{"id":105,"date":"2007-01-21T21:56:07","date_gmt":"2007-01-21T21:56:07","guid":{"rendered":"http:\/\/pentestmonkey.net\/?p=105"},"modified":"2011-08-31T16:09:54","modified_gmt":"2011-08-31T16:09:54","slug":"finger-user-enum","status":"publish","type":"post","link":"https:\/\/pentestmonkey.net\/tools\/user-enumeration\/finger-user-enum","title":{"rendered":"finger-user-enum"},"content":{"rendered":"<p>Username guessing tool primarily for use against the default Solaris finger service. Also supports relaying of queries through another finger server.\u00a0 Recent changes are detailed in the <a href=\"..\/tools\/finger-user-enum\/CHANGELOG\">CHANGELOG<\/a>.<\/p>\n<p>Download finger-user-enum v1.0 <a href=\"\/tools\/finger-user-enum\/finger-user-enum-1.0.tar.gz\">here<\/a>.<\/p>\n<p>SHA1sum: 017e214e786df5a25336291acd3b9c8a46b3bd7b<\/p>\n<p>MD51sum: f18832f9d2b5210e5f51bd89f44abeee<\/p>\n<p>User documentation is also available in <a href=\"\/tools\/finger-user-enum\/finger-user-enum-user-docs.pdf\">PDF<\/a> format.<\/p>\n<p><!--more--><\/p>\n<p>&nbsp;<\/p>\n<h1 align=\"center\">finger-user-enum User Documentation<\/h1>\n<p>&nbsp;<\/p>\n<h2><a title=\"SECTION00010000000000000000\" name=\"SECTION00010000000000000000\"><\/a> Contents<\/h2>\n<ul>\n<li><a title=\"tex2html11\" name=\"tex2html11\" href=\"finger-user-enum-user-docs.html#SECTION00020000000000000000\"><\/a>Overview<\/li>\n<li><a title=\"tex2html12\" name=\"tex2html12\" href=\"finger-user-enum-user-docs.html#SECTION00030000000000000000\"><\/a>Installation<\/li>\n<li><a title=\"tex2html13\" name=\"tex2html13\" href=\"finger-user-enum-user-docs.html#SECTION00040000000000000000\"><\/a>Usage<\/li>\n<li><a title=\"tex2html14\" name=\"tex2html14\" href=\"finger-user-enum-user-docs.html#SECTION00050000000000000000\"><\/a>Some Examples\n<ul>\n<li><a title=\"tex2html15\" name=\"tex2html15\" href=\"finger-user-enum-user-docs.html#SECTION00051000000000000000\"><\/a>Normal Usage<\/li>\n<li><a title=\"tex2html16\" name=\"tex2html16\" href=\"finger-user-enum-user-docs.html#SECTION00052000000000000000\"><\/a>Relaying Queries<\/li>\n<\/ul>\n<\/li>\n<li><a title=\"tex2html17\" name=\"tex2html17\" href=\"finger-user-enum-user-docs.html#SECTION00060000000000000000\"><\/a>License<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h1><a title=\"SECTION00020000000000000000\" name=\"SECTION00020000000000000000\"><\/a>Overview<\/h1>\n<p>finger-user-enum is a tool for enumerating OS-level user accounts via the finger service. As of release v1.0 it is known to work against the default Solaris daemon. It may not yet work against all daemons since there is no defined format for the data returned by the finger service.<\/p>\n<h1><a title=\"SECTION00030000000000000000\" name=\"SECTION00030000000000000000\"><\/a>Installation<\/h1>\n<p>finger-user-enum is just a stand alone PERL script, so installation is as simple as copying it to your path (e.g. \/usr\/local\/bin). It has only been tested under Linux so far.<\/p>\n<p>It depends on the following PERL modules which you may need to install first:<\/p>\n<ul>\n<li>Socket<\/li>\n<li>IO::Handle<\/li>\n<li>IO::Select<\/li>\n<li>IO::Socket::INET<\/li>\n<li>Getopt::Std<\/li>\n<\/ul>\n<p>If you have PERL installed, you should be able to install the modules from CPAN:<\/p>\n<pre> # perl -MCPAN -e shell\r\n cpan&gt; install Getopt::Std<\/pre>\n<h1><a title=\"SECTION00040000000000000000\" name=\"SECTION00040000000000000000\"><\/a>Usage<\/h1>\n<p>finger-user-enum simply needs to be passed a list of users and at least one target running an finger service.<\/p>\n<pre> finger-user-enum v1.0 ( http:\/\/pentestmonkey.net\/tools\/finger-user-enum ) \r\n\r\n Usage: finger-user-enum.pl [options] (-u username|-U users.txt) (-t host|-T ips.txt) \r\n\r\n options are:\r\n         -m n     Maximum number of resolver processes (default: 5)\r\n         -u user  Check if user exists on remote system\r\n         -U file  File of usernames to check via finger service\r\n         -t host  Server host running finger service\r\n         -T file  File of hostnames running the finger service\r\n         -r host  Relay.  