Finger
Nmap discovered a Finger server on the target's port 79.
The running service is Mercury/32 fingerd.
- Finger is a simple network protocol used to retrieve information about a specific user on a remote system.
- It is mostly used to gather information about a user's login name, real name, terminal name and write status, as well as a list of users currently logged into the system.
- It is considered obsolete and insecure, and its use is discouraged because it exposes sensitive data.
User Enumeration
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hepet]
└─$ nmap --script finger.nse -p79 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-04 13:14 CET
Nmap scan report for 192.168.159.140
Host is up (0.022s latency).
PORT STATE SERVICE
79/tcp open finger
| finger: Login: Admin Name: Mail System Administrator\x0D
| \x0D
|_[No profile information]\x0D
Nmap done: 1 IP address (1 host up) scanned in 10.30 seconds
There is a user, admin, who claims to be Mail System Administrator
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hepet]
└─$ perl finger-user-enum.pl -t $IP -p 79 -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt | grep -v 'is not known at this site...'
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Worker Processes ......... 5
Usernames file ........... /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
Target count ............. 1
Username count ........... 8295455
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used
######## Scan started at Tue Mar 4 13:25:20 2025 #########
admin@192.168.159.140: Login: admin Name: Mail System Administrator....[No profile information]..
magnus@192.168.159.140: Login: magnus Name: Magnus....[No profile information]..
Admin@192.168.159.140: Login: Admin Name: Mail System Administrator....[No profile information]..
charlotte@192.168.159.140: Login: charlotte Name: Charlotte..
jonas@192.168.159.140: Login: jonas Name: Jonas....[No profile information]..
martha@192.168.159.140: Login: martha Name: Martha....[No profile information]..
Charlotte@192.168.159.140: Login: Charlotte Name: Charlotte....[No profile information]..
postmaster@192.168.159.140: Login: Admin Name: Mail System Administrator....[No profile information]..
Magnus@192.168.159.140: Login: Magnus Name: Magnus....[No profile information]..
newuser@192.168.159.140: Login: newuser Name: Test User....[No profile information]..
agnes@192.168.159.140: Login: agnes Name: Agnes....[No profile information]..
Martha@192.168.159.140: Login: Martha Name: Martha....[No profile information]..
Jonas@192.168.159.140: Login: Jonas Name: Jonas....[No profile information]..
Enumerated the following users:
admin
magnus
charlotte
jonas
martha
postmaster
newuser
agnes
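The scan output above repeats accounts under different capitalisation and returns `Login: Admin` for the `postmaster` query. As an added example (not part of the original write-up or of finger-user-enum), this Python sketch groups the hits by the Login field the server returned; the function names `collapse` and `aliases` are hypothetical, and the sample lines are a subset copied from the output above.

```python
import re

# Lines copied from the finger-user-enum output above (a subset, plus the banner).
SAMPLE = """\
######## Scan started at Tue Mar 4 13:25:20 2025 #########
admin@192.168.159.140: Login: admin Name: Mail System Administrator....[No profile information]..
Admin@192.168.159.140: Login: Admin Name: Mail System Administrator....[No profile information]..
charlotte@192.168.159.140: Login: charlotte Name: Charlotte..
Charlotte@192.168.159.140: Login: Charlotte Name: Charlotte....[No profile information]..
postmaster@192.168.159.140: Login: Admin Name: Mail System Administrator....[No profile information]..
newuser@192.168.159.140: Login: newuser Name: Test User....[No profile information]..
"""

# queried-name@host: Login: <login> Name: <real name>..<trailer>
HIT = re.compile(r"^([^@\s]+)@([^:\s]+): Login: (\S+)\s+Name: (.*?)\.\.")


def collapse(output):
    """Group hits by the Login the server returned, ignoring case."""
    accounts = {}
    for line in output.splitlines():
        m = HIT.match(line)
        if not m:
            continue  # banner, settings table, or "not known" responses
        query, _host, login, name = m.groups()
        entry = accounts.setdefault(
            login.lower(), {"name": name.strip(), "queries": set()}
        )
        entry["queries"].add(query.lower())
    return accounts


def aliases(accounts):
    """Queried names that resolved to a different login (e.g. a mail alias)."""
    return {q: login for login, e in accounts.items()
            for q in e["queries"] if q != login}


if __name__ == "__main__":
    accts = collapse(SAMPLE)
    for login, e in sorted(accts.items()):
        print(f"{login:10} {e['name']}")
    print("aliases:", aliases(accts))
```

On this sample, `postmaster` is reported as an alias of `admin` rather than a separate account, and the case variants collapse to one entry each.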
ela
A new possible user has been identified
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hepet]
└─$ echo 'ela' | nc -nv $IP 79
(UNKNOWN) [192.168.159.140] 79 (finger) open
ela is not known at this site.
The ela user is confirmed