Finger




The finger utility lets us discover information about system users. Systems running a finger daemon, which operates on TCP port 79, will respond to queries about currently logged in users as well as information requests about specific users.

Implementation

Because differing implementations of both finger clients and finger daemons can be used, available options may vary, but here are the basics of what we can do with finger.

finger @host_name.com

This command will provide a list of all the users currently logged into host_name.com. If we’re on a Unix system running a finger daemon, we can just type finger to grab the same information for the local system.

[bobuser@originix bobuser]$ finger @host_name.com
Login     Name               Tty   Idle  Login Time   Office     Phone
estewart  Eebel Stewart      1      39d  Jan 16 05:43 (somewhere)
wwankel   Willy Wankel       /4          Feb 24 07:20 (whoknows)
bspear    Billy Spear        /5          Feb 24 08:01 (nada)

This is a lot of information. We’ve just obtained three valid user IDs on the system. Chances are that at least one of our users isn’t using strong passwords. The more people logged on, the more valid user IDs available for password cracking.

finger estewart@host_name.com

Let’s see what information we can get about user Eebel Stewart:

[bobuser@originix bobuser]$ finger estewart@host_name.com
Login: estewart                         Name: Eebel Stewart
Directory: /home/estewart               Shell: /bin/tcsh
On since Wed Jan 16 05:43 (EST) on tty1    39 days 2 hours idle
Last login Sun Feb 24 07:20 (EST) on 4 from somewhere.host_name.com
No mail.
No Plan.

We got some good information here. We found out the user’s home directory, shell, and from where he last logged in.

Tip 

If you use the command finger -l @host_name.com, you’ll get the same information just listed for every user logged in to the system.

finger stewart@host_name.com

Many finger implementations will not only search usernames but will also search real names on the system. In this case, if we can find a system running a finger daemon that supports a lot of users (such as a university’s e-mail server), we can try fingering a popular last name such as Johnson, Jones, or Stewart. We’ll be inundated with valid user IDs on the system!

Why Run a Finger Daemon?

Finger daemons were popular a few years ago, especially in academic settings. There’s no good reason for running a finger daemon now, though—at least not publicly—because it divulges entirely too much information about your systems and the people using them. If you want to run finger daemons for your internal users to look up information, at least block it at the firewall (TCP port 79). Sadly, some older Unix distributions come with finger daemons preinstalled and listening, so you may occasionally find a system whose administrator has overlooked this service and left open a gaping information hole.
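One way to check a host for a finger service that was left enabled by default, as an added example that is not from the book. It assumes the daemon is started from inetd or xinetd, uses the conventional paths /etc/inetd.conf and /etc/xinetd.d/finger, and runs on constructed sample configs; the xinetd check looks only at the service stanza, not at the defaults section.

```python
import os
import re

# Constructed sample configs (not taken from any real host).
SAMPLE_INETD = """\
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
#finger stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
"""
SAMPLE_XINETD = """\
service finger
{
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /usr/sbin/in.fingerd
    disable     = yes
}
"""

def inetd_finger_lines(text):
    """Return active (uncommented) inetd.conf entries for the finger service."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Fields: service, socket type, protocol, wait flag, user, program, args
        fields = line.split()
        if len(fields) >= 6 and fields[0] == "finger":
            hits.append(line)
    return hits

def xinetd_finger_enabled(text):
    """True if a 'service finger' stanza exists and is not set to disable = yes."""
    m = re.search(r"^\s*service\s+finger\s*\{(.*?)\}", text, re.S | re.M)
    if not m:
        return False
    body = "\n".join(l for l in m.group(1).splitlines()
                     if not l.strip().startswith("#"))
    d = re.search(r"^\s*disable\s*=\s*(\S+)", body, re.M)
    return not (d and d.group(1).lower() == "yes")

def audit(paths=("/etc/inetd.conf", "/etc/xinetd.d/finger")):
    """Map each existing config file to True if it leaves finger switched on."""
    report = {}
    for path in paths:
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                text = fh.read()
            report[path] = bool(inetd_finger_lines(text)) or xinetd_finger_enabled(text)
    return report
```

A True entry from audit() means the service should be commented out or set to disable = yes, or at minimum kept behind the TCP port 79 firewall block described above.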

Note 

Finger daemons are indirectly responsible for the birth of the “Internet worm” as well as the founding of the Computer Emergency Response Team (CERT). The Morris worm, named after its creator Robert Tappan Morris, was one of the original Internet worms first launched back in November 1988. It exploited a buffer overflow vulnerability in versions of fingerd running on VAX and Sun machines. It wreaked such havoc that CERT was formed in response.

start sidebar
Case Study: Social Engineering 101

Some hackers are really just good old-fashioned con artists at heart. Why should a hacker bother running port scans and searching for vulnerable network servers if she can just convince someone to give her access to the system?

A hacker is running finger commands against a local educational system to find a user to target when she discovers a user with a rather informative entry in the plan file. The plan is a user-specified public file that users can create in their home directories (~/.plan). It contains additional information that the user wants people to know. Some users go all out and include their life stories in their plans, including phone numbers, addresses, and alternative e-mail addresses.

Login: cjones                           Name: Carla Jones
Directory: /home3/cjones                Shell: /bin/tcsh
On since Tue Apr 30 00:37 (EDT) on pts/1
No mail.
Plan:
Hi! My name's Carla and I'm a 21-year old junior MassComm major who knows ABSOLUTELY NOTHING about computers! :-) My boyfriend Jon set this up for me because he said I need one – whatever!!! I'm hoping to get into broadcast journalism, but my true love is the theater! I love Broadway shows – and am always looking to go up to NYC and see one! E-mail me at cjones@my_university.edu if you're headed up there and want some company! :-) Bye for now...

This plan gives the hacker a lot of information about Carla. She contacts Carla via e-mail:

Dear Carla,

My name is Jennifer Winslow from FreeBroadway! We are a non-profit organization that provides theater-loving college students chances to see Broadway shows FOR FREE and keeps you updated on news and events! Your friend Jon has signed you up for a two-year subscription to our electronic newsletter. By registering with us, you are also eligible to win an all-expenses paid trip to New York City for three days and two nights in which you'll get treated to FIVE Broadway shows of your choice!

In order to track the progress of our contest and get full access to all that FreeBroadway has to offer, you'll need to create an account with us. We'll need the following information from you:

Full Name
Address (city, state, zip)
Phone

You'll also need to choose a username and password so that you can access your FreeBroadway account once it's created. This will allow us to verify that you are Carla Jones when the time comes to claim a prize. You can use the same username and password that you use for your current e-mail account.

More news and information will follow once we hear back from you. Congratulations Carla, and welcome to FreeBroadway.

Sincerely,
Jennifer Winslow

You might think that most people would not fall for such an obvious ploy. You'd be surprised. Chances are Carla will happily oblige our hacker with the same login information she uses on her current e-mail system.

Social engineering can be used in other ways as well. In Chapter 14, we'll discuss the whois tool, which can give hackers important administrative, billing, and technical contacts for organizations. If a hacker focuses on one of those contact names and is able to gather enough information on that individual, she could construct a similarly crafted e-mail—tricking an employee into divulging information that he or she would not normally divulge to a total stranger.

end sidebar
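An administrator can review what users' plan files expose before someone else does. The following is an added example, not from the book: it walks a home-directory root, reads each ~/.plan, and flags e-mail addresses and phone numbers. The sample plan text is constructed, and the phone pattern assumes US-style numbers.

```python
import os
import re

# Constructed sample plan text for trying the audit out.
SAMPLE_PLAN = "E-mail me at cjones@my_university.edu or call (555) 555-0123!\n"

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Assumption: US-style numbers such as (555) 555-0123 or 555-555-0123.
PHONE = re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")

def audit_plans(home_root):
    """Return {user: findings} for every user under home_root with a .plan file."""
    findings = {}
    for user in sorted(os.listdir(home_root)):
        plan = os.path.join(home_root, user, ".plan")
        if not os.path.isfile(plan):
            continue
        with open(plan, errors="replace") as fh:
            text = fh.read()
        findings[user] = {
            "bytes": len(text),
            "emails": EMAIL.findall(text),
            "phones": PHONE.findall(text),
            # A plan that is readable by "other" can be read by an
            # unprivileged finger daemon and served to remote queries.
            "world_readable": bool(os.stat(plan).st_mode & 0o004),
        }
    return findings

def flagged_users(findings):
    """Users whose plan is world-readable and contains contact details."""
    return [u for u, f in findings.items()
            if f["world_readable"] and (f["emails"] or f["phones"])]
```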






Anti-Hacker Tool Kit
Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
EAN: 2147483647
Year: 2004
Pages: 189