Intermediate server which allows relaying of finger requests.\r\n         -p port  TCP port on which finger service runs (default: 79)\r\n         -d       Debugging output\r\n         -s n     Wait a maximum of n seconds for reply (default: 5)\r\n         -v       Verbose\r\n         -h       This help message<\/pre>\n<h1><a title=\"SECTION00050000000000000000\" name=\"SECTION00050000000000000000\"><\/a>Some Examples<\/h1>\n<p>For the examples below we need a list of potential usernames. The following output demostrates the format for this list:<\/p>\n<pre> $ head users.txt\r\n root\r\n bin\r\n daemon\r\n adm\r\n lp\r\n sync\r\n shutdown\r\n halt\r\n mail\r\n news<\/pre>\n<h2><a title=\"SECTION00051000000000000000\" name=\"SECTION00051000000000000000\"><\/a> Normal Usage<\/h2>\n<p>The output below shows how the finger daemon responds differently to valid and invalid usernames:<\/p>\n<pre> $ telnet 10.0.0.1 79\r\n Trying 10.0.0.1...\r\n Connected to 10.0.0.1.\r\n Escape character is '^]'.\r\n root\r\n Login       Name               TTY         Idle    When    Where\r\n root     Super-User            console     2:05 Wed 07:23\r\n Connection closed by foreign host. \r\n\r\n $ telnet 10.0.0.1 79\r\n Trying 10.0.0.1...\r\n Connected to 10.0.0.1.\r\n Escape character is '^]'.\r\n blah\r\n Login       Name               TTY         Idle    When    Where\r\n blah                  ???\r\n Connection closed by foreign host.<\/pre>\n<p>finger-user-enum attempts to automatically parse the results returned by the finger daemon and report only users which exist.<\/p>\n<p>Note: If you ever need to modify the pattern-matching within finger-user-enum (e.g. to support a different finger daemon), you&#8217;ll need to base the patterns on positive and negative result like those found above.<\/p>\n<p>Here&#8217;s an example of the most common usage of the tool:<\/p>\n<pre> $ .\/finger-user-enum.pl -U users.txt -t 10.0.0.1\r\n Starting finger-user-enum v1.0 ( http:\/\/pentestmonkey.net\/tools\/finger-user-enum ) \r\n\r\n  ----------------------------------------------------------\r\n |                   Scan Information                       |\r\n  ---------------------------------------------------------- \r\n\r\n Worker Processes ......... 5\r\n Usernames file ........... users.txt\r\n Target count ............. 1\r\n Username count ........... 47\r\n Target TCP port .......... 79\r\n Query timeout ............ 5 secs\r\n Relay Server ............. Not used \r\n\r\n ######## Scan started at Sun Jan 21 19:44:22 2007 #########\r\n root@10.0.0.1: root     Super-User            console     2:03 Wed 07:23 ..\r\n bin@10.0.0.1: bin             ???            pts\/1        &lt;Dec 21 13:04&gt; 10.0.0.99\r\n daemon@10.0.0.1: daemon          ???                         &lt; .  .  .  . &gt;..\r\n adm@10.0.0.1: adm      Admin                              &lt; .  .  .  . &gt;..\r\n lp@10.0.0.1: lp       Line Printer Admin                 &lt; .  .  .  . &gt;..\r\n uucp@10.0.0.1: uucp Admin                         &lt; .  .  .  . &gt;..\r\n nobody@10.0.0.1: nobody4  SunOS 4.x Nobody                   &lt; .  .  .  . &gt;..\r\n ftp@10.0.0.1: ftp      Anonymous FTPUser     674          &lt;Aug 11 14:22&gt; 10.0.0.99\r\n ######## Scan completed at Sun Jan 21 19:44:23 2007 #########\r\n 8 results. \r\n\r\n 47 queries in 1 seconds (47.0 queries \/ sec)<\/pre>\n<h2><a title=\"SECTION00052000000000000000\" name=\"SECTION00052000000000000000\"><\/a> Relaying Queries<\/h2>\n<p>It is also possible to use some finger daemons as a relay (i.e. to ask the finger daemon to finger a user on another host). The following output shows how you&#8217;d get the finger daemon on 10.0.0.1 to finger users on 10.0.0.2:<\/p>\n<pre> $ telnet 10.0.0.1 79\r\n Trying 10.0.0.1...\r\n Connected to 10.0.0.1.\r\n Escape character is '^]'.\r\n root@10.0.0.2\r\n [10.0.0.2]\r\n Login       Name               TTY         Idle    When    Where\r\n root     Super-User            console     2:12 Wed 07:23\r\n Connection closed by foreign host.<\/pre>\n<p>Note that your host won&#8217;t send any traffic directly to 10.0.0.2 during this request. Queries to 10.0.0.2 originate from 10.0.0.1.<\/p>\n<p>If you need to relay your queries (and the daemon allows relaying) here is the syntax for finger-user-enum:<\/p>\n<pre> $ .\/finger-user-enum.pl -U users.txt -t 10.0.0.2 -r 10.0.0.1\r\n Starting finger-user-enum v1.0 ( http:\/\/pentestmonkey.net\/tools\/finger-user-enum ) \r\n\r\n  ----------------------------------------------------------\r\n |                   Scan Information                       |\r\n  ---------------------------------------------------------- \r\n\r\n Worker Processes ......... 5\r\n Usernames file ........... users.txt\r\n Target count ............. 1\r\n Username count ........... 47\r\n Target TCP port .......... 79\r\n Query timeout ............ 5 secs\r\n Relay Server ............. 10.0.0.1 \r\n\r\n ######## Scan started at Sun Jan 21 19:44:29 2007 #########\r\n root@10.0.0.2: root     Super-User            console     2:03 Wed 07:23 ..\r\n bin@10.0.0.2: bin             ???            pts\/1        &lt;Dec 21 13:04&gt; 10.0.0.99\r\n lp@10.0.0.2: lp       Line Printer Admin                 &lt; .  .  .  . &gt;..\r\n daemon@10.0.0.2: daemon          ???                         &lt; .  .  .  . &gt;..\r\n adm@10.0.0.2: adm      Admin                              &lt; .  .  .  . &gt;..\r\n uucp@10.0.0.2: uucp Admin                         &lt; .  .  .  . &gt;..\r\n nobody@10.0.0.2: nobody4  SunOS 4.x Nobody                   &lt; .  .  .  . &gt;..\r\n ftp@10.0.0.2: ftp      Anonymous FTPUser     674          &lt;Aug 11 14:22&gt; 10.0.0.99\r\n ######## Scan completed at Sun Jan 21 19:44:31 2007 #########\r\n 8 results. \r\n\r\n 47 queries in 2 seconds (23.5 queries \/ sec)<\/pre>\n<h1><a title=\"SECTION00060000000000000000\" name=\"SECTION00060000000000000000\"><\/a>License<\/h1>\n<p>This tool may be used for legal purposes only. Users take full responsibility for any actions performed using this tool. The author accepts no liability for damage caused by this tool. If these terms are not acceptable to you, then do not use this tool.<\/p>\n<p>In all other respects the GPL version 2 applies:<\/p>\n<pre> This program is free software; you can redistribute it and\/or modify\r\n it under the terms of the GNU General Public License version 2 as\r\n published by the Free Software Foundation. \r\n\r\n This program is distributed in the hope that it will be useful,\r\n but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\r\n GNU General Public License for more details. \r\n\r\n You should have received a copy of the GNU General Public License along\r\n with this program; if not, write to the Free Software Foundation, Inc.,\r\n 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Username guessing tool primarily for use against the default Solaris finger service. Also supports relaying of queries through another finger server.\u00a0 Recent changes are detailed in the CHANGELOG. Download finger-user-enum v1.0 here. SHA1sum: 017e214e786df5a25336291acd3b9c8a46b3bd7b MD51sum: f18832f9d2b5210e5f51bd89f44abeee User documentation is also available in PDF format.<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[13],"tags":[115,19,76,114],"_links":{"self":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts\/105"}],"collection":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/comments?post=105"}],"version-history":[{"count":4,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts\/105\/revisions"}],"predecessor-version":[{"id":566,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts\/105\/revisions\/566"}],"wp:attachment":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/media?parent=105"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/categories?post=105"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/tags?post=105"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}