Table of Contents
<===============>
1.1 Disclaimer
1.2 An Introduction to Finger
1.3 Using Finger
1.4 Finger Tricks
1.5 Finger Bounce Attack
1.6 Conclusion
1.7 Afterword
1.1 Disclaimer
<============>
In no way does the author of this tutorial encourage any
sort of illegal activity. This tutorial's only purpose is
to inform and teach about the Finger Daemon and its known
vulnerabilities. The author cannot be held responsible for
anything you do with the knowledge in this tutorial. Be a
true hacker: learn, and help others (to learn).
1.2 An Introduction to Finger
<===========================>
The Finger Daemon (fingerd) is a service that normally
listens on TCP port 79 and was originally intended as a sort
of digital business card for people. A remote user sends a
one-line request to the daemon and gets a reply. Depending
on the request, the reply tells you which users are logged
in to the system, or gives you details on one particular
account, usually including some contact information.
Besides plain user information the reply often also tells
you who the admin of the system is and how he can be
reached. People used to connect to all sorts of systems all
around the world, and Finger told them a bit more about
whose system they were on and who had accounts there.
Finger was used mostly at universities, but large
corporations ran it too.
Back in the days Finger was so common at universities that
students who were asked for contact info by other students
would simply reply "Finger me!" Since the world wide web
came along, Finger has become less and less popular: we now
have websites to serve as our digital business cards, and
people have come to realise that with so many security
threats these days it just isn't a good idea, nor worth the
trouble, to run a Finger Daemon. Not everybody has come to
this conclusion, though, and you'll find there are still a
lot of systems out there running the Finger service. And
these days everybody with a personal computer seems to be
running portscans and trying to break into systems, without
any of the basic knowledge required. The Finger Daemon is a
great example of a service that can (legally) provide you
with a large amount of sensitive information about a
target. Therefore I will try to explain in this tutorial,
in understandable language, what the Finger Daemon is, what
it does and how it can be used to your advantage.
1.3 Using Finger
<==============>
When you run a portscan of www.foobar.com and find that
port 79 is open / listening, that almost always means that
www.foobar.com has a Finger Daemon running (connect and
send a request to be sure, since any service can be bound
to port 79). Now how do we make a request? Windows doesn't
always have a finger client installed (Windows NT and later
do ship a finger.exe), so there we can simply telnet to the
finger port:
telnet www.foobar.com 79
and then type the request line and press Enter. The daemon
expects the line to end in CRLF, which telnet sends for
you, and it closes the connection after one reply. From a
*nix shell we don't need telnet because a finger client is
almost always installed; we can just type the commands.
From here on I will assume you are using a *nix shell. (If
you use Windows/telnet, type the same thing as in *nix but
leave out the word "finger" and the "@foobar.com" part; so
"finger .@foobar.com" becomes just "." after you have
telnetted into port 79 of the right host, and
"finger @foobar.com" becomes an empty line. Without the
quotes.) So we want to finger www.foobar.com; this is how
we do it:
finger @foobar.com
Results:
Login     Name          Tty       Idle       When        Where
root      foobar sys    console   17d        Tue 10:13   node0ls3.foobar.com
Amos      Amanda        <.......> <.......>  <.......>
Anderson  Kenneth
Bright    Adrian
Doe       John
Johnson   Peter         <.......> <.......>  <.......>
Mitnick   Kevin
Munson    Greg
Orwell    Dennis
Now what does this tell us?
In the first column we see the usernames and in the second
the "real names", which of course don't always have to be
real names, but most of the time actually are. The third
column shows the terminal (tty) the user is logged in on,
the fourth the idle time, and after that the time the user
logged in and the host he came from. Sometimes you'll get
more columns with contact address, e-mail address, phone
numbers, etc. Note that which accounts show up in this list
depends on the daemon: many only list the users that are
logged in right now, so an account that exists but isn't
active won't be there until you ask for it by name.
If you would like more information on a specific user
(Peter Johnson for example) you would now enter the
command:
finger johnson@foobar.com
(finger -l johnson@foobar.com asks for the long format,
which on BSD-style daemons adds the home directory, shell,
last login, mail status and the user's .plan and .project
files.)
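To make the protocol concrete, here is an added example (my code, not part of the original tutorial): a minimal finger client that builds the request line RFC 1288 expects, plus a parser that pulls the login names out of a "finger @host" reply. The hostname is a placeholder, and SAMPLE_REPLY is constructed to mirror the table above rather than captured from a real server.

```python
"""Minimal RFC 1288 finger client and a parser for the user-list reply.

Added example for this tutorial (not code from the original page).
Hostnames are placeholders; SAMPLE_REPLY is constructed to mirror the
table in section 1.3 and is not output captured from a real server.
"""
import socket

FINGER_PORT = 79


def build_query(user="", verbose=False):
    """Return the request line a finger client sends for `finger user@host`.

    RFC 1288: an empty user name asks for the list of logged-in users,
    "/W" (what `finger -l` sends) asks for the long format, and the
    line is terminated by CRLF.
    """
    parts = []
    if verbose:
        parts.append("/W")
    if user:
        parts.append(user)
    return (" ".join(parts) + "\r\n").encode("ascii")


def finger(host, user="", verbose=False, timeout=5.0):
    """Send one query to host:79 and return the reply text (does network I/O)."""
    with socket.create_connection((host, FINGER_PORT), timeout=timeout) as sock:
        sock.sendall(build_query(user, verbose))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # the daemon closes the connection after one reply
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


def parse_user_list(reply):
    """Pull the login names out of a `finger @host` reply.

    Skips everything up to the header line that starts with "Login" and
    takes the first field of each following non-empty line. Logins are
    returned once each, in the order they appear.
    """
    logins = []
    in_table = False
    for line in reply.splitlines():
        if not in_table:
            in_table = line.lstrip().startswith("Login")
            continue
        if not line.strip():
            continue
        login = line.split()[0]
        if login not in logins:
            logins.append(login)
    return logins


# Constructed reply modelled on the table in section 1.3 (not real output).
SAMPLE_REPLY = """\
Login     Name           Tty      Idle   When        Where
root      foobar sys     console  17d    Tue 10:13   node0ls3.foobar.com
amos      Amanda Amos    pts/1    2:15   Tue 09:40   dialup12.foobar.com
johnson   Peter Johnson  pts/3           Tue 11:02   lab4.foobar.com
test      Test Account   pts/5    4d     Fri 16:20   lab4.foobar.com
"""

if __name__ == "__main__":
    print(build_query("johnson", verbose=True))  # b'/W johnson\r\n'
    print(parse_user_list(SAMPLE_REPLY))          # ['root', 'amos', 'johnson', 'test']
    # Against a live host you would call finger("www.foobar.com") instead.
```

The parser keys on the "Login" header line because the column layout differs between daemons; only the first field is stable enough to rely on.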
1.4 Finger Tricks
<===============>
I hope by now you have seen what the main and huge weakness
of Finger is. For those of you who haven't, I will explain.
The finger daemon shows you what accounts exist on a
system. That means you have gained (in a perfectly legal
way) 50% of that magical username/password combination that
gives you access to a system. Once you have the usernames,
the next step would be to load up a (perl) bruteforce or
wordlist password cracker. There are special scripts written
for telnet, for example. (Check out
http://www.thehackerschoice.com/ or search for VLAD's
pwscan.pl.) Start with a wordlist of passwords that are the
same as, or almost the same as, the usernames; if that
doesn't work, start the bruteforce script, get some coffee
and sit back and relax till the script has done the work
for you. (Keep in mind that guessing over the network is
slow, shows up in the target's logs and may lock accounts
out.)
Of course we find some accounts on a host more interesting
than others: mainly the root or admin account because of
its special privileges, and of course any other account
that we think might have an easy to guess / crack password.
There are a few nice tricks to get just these kinds of
accounts. For example, type in the command:
finger secret@foobar.com
The Finger Daemon will now show you the accounts whose
username is "secret" or whose real name contains the word
"secret" (how loosely it matches depends on the daemon; BSD
finger compares the query against the login name and each
word of the real name, case-insensitively). What's so
special about that? Well, you could use "test" or "temp" or
"0000" instead of "secret", and as you probably know these
kinds of accounts very often have rather easy passwords:
passwords that are the same as the username or almost the
same (test0, test1, etc.). Two more queries to try:
finger .@foobar.com
finger 0@foobar.com
Try them and see what happens! Try to get to know the
finger daemon, read the RFC (RFC 1288) and find your own
tricks!
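The two steps above, matching a word like "secret" or "test" against the accounts and then turning each hit into the first passwords worth trying, as an added example (my code, not the tutorial's). The matching rule modelled is BSD finger's (login name or any word of the GECOS real name, case-insensitive); other daemons differ, and the "." and "0" quirks are not modelled. The passwd lines are constructed, not from any real system.

```python
"""How finger matches a query against accounts, and what an attacker does
with the result. Added example for this tutorial, not part of the
original page; the passwd lines below are constructed, not a real system.

Matching follows BSD finger: a query matches a user if it equals the
login name or any whitespace-separated word of the GECOS real name
(case-insensitive). Other daemons differ; the old "finger .@host" and
"finger 0@host" quirks are not modelled here.
"""

# Constructed /etc/passwd-style lines: login:x:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:foobar sys:/root:/bin/sh
johnson:x:1001:100:Peter Johnson,Room 12:/home/johnson:/bin/sh
test:x:1002:100:Test Account:/home/test:/bin/sh
secretary:x:1003:100:Ann Secret:/home/secretary:/bin/sh
tmp:x:1004:100:temp account:/tmp:/bin/sh
"""


def parse_passwd(text):
    """Return (login, real_name) pairs; the real name is the GECOS field up to the first comma."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue
        users.append((fields[0], fields[4].split(",")[0]))
    return users


def match_users(query, users):
    """Logins whose login name or any word of the real name equals the query."""
    q = query.lower()
    return [login for login, real_name in users
            if login.lower() == q or any(w.lower() == q for w in real_name.split())]


def easy_targets(users, words=("test", "temp", "guest", "secret")):
    """Run the section 1.4 trick for several words at once: {word: [logins]}."""
    return {w: hits for w in words if (hits := match_users(w, users))}


def username_guesses(login, max_digit=9):
    """Passwords to try first for a login: the name itself and trivial variants."""
    guesses = [login, login.capitalize(), login.upper(), login[::-1], login + login]
    guesses += [f"{login}{n}" for n in range(max_digit + 1)]
    guesses += [login + s for s in ("123", "!", "1234")]
    unique = []
    for g in guesses:
        if g not in unique:
            unique.append(g)
    return unique


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    print(easy_targets(users))              # {'test': ['test'], 'temp': ['tmp'], 'secret': ['secretary']}
    print(username_guesses("test")[:5])     # ['test', 'Test', 'TEST', 'tset', 'testtest']
```

Note that "secret" turns up the account "secretary" through its real name, not its login, which is exactly why querying words rather than usernames is worthwhile.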
1.5 Finger Bounce Attack
<======================>
It is also possible to hop from one Finger Daemon to the
other. The RFC allows a query of the form user@host1@host2:
your client sends it to the last host in the chain, which
strips off its own name and forwards the rest to the host
before it. For example, if I wanted to finger
"www.victim.com" and knew that "www.host.com" had Finger
running as well, I could make a request like this:
finger @victim.com@host.com
Host.com would now finger victim.com and show me the
results. One of the advantages is that I would now be rather
anonymous towards the victim: if www.victim.com logs
requests, it would see www.host.com in its logs and not me
(host.com, of course, can still log my address). A second
advantage is that I could let a trusted host finger another
computer on the same network, when that computer would
normally not allow an incoming finger request from me.
Keep in mind that forwarding is optional in the RFC and many
finger daemons in use today refuse it with a message like
"forwarding service denied".
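Both sides of the bounce, as an added example (my code, not the tutorial's): on the client side, which host actually receives the TCP connection for a chained query and what it is asked to forward (RFC 1288 sends the query to the rightmost host first); on the daemon side, the check a fingerd makes to refuse forwarding and reject junk before it looks anything up. Hostnames are placeholders; the length limit and the allowed-character sets are my choices, not taken from any particular daemon.

```python
"""Finger forwarding (the "bounce") from both sides. Added example for
this tutorial, not code from the original page; hostnames are
placeholders and the daemon-side limits are assumptions.

RFC 1288 allows a query of the form user@host1@host2: the client sends
it to the LAST host (host2), which strips its own name and forwards
"user@host1" to host1. So to have host.com finger victim.com for you,
the command is `finger @victim.com@host.com`.
"""
import re


def resolve_hop(query):
    """Return (host_to_connect_to, request_line_to_send) for one hop.

    "@victim.com@host.com" -> ("host.com", "@victim.com")
    "bob@victim.com"       -> ("victim.com", "bob")
    """
    if "@" not in query:
        raise ValueError("a finger query with no host has nowhere to go")
    rest, _, last_host = query.rpartition("@")
    if not last_host:
        raise ValueError("empty hostname in query")
    return last_host, rest


def forwarding_chain(query):
    """Every (host, request) hop in order, as each daemon sees it if all forward."""
    hops = []
    while "@" in query:
        host, query = resolve_hop(query)
        hops.append((host, query))
    return hops


# --- daemon side -------------------------------------------------------

MAX_QUERY = 256  # assumed bound: refuse absurd lines before parsing them
_LOCAL = re.compile(r"^(/W\s*)?[A-Za-z0-9._-]*$")           # "", "user", "/W user"
_HOSTS = re.compile(r"^[A-Za-z0-9.-]+(@[A-Za-z0-9.-]+)*$")   # host1@host2...


def accept_query(raw_line, allow_forwarding=False):
    """Decide whether a fingerd should serve the request line it received.

    Returns (ok, reason). Any '@' makes it a forwarding request; a daemon
    that refuses those stops the bounce described in section 1.5 and
    keeps itself from being used as someone else's proxy.
    """
    line = raw_line.rstrip("\r\n")
    if len(line) > MAX_QUERY:
        return False, "query too long"
    if "@" in line and not allow_forwarding:
        return False, "forwarding service denied"
    local_part, _, hosts = line.partition("@")
    if not _LOCAL.match(local_part):
        return False, "malformed query"
    if hosts and not _HOSTS.match(hosts):
        return False, "malformed hostname"
    return True, "ok"


if __name__ == "__main__":
    print(forwarding_chain("@victim.com@host.com"))   # [('host.com', '@victim.com'), ('victim.com', '')]
    print(accept_query("@victim.com\r\n"))            # (False, 'forwarding service denied')
```

The client-side split is the same one a forwarding daemon performs on the request it receives, which is why the chain can be followed hop by hop and why the victim only ever sees the host immediately before it.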
1.6 Conclusion
<============>
The Finger Daemon can be a huge source of information for
anyone trying to gain access to a system. The Finger Daemon
legally provides you with half of the username/password
combination that is needed to gain access. There are a few
nice tricks to get the specific accounts that you are
looking for, and after that it's just a question of running
a script that cracks the passwords, using either a wordlist
or the bruteforce technique. Also keep in mind the
advantages of a bounce attack using the Finger Daemon.
1.7 Afterword
<===========>
I hope some of you people out there who are new to the
computer security / hacking scene have learned a thing or
two from this tutorial. There's more at
http://paris2k.no-ip.org or http://paris2k.tk
P2K alias Paris2K
Credits
by Paris2K
26/04/2002, version 1.2 (First Released Version)