On the Unix side, the finger utility lets us discover information about system users. Systems running a finger daemon, which operates on TCP port 79, will respond to queries about currently logged-in users as well as information requests about specific users.
Because differing implementations of both finger clients and finger daemons can be used, available options may vary, but here are the basics of what we can do with finger.
The command finger @host_name.com provides a list of all the users currently logged into host_name.com. If we're on a Unix system running a finger daemon, we can just type finger to grab the same information for the local system.
    [bobuser@originix bobuser]$ finger @host_name.com
    Login     Name           Tty  Idle  Login Time    Office  Phone
    estewart  Eebel Stewart  1    39d   Jan 16 05:43  (somewhere)
    wwankel   Willy Wankel   /4         Feb 24 07:20  (whoknows)
    bspear    Billy Spear    /5         Feb 24 08:01  (nada)
This is a lot of useful information for profiling the network and its users. We've just obtained three valid user IDs on the system. Chances are that at least one of our users isn't using strong passwords. The more people we discover logged on, the more valid user IDs we have to try password cracking.
Let's see what information we can get about user Eebel Stewart:
    [bobuser@originix bobuser]$ finger estewart@host_name.com
    Login: estewart                         Name: Eebel Stewart
    Directory: /home/estewart               Shell: /bin/tcsh
    On since Wed Jan 16 05:43 (EST) on tty1   39 days 2 hours idle
    Last login Sun Feb 24 07:20 (EST) on 4 from somewhere.host_name.com
    No mail.
    No Plan.
We got some good information here. We found out the user's home directory, shell, and from where he last logged in.
Note: If you use the command finger -l @host_name.com, you'll get the same information just listed for every user logged into the system.
Many finger implementations will not only search usernames but will also search real names on the system. In this case, if we can find a system running a finger daemon that supports a lot of users (such as a university's e-mail server), we can try fingering a popular last name like Johnson, Jones, or Stewart. We'll be inundated with valid user IDs on the system!
Finger daemons were popular a few years ago, especially in academic settings. There's no good reason for running a finger daemon now, though, at least not publicly, because it divulges entirely too much information about your systems and the people using them. If you want to run finger daemons for your internal users to look up information, at least block it at the firewall (TCP port 79). Sadly, some older Unix distributions come with finger daemons preinstalled and listening, so you may occasionally find a system whose administrator has overlooked this service and left open a gaping information hole.
Many Cisco devices (routers and switches) run a finger daemon. While these daemons don't reveal any interesting information about the account, they do reveal the remote IP address of the user accessing the device. Thus, you can track down router administrators.
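To find overlooked finger daemons on hosts and network devices you administer, the following added example (not code from the original text) checks whether TCP port 79 accepts connections and answers the empty query line defined in RFC 1288. The function names and the report fields are assumptions made for this illustration; the script records only how much data the service returned, not its contents.

```python
"""Audit hosts you administer for a reachable finger service (TCP port 79)."""
import socket
import sys

FINGER_PORT = 79        # port named in the text above
MAX_REPLY = 64 * 1024   # stop reading after this many bytes


def check_finger(host, port=FINGER_PORT, timeout=3.0):
    """Report whether host:port accepts a connection and answers a finger query."""
    result = {"host": host, "port": port, "open": False,
              "responds": False, "bytes": 0, "lines": 0}
    body = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["open"] = True
            sock.sendall(b"\r\n")  # RFC 1288 empty query: list logged-in users
            try:
                while len(body) < MAX_REPLY:
                    chunk = sock.recv(4096)
                    if not chunk:      # daemon closed the connection
                        break
                    body += chunk
            except socket.timeout:
                pass                   # keep whatever arrived before the timeout
    except OSError:
        return result                  # refused, filtered, unreachable or reset
    result["bytes"] = len(body)
    result["lines"] = sum(1 for line in body.splitlines() if line.strip())
    result["responds"] = bool(body)
    return result


def audit(hosts, port=FINGER_PORT, timeout=3.0):
    """Return the check results for every host where the port is open."""
    results = (check_finger(h, port, timeout) for h in hosts)
    return [r for r in results if r["open"]]


if __name__ == "__main__":
    # Usage: python finger_audit.py host1 host2 ...  (your own inventory)
    for finding in audit(sys.argv[1:]):
        state = "answers queries" if finding["responds"] else "open, no reply"
        print(f'{finding["host"]}:{finding["port"]} {state} '
              f'({finding["lines"]} lines, {finding["bytes"]} bytes)')
```

Any host this reports should have the daemon disabled or, if it is kept for internal use, port 79 blocked at the firewall as described above.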