finger-user-enum

Username guessing tool primarily for use against the default Solaris finger service. Also supports relaying of queries through another finger server.  Recent changes are detailed in the CHANGELOG.

Download finger-user-enum v1.0 here.

SHA1sum: 017e214e786df5a25336291acd3b9c8a46b3bd7b

MD5sum: f18832f9d2b5210e5f51bd89f44abeee

User documentation is also available in PDF format.


finger-user-enum User Documentation


Contents

  • Overview
  • Installation
  • Usage
  • Some Examples
    • Normal Usage
    • Relaying Queries
  • License


Overview

finger-user-enum is a tool for enumerating OS-level user accounts via the finger service. As of release v1.0 it is known to work against the default Solaris daemon. It may not yet work against all daemons since there is no defined format for the data returned by the finger service.

Installation

finger-user-enum is just a stand-alone PERL script, so installation is as simple as copying it to your path (e.g. /usr/local/bin). It has only been tested under Linux so far.

It depends on the following PERL modules which you may need to install first:

  • Socket
  • IO::Handle
  • IO::Select
  • IO::Socket::INET
  • Getopt::Std

If you have PERL installed, you should be able to install the modules from CPAN:

 # perl -MCPAN -e shell
 cpan> install Getopt::Std

Usage

finger-user-enum simply needs to be passed a list of users and at least one target running a finger service.

 finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum ) 

 Usage: finger-user-enum.pl [options] (-u username|-U users.txt) (-t host|-T ips.txt) 

 options are:
         -m n     Maximum number of resolver processes (default: 5)
         -u user  Check if user exists on remote system
         -U file  File of usernames to check via finger service
         -t host  Server host running finger service
         -T file  File of hostnames running the finger service
         -r host  Relay.  Intermediate server which allows relaying of finger requests.
         -p port  TCP port on which finger service runs (default: 79)
         -d       Debugging output
         -s n     Wait a maximum of n seconds for reply (default: 5)
         -v       Verbose
         -h       This help message

Some Examples

For the examples below we need a list of potential usernames. The following output demonstrates the format for this list:

 $ head users.txt
 root
 bin
 daemon
 adm
 lp
 sync
 shutdown
 halt
 mail
 news

Normal Usage

The output below shows how the finger daemon responds differently to valid and invalid usernames:

 $ telnet 10.0.0.1 79
 Trying 10.0.0.1...
 Connected to 10.0.0.1.
 Escape character is '^]'.
 root
 Login       Name               TTY         Idle    When    Where
 root     Super-User            console     2:05 Wed 07:23
 Connection closed by foreign host. 

 $ telnet 10.0.0.1 79
 Trying 10.0.0.1...
 Connected to 10.0.0.1.
 Escape character is '^]'.
 blah
 Login       Name               TTY         Idle    When    Where
 blah                  ???
 Connection closed by foreign host.

finger-user-enum attempts to automatically parse the results returned by the finger daemon and report only users which exist.

Note: If you ever need to modify the pattern-matching within finger-user-enum (e.g. to support a different finger daemon), you’ll need to base the patterns on positive and negative results like those found above.
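As an added illustration (not code from finger-user-enum itself), the following Python classifier applies the distinction visible in the sessions above. The sample responses are transcribed from this page, and the rule that a bare `???` after the echoed login means an unknown account is a heuristic derived from those samples, not the tool's own pattern; it also shows why a daemon that answers identically for known and unknown logins leaves nothing to parse.

```python
import re

# Sample finger responses, transcribed from the telnet sessions and the scan
# output in the documentation above (constructed inputs for this example).
SAMPLES = {
    "root": "Login       Name               TTY         Idle    When    Where\n"
            "root     Super-User            console     2:05 Wed 07:23\n",
    "blah": "Login       Name               TTY         Idle    When    Where\n"
            "blah                  ???\n",
    "daemon": "Login       Name               TTY         Idle    When    Where\n"
              "daemon          ???                         < .  .  .  . >..\n",
    "bin": "Login       Name               TTY         Idle    When    Where\n"
           "bin             ???            pts/1        <Dec 21 13:04> 10.0.0.99\n",
}

HEADER_RE = re.compile(r"^\s*Login\s+Name\s+TTY", re.IGNORECASE)
# Heuristic from the samples: an unknown user is echoed back followed by
# nothing but "???"; a real account always carries at least one further
# field (a GECOS name, a TTY, a last-login time or a "< . . . . >" marker).
UNKNOWN_RE = re.compile(r"^(\S+)\s+\?\?\?\s*$")


def classify(user, response):
    """Return (exists, detail_line) for one finger response.

    exists is True/False when the Solaris-style table was recognised and
    None when the reply did not match the expected layout, so a daemon that
    uses a different format is reported as unparsed rather than guessed at.
    """
    lines = [l.rstrip() for l in response.splitlines() if l.strip()]
    # Relayed replies start with a "[host]" line; drop such bracketed lines.
    lines = [l for l in lines if not re.match(r"^\[[^\]]+\]$", l)]
    if not lines or not HEADER_RE.match(lines[0]):
        return None, None
    for line in lines[1:]:
        # Solaris answers a prefix query with the full login (nobody -> nobody4).
        if not line.split()[0].startswith(user):
            continue
        return (UNKNOWN_RE.match(line) is None), line
    return None, None


if __name__ == "__main__":
    for user, resp in SAMPLES.items():
        exists, line = classify(user, resp)
        print(f"{user:8} exists={exists} | {line}")
```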

Here’s an example of the most common usage of the tool:

 $ ./finger-user-enum.pl -U users.txt -t 10.0.0.1
 Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum ) 

  ----------------------------------------------------------
 |                   Scan Information                       |
  ---------------------------------------------------------- 

 Worker Processes ......... 5
 Usernames file ........... users.txt
 Target count ............. 1
 Username count ........... 47
 Target TCP port .......... 79
 Query timeout ............ 5 secs
 Relay Server ............. Not used 

 ######## Scan started at Sun Jan 21 19:44:22 2007 #########
 root@10.0.0.1: root     Super-User            console     2:03 Wed 07:23 ..
 bin@10.0.0.1: bin             ???            pts/1        <Dec 21 13:04> 10.0.0.99
 daemon@10.0.0.1: daemon          ???                         < .  .  .  . >..
 adm@10.0.0.1: adm      Admin                              < .  .  .  . >..
 lp@10.0.0.1: lp       Line Printer Admin                 < .  .  .  . >..
 uucp@10.0.0.1: uucp Admin                         < .  .  .  . >..
 nobody@10.0.0.1: nobody4  SunOS 4.x Nobody                   < .  .  .  . >..
 ftp@10.0.0.1: ftp      Anonymous FTPUser     674          <Aug 11 14:22> 10.0.0.99
 ######## Scan completed at Sun Jan 21 19:44:23 2007 #########
 8 results. 

 47 queries in 1 seconds (47.0 queries / sec)

Relaying Queries

It is also possible to use some finger daemons as a relay (i.e. to ask the finger daemon to finger a user on another host). The following output shows how you’d get the finger daemon on 10.0.0.1 to finger users on 10.0.0.2:

 $ telnet 10.0.0.1 79
 Trying 10.0.0.1...
 Connected to 10.0.0.1.
 Escape character is '^]'.
 root@10.0.0.2
 [10.0.0.2]
 Login       Name               TTY         Idle    When    Where
 root     Super-User            console     2:12 Wed 07:23
 Connection closed by foreign host.

Note that your host won’t send any traffic directly to 10.0.0.2 during this request. Queries to 10.0.0.2 originate from 10.0.0.1.

If you need to relay your queries (and the daemon allows relaying) here is the syntax for finger-user-enum:

 $ ./finger-user-enum.pl -U users.txt -t 10.0.0.2 -r 10.0.0.1
 Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum ) 

  ----------------------------------------------------------
 |                   Scan Information                       |
  ---------------------------------------------------------- 

 Worker Processes ......... 5
 Usernames file ........... users.txt
 Target count ............. 1
 Username count ........... 47
 Target TCP port .......... 79
 Query timeout ............ 5 secs
 Relay Server ............. 10.0.0.1 

 ######## Scan started at Sun Jan 21 19:44:29 2007 #########
 root@10.0.0.2: root     Super-User            console     2:03 Wed 07:23 ..
 bin@10.0.0.2: bin             ???            pts/1        <Dec 21 13:04> 10.0.0.99
 lp@10.0.0.2: lp       Line Printer Admin                 < .  .  .  . >..
 daemon@10.0.0.2: daemon          ???                         < .  .  .  . >..
 adm@10.0.0.2: adm      Admin                              < .  .  .  . >..
 uucp@10.0.0.2: uucp Admin                         < .  .  .  . >..
 nobody@10.0.0.2: nobody4  SunOS 4.x Nobody                   < .  .  .  . >..
 ftp@10.0.0.2: ftp      Anonymous FTPUser     674          <Aug 11 14:22> 10.0.0.99
 ######## Scan completed at Sun Jan 21 19:44:31 2007 #########
 8 results. 

 47 queries in 2 seconds (23.5 queries / sec)

License

This tool may be used for legal purposes only. Users take full responsibility for any actions performed using this tool. The author accepts no liability for damage caused by this tool. If these terms are not acceptable to you, then do not use this tool.

In all other respects the GPL version 2 applies:

 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License version 2 as
 published by the Free Software Foundation. 

 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details. 

 You should have received a copy of the GNU General Public License along
 with this program; if not, write to the Free Software Foundation, Inc.,
 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
