As shown in the Telnet section, fingeris very useful tool. Fingercan be
used in more situations that you would imagine. Let us look at some
interesting tricks with finger.
A fingercommand without any specified username would return all users
logged on to the server. Typical output of a fingercommand look like this:
> finger @196.xxx.129.66
[196.xxx.129.66]
Login Name Tty Idle Login Time Office Office Phone
davidssh Shuaib pts/1 Sep 12 17:35 (pc22285)
root root tty1 1d Sep 11 17:03
We see that "root" and "davidssh" is logged on. Note that "davidssh" is
active on the host - no idle time. The rest of the fields are actually quite
straightforward. Some servers do not return information unless a username is
given.
A fingercommand with a username specified returns more information about
the user. Heck NO! I think everybody knows how fingerworks (check for new
mail, check the shell) - let us jump straight to the more interesting finger
commands. A fingercommand can be done on username, or any part of the
"name" field. This statement is more interesting that you might think. Let
us show an example. Nether.netis a free shell server, and the ideal place
to test this. Observe the following fingercommand and the output (extract):
> finger test@nether.net
[nether.net]
Login Name TTY Idle When Where
test jhgsafgkdjs pts/3 <Jan 2, 2000> swara.ece.iisc.e
arcady aka test 935 <Jan 26, 2000> ppp88.dnttm.ro
k5drm TEst pts/48 <Jan 23, 2000> cm733016-a.ftwrt
test1 Test Test 165 <Jan 20, 2000> alpha1.csd.uwm.e
dogmata test pts/27 <Feb 21, 2000>
uidplate Prime Test 237 <Apr 13 13:25> gramvousa2.tem.u
testuzer test user pts/19 <Mar 25, 2000> tnt11a-154.focal
kosir Test < . . . . >
wman test pts/40 <Sep 5 18:02> FAIRVIEWPARK-189
testing Test pts/42 <Apr 22 03:08> pd01-54.inet-x.n
test1234 Test pts/47 <Apr 28 03:08> cwc373.emirates.
Information is return when any part of either the username or “real name”
matches the word "test" (not case sensitive). Imagine a system where there
is unique usernames, but a common entry in the “real name” field - a finger
on the common entry would return the information on all the users (a
university with the student number as username and "student XXXX" as real
name comes to mind).
Another interesting finger command is the finger 0@victimcommand. I have
read somewhere that this return information on users that haven't logged in.
Yippee. Just figure out the default password scheme from the system, and
these usernames is your ticket in there. Let's see it in action:
>finger 0@196.xxx.131.14
[196.xxx.131.14]
Login Name TTY Idle When Where
daemon ??? < . . . . >
bin ??? < . . . . >
sys ??? < . . . . >
jacques ??? pts/0 <Sep 23 20:34> for36-01-p36.wc.
kim ??? pts/4 <Aug 22 21:03> 196.xxx.134.xx
oracle ??? pts/