79 - Finger

Finger is a program you can use to find information about computer users.


Finger Enumeration
finger @TARGET-IP
Finger a Specific Username
Login: admin Name: Jason L. Nawrocki
Directory: /home/admin Shell: /bin/bash
Office: 5877, 989-905-2731 Home Phone: 978-272-5420
Never logged in.
No mail.
No Plan.


Solaris bug that shows all logged in users:
finger 0@host
SunOS: RPC services allow user enum:
$ rusers # users logged onto LAN
finger 'a b c d e f g h'@sunhost


msf5 > search finger
Matching Modules
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
1 auxiliary/gather/mybb_db_fingerprint 2014-02-13 normal Yes MyBB Database Fingerprint
2 auxiliary/scanner/finger/finger_users normal Yes Finger Service User Enumerator
3 auxiliary/scanner/oracle/isqlplus_login normal Yes Oracle iSQL*Plus Login Utility
4 auxiliary/scanner/oracle/isqlplus_sidbrute normal Yes Oracle iSQLPlus SID Check
5 auxiliary/scanner/vmware/esx_fingerprint normal Yes VMWare ESX/ESXi Fingerprint Scanner
6 auxiliary/server/browser_autopwn normal No HTTP Client Automatic Exploiter
7 exploit/bsd/finger/morris_fingerd_bof 1988-11-02 normal Yes Morris Worm fingerd Stack Buffer Overflow
8 exploit/windows/http/bea_weblogic_post_bof 2008-07-17 great Yes Oracle Weblogic Apache Connector POST Request Buffer Overflow
9 post/windows/gather/enum_putty_saved_sessions normal No PuTTY Saved Sessions Enumeration Module
Find users:
msf5 > use auxiliary/scanner/finger/finger_users
msf5 auxiliary(scanner/finger/finger_users) > show options
Module options (auxiliary/scanner/finger/finger_users):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 79 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
USERS_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt yes The file that contains a list of default UNIX accounts.
msf5 auxiliary(scanner/finger/finger_users) > setg rhosts
rhosts =>
msf5 auxiliary(scanner/finger/finger_users) > run
[+] - - Found user: admin
[+] - - Found user: administrator
[+] - - Found user: backup
[+] - - Found user: bin
[+] - - Found user: daemon
[+] - - Found user: dbadmin
[+] - - Found user: diag
[+] - - Found user: games
[+] - - Found user: gnats
[+] - - Found user: gopher
[+] - - Found user: irc
[+] - - Found user: list
[+] - - Found user: lp
[+] - Users found: admin, administrator, backup, bin, daemon, dbadmin, diag, games, gnats, gopher, irc, list, lp, mail, man, news, nobody, proxy, root, saned, sync, sys, systemd-bus-proxy, udadmin, uucp, webmaster, www-data
[*] - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


Download script and run it with a wordlist: 
finger-user-enum is a tool for enumerating OS-level user accounts via the finger service. As of release v1.0 it is known to work against the default Solaris daemon. It may not yet work against all daemons since there is no defined format for the data returned by the finger service.
finger-user-enum is just a stand alone PERL script, so installation is as simple as copying it to your path (e.g. /usr/local/bin). It has only been tested under Linux so far.
It depends on the following PERL modules which you may need to install first:
  • Socket
  • IO::Handle
  • IO::Select
  • IO::Socket::INET
  • Getopt::Std
If you have PERL installed, you should be able to install the modules from CPAN:
# perl -MCPAN -e shell
cpan> install Getopt::Std
finger-user-enum simply needs to be passed a list of users and at least one target running an finger service.
Usage: [options] (-u username|-U users.txt) (-t host|-T ips.txt)
options are: -m n Maximum number of resolver processes (default: 5) -u user Check if user exists on remote system -U file File of usernames to check via finger service -t host Server host running finger service -T file File of hostnames running the finger service -r host Relay. Intermediate server which allows relaying of finger requests. -p port TCP port on which finger service runs (default: 79) -d Debugging output -s n Wait a maximum of n seconds for reply (default: 5) -v Verbose -h This help message
Some Examples
For the examples below we need a list of potential usernames. The following output demostrates the format for this list:
$ head users.txt
Normal Usage
The output below shows how the finger daemon responds differently to valid and invalid usernames:
$ telnet 79
Connected to
Escape character is '^]'.
Login Name TTY Idle When Where
root Super-User console 2:05 Wed 07:23
Connection closed by foreign host.
$ telnet 79
Connected to
Escape character is '^]'.
Login Name TTY Idle When Where
blah ???
Connection closed by foreign host.
finger-user-enum attempts to automatically parse the results returned by the finger daemon and report only users which exist.
Note: If you ever need to modify the pattern-matching within finger-user-enum (e.g. to support a different finger daemon), you’ll need to base the patterns on positive and negative result like those found above.
Here’s an example of the most common usage of the tool:
$ ./ -U users.txt -t
Starting finger-user-enum v1.0 (
| Scan Information |
Worker Processes ......... 5
Usernames file ........... users.txt
Target count ............. 1
Username count ........... 47
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used
######## Scan started at Sun Jan 21 19:44:22 2007 #########
[email protected]: root Super-User console 2:03 Wed 07:23 ..
[email protected]: bin ??? pts/1 <Dec 21 13:04>
[email protected]: daemon ??? < . . . . >..
[email protected]: adm Admin < . . . . >..
[email protected]: lp Line Printer Admin < . . . . >..
[email protected]: uucp Admin < . . . . >..
[email protected]: nobody4 SunOS 4.x Nobody < . . . . >..
[email protected]: ftp Anonymous FTPUser 674 <Aug 11 14:22>
######## Scan completed at Sun Jan 21 19:44:23 2007 #########
8 results.
47 queries in 1 seconds (47.0 queries / sec)