordlist of passwords that are the same or almost the same as the
usernames, and if that doesn't work, start the bruteforce script, get
some coffee, sit back and relax till the script has done the work for
you. Keep in mind that every guess is a failed login in the target's
logs, and that a system with account lockout will lock the account long
before a bruteforce gets anywhere.

Of course we find some accounts on a system more interesting than
others: mainly the root or admin account because of their special
privileges, and of course any other account that we think might have an
easy to guess / crack password. There are a few nice tricks to find just
these kinds of accounts. For example type in the command:

finger secret@foobar.com

The Finger Daemon will now give you every account whose login name is
"secret" or whose real name contains the word "secret" (the usual BSD
daemon compares case-insensitively against the login name and against
each whole word of the real-name field, not against substrings). What's
so special about that? Well, you could use "test" or "temp" or "0000"
instead of "secret", and as you probably know these kinds of accounts
very often have rather easy passwords: passwords that are the same as
the username, or almost the same (test0, test1, etc). Note that this
lookup works whether or not the account is logged in, so it finds
accounts that the plain "finger @foobar.com" listing never shows.

finger .@foobar.com

finger 0@foobar.com

Try them and see what happens! On some daemons (Solaris' in.fingerd is
the best known case) these odd queries match every entry in the password
file and dump the complete account list. Try to get to know the finger
daemon, read the RFC (RFC 1288) and find your own tricks!
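The exchange described in 1.3 and the name-matching trick from 1.4, as a runnable example. This is an added example and not the tutorial author's code: it starts a toy finger daemon on a localhost port and queries it with a minimal client that sends exactly the CRLF-terminated line you would type into telnet. The account table (root, johnson, amos, test, tmp01) is constructed for the demo, and the refusal text the toy daemon returns for queries containing "@" is my own wording, not what any particular fingerd prints.

```python
"""Toy RFC 1288 finger client and daemon, talking over localhost.
Added example for this tutorial (not the author's code). ACCOUNTS is a
constructed table; the daemon mimics two behaviours the text relies on:
an empty query lists logged-in users only, and a name query matches the
login name or any whole word of the real name, logged in or not."""
import socket
import threading

# Constructed sample accounts: (login, real name, tty or None if not logged in)
ACCOUNTS = [
    ("root", "System Administrator", "console"),
    ("johnson", "Peter Johnson", "pts/3"),
    ("amos", "Amanda Amos", None),
    ("test", "Test Account", None),
    ("tmp01", "Temp Guest", None),
]

def build_query(user="", verbose=False):
    """Client {Q1} line: optional '/W ' flag, optional user name, then CRLF."""
    return (("/W " if verbose else "") + user + "\r\n").encode("ascii")

def match_accounts(name, accounts=ACCOUNTS):
    """fingerd-style lookup: exact login name, or any whole word of the
    real name, case-insensitive (a substring like 'tes' matches nothing)."""
    want = name.lower()
    return [a for a in accounts
            if a[0].lower() == want or want in a[1].lower().split()]

def answer(query, accounts=ACCOUNTS):
    """Daemon side: turn one received query line into the reply text."""
    q = query.strip()
    if q.startswith("/W"):
        q = q[2:].strip()              # verbose flag; same columns in this toy
    if "@" in q:
        # A {Q2} forwarding request. RFC 1288 says to refuse these unless
        # forwarding was deliberately enabled, so the toy refuses.
        return "Finger forwarding service denied\r\n"
    rows = ([a for a in accounts if a[2] is not None] if q == ""
            else match_accounts(q, accounts))
    if not rows:
        return "Login name: %s\t\t\tIn real life: ???\r\n" % q
    lines = ["Login     Name                   Tty"]
    for login, real, tty in rows:
        lines.append("%-9s %-22s %s" % (login, real, tty or "*"))
    return "\r\n".join(lines) + "\r\n"

def serve_one(listener):
    """Accept one connection, read one CRLF-terminated line, reply, close."""
    conn, _ = listener.accept()
    with conn:
        data = b""
        while not data.endswith(b"\r\n") and len(data) < 512:
            chunk = conn.recv(64)
            if not chunk:
                break
            data += chunk
        conn.sendall(answer(data.decode("ascii", "replace")).encode("ascii"))

def finger(host, port, user="", verbose=False, timeout=5.0):
    """Client side: connect, send the query line, read until the daemon
    closes the connection (that close is how finger marks end of reply)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_query(user, verbose))
        buf = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode("ascii", "replace")

def harvest_logins(reply):
    """Pull the Login column out of a listing: the half of the
    username/password pair the tutorial talks about."""
    return [line.split()[0] for line in reply.splitlines()[1:] if line.strip()]

def run_demo(queries=("", "test", "temp", "@victim.example@host.example")):
    """Start the toy daemon on an ephemeral localhost port, send each query
    on its own connection and return {query: reply}."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]
    results = {}
    for q in queries:
        t = threading.Thread(target=serve_one, args=(listener,))
        t.start()
        results[q] = finger("127.0.0.1", port, q)
        t.join()
    listener.close()
    return results

if __name__ == "__main__":
    for q, reply in run_demo().items():
        print("finger %r ->\n%s" % (q, reply))
```

Compare the empty query (root and johnson, the logged-in users) with "temp": it returns tmp01, who is not logged in, because "Temp" is a word of the real name. Against a real host you would point finger() at its address and port 79; the line it sends is the same one you type into telnet.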


1.5 Finger Bounce Attack
<======================>

It is also possible to hop from one Finger Daemon to the other. The RFC
calls this a forwarded query: the query line you send may itself contain
"@host", and a daemon that allows forwarding opens its own finger
connection to that host and hands you the result. Your finger client
always connects to the LAST host in the chain and sends everything in
front of it as the query. So if I want to finger "www.victim.com" and
know that "www.host.com" has Finger running as well, I make a request
like this:

finger @victim.com@host.com

My client connects to host.com and sends it "@victim.com"; host.com then
fingers victim.com and shows me the results. (Written the other way
round, "finger @host.com@victim.com", my machine would connect to
victim.com and ask it to forward to host.com, the opposite of what we
want.) One advantage is that I am now rather anonymous towards the
victim: if www.victim.com logs requests, they will see www.host.com in
their logs and not me. host.com, of course, still has my address in its
logs. A second advantage is that I can let a trusted host finger another
computer on the same network when that computer would not allow an
incoming finger request from me directly. In practice most daemons
refuse forwarded queries: RFC 1288 warns that forwarding is a security
risk and tells implementers to make it refusable, and the common
implementations refuse it unless the admin turns it on. A reply telling
you that forwarding is denied means this host won't bounce for you.
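Who connects to whom in a forwarded query, worked out in code. This is an added example and not part of the original tutorial; the hostnames are placeholders. It applies the one rule a finger client uses (the last "@host" is the machine to connect to, everything before it is sent verbatim) and then applies the same rule again for each daemon that agrees to forward, which is how the chain gets resolved from right to left.

```python
"""Who talks to whom in an RFC 1288 forwarded ({Q2}) finger query.
Added example, not part of the original tutorial; hostnames are
placeholders. A finger client takes the LAST '@host' of its argument as
the machine to connect to and sends everything in front of it verbatim.
A daemon that agrees to forward applies the very same rule to the line
it received, so the chain is resolved from right to left."""

def split_last_hop(query):
    """Return (host_to_connect_to, text_to_send_it) for one finger argument."""
    if "@" not in query:
        raise ValueError("not a remote query: %r" % query)
    rest, host = query.rsplit("@", 1)
    if not host:
        raise ValueError("empty hostname in %r" % query)
    return host, rest

def relay_chain(query, origin="me"):
    """Resolve the whole chain the way the client and then each cooperating
    daemon would. Returns [(who_connects, host_contacted, line_sent), ...]."""
    hops, who = [], origin
    while "@" in query:
        host, rest = split_last_hop(query)
        hops.append((who, host, rest))
        who, query = host, rest
    return hops

def seen_by_target(query, origin="me"):
    """The address the final target's logs will show: whoever made the last
    hop, i.e. the bounce host rather than the origin when a relay is used."""
    return relay_chain(query, origin)[-1][0]

if __name__ == "__main__":
    for arg in ("@victim.com@host.com", "@host.com@victim.com"):
        print("finger %s" % arg)
        for who, host, line in relay_chain(arg):
            print("  %s connects to %s:79 and sends %r" % (who, host, line))
```

Running it shows that "finger @victim.com@host.com" makes host.com contact victim.com (victim.com logs host.com), while "finger @host.com@victim.com" makes your own machine contact victim.com first, so the bounce buys you nothing there.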


1.6 Conclusion
<============>

The Finger Daemon can be a huge source of information for anyone trying
to gain access to a system: it hands half of the username/password
combination needed to get in to anyone who asks for it. There are a few
nice tricks to get the specific accounts that you are looking for, and
after that it's just a question of running a script that cracks the
passwords, using either a wordlist or the bruteforce technique. Also
keep in mind the advantages of a bounce attack using the finger daemon,
on the rare host that still allows forwarding. If you run a system
yourself, the lesson is the opposite one: don't run fingerd, or at least
don't expose it outside your own network.

1.7 Afterword
<========>

I hope some of you out there who are new to the computer security /
hacking scene have learned a thing or two from this tutorial.
There's more at http://paris2k.no-ip.org or http://paris2k.tk

P2K alias Paris2K

Credits


by Paris2K
26/04/2002, version 1.2 (First Released Version)