Finger
Nmap discovered a Finger service running on the target's port 79.
- Finger is a simple network protocol used to retrieve information about a specific user on a remote system.
- It is mostly used to gather information about a user's login name, real name, terminal name and write status, as well as a list of users currently logged into the system.
- It is considered obsolete and insecure, and its usage is discouraged due to sensitive data exposure.
Enumerating Users
┌──(kali㉿kali)-[~/archive/htb/labs/sunday]
└─$ nmap --script finger.nse -p79 $IP
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-21 15:03 CET
Nmap scan report for sunday (10.10.10.76)
Host is up (0.028s latency).
PORT STATE SERVICE
79/tcp open finger
|_finger: No one logged on\x0D
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
Nmap is able to enumerate logged-in users. No one seems to be home.
┌──(kali㉿kali)-[~/archive/htb/labs/sunday]
└─$ echo 'root' | nc -nv $IP 79
(UNKNOWN) [10.10.10.76] 79 (finger) open
Login Name TTY Idle When Where
root Super-User console <Oct 14 10:28>
I can also enumerate users just by providing usernames.
There is a script that effectively does this.
┌──(kali㉿kali)-[~/archive/htb/labs/sunday]
└─$ perl finger-user-enum.pl -t $IP -p 79 -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Worker Processes ......... 5
Usernames file ........... /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
Target count ............. 1
Username count ........... 8295455
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used
######## Scan started at Sat Jan 21 15:08:49 2023 #########
admin@10.10.10.76: Login Name TTY Idle When Where..adm Admin < . . . . >..dladm Datalink Admin < . . . . >..netadm Network Admin < . . . . >..netcfg Network Configuratio < . . . . >..dhcpserv DHCP Configuration A < . . . . >..ikeuser IKE Admin < . . . . >..lp Line Printer Admin < . . . . >..
root@10.10.10.76: root Super-User console <Oct 14 10:28>..
access@10.10.10.76: access No Access User < . . . . >..nobody4 SunOS 4.x NFS Anonym < . . . . >..
sammy@10.10.10.76: sammy ??? ssh <Apr 13, 2022> 10.10.14.13 ..
sunny@10.10.10.76: sunny ??? ssh <Apr 13, 2022> 10.10.14.13 ..
bin@10.10.10.76: bin ??? < . . . . >..
network@10.10.10.76: Login Name TTY Idle When Where..netadm Network Admin < . . . . >..netcfg Network Configuratio < . . . . >..
nobody@10.10.10.76: nobody NFS Anonymous Access < . . . . >..
Admin@10.10.10.76: Admin < . . . . >..
films+pic+galeries@10.10.10.76: Login Name TTY Idle When Where..films+pic+galeries ???..
printer@10.10.10.76: Login Name TTY Idle When Where..lp Line Printer Admin < . . . . >..
daemon@10.10.10.76: daemon ??? < . . . . >..
line@10.10.10.76: Login Name TTY Idle When Where..lp Line Printer Admin < . . . . >..
anonymous@10.10.10.76: Login Name TTY Idle When Where..nobody NFS Anonymous Access < . . . . >..nobody4 SunOS 4.x NFS Anonym < . . . . >..
remote@10.10.10.76: Login Name TTY Idle When Where..unknown Unknown Remote UID < . . . . >..
server@10.10.10.76: server UID < . . . . >..
unknown@10.10.10.76: unknown Unknown Remote UID < . . . . >..
message@10.10.10.76: Login Name TTY Idle When Where..smmsp SendMail Message Sub < . . . . >..
user@10.10.10.76: user AI User < . . . . >..openldap OpenLDAP User < . . . . >..nobody NFS Anonymous Access < . . . . >..noaccess No Access User < . . . . >..nobody4 SunOS 4.x NFS Anonym < . . . . >..
program@10.10.10.76: Login Name TTY Idle When Where..smmsp SendMail Message Sub < . . . . >..
sys@10.10.10.76: sys ??? < . . . . >..
ike@10.10.10.76: ikeuser IKE Admin < . . . . >..
While some of these are false positives, I see some key information.
There are 2 users with SSH access: sammy and sunny.
I can confirm that:
┌──(kali㉿kali)-[~/archive/htb/labs/sunday]
└─$ echo 'sammy' | nc -nv $IP 79
(UNKNOWN) [10.10.10.76] 79 (finger) open
Login Name TTY Idle When Where
sammy ??? ssh <Apr 13, 2022> 10.10.14.13
┌──(kali㉿kali)-[~/archive/htb/labs/sunday]
└─$ echo 'sunny' | nc -nv $IP 79
(UNKNOWN) [10.10.10.76] 79 (finger) open
Login Name TTY Idle When Where
sunny ??? ssh <Apr 13, 2022> 10.10.14.13
They are valid system users.
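The triage done by eye on the finger-user-enum output above can be scripted to show exactly what the service discloses per account. This is an added example, not part of the original write-up or of finger-user-enum; the function names, bucket names and the reading of `< . . . . >` as "no recorded login" are assumptions drawn from the output shown here.

```python
import re

# Sample input: result lines from the scan above (admin line shortened).
SAMPLE = """\
admin@10.10.10.76: Login Name TTY Idle When Where..adm Admin < . . . . >..dladm Datalink Admin < . . . . >..
root@10.10.10.76: root Super-User console <Oct 14 10:28>..
sammy@10.10.10.76: sammy ??? ssh <Apr 13, 2022> 10.10.14.13 ..
films+pic+galeries@10.10.10.76: Login Name TTY Idle When Where..films+pic+galeries ???..
bin@10.10.10.76: bin ??? < . . . . >..
"""

STAMP = re.compile(r"<([^>]*)>\s*(\S+)?")  # "When" field, optional "Where"

def parse_line(line):
    """Split one 'query@host: rows' line into (query, list of row dicts)."""
    target, _, body = line.partition(": ")
    query = target.rsplit("@", 1)[0]
    rows = []
    for raw in map(str.strip, body.split("..")):  # ".." separates rows here
        if not raw or raw.startswith("Login "):   # skip blanks and the header
            continue
        m = STAMP.search(raw)
        stamp = m.group(1).strip() if m else ""
        rows.append({
            "login": raw.split()[0],
            "has_record": m is not None,
            "has_login": bool(set(stamp) - set(". ")),  # "< . . . . >" = none (assumption)
            "where": m.group(2) if m else None,
        })
    return query, rows

def triage(text):
    """Bucket each query by what its exact-login row (if any) discloses."""
    buckets = {"login_history": [], "no_login_history": [], "unconfirmed": []}
    for line in text.splitlines():
        if "@" not in line or ": " not in line:
            continue  # banner and separator lines
        query, rows = parse_line(line)
        exact = [r for r in rows if r["login"] == query and r["has_record"]]
        if any(r["has_login"] for r in exact):
            buckets["login_history"].append(query)
        elif exact:
            buckets["no_login_history"].append(query)
        else:
            buckets["unconfirmed"].append(query)
    return buckets

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Queries in the `unconfirmed` bucket are the ones where the daemon matched other accounts or returned a row with no login record, which is where the false positives noted above come from.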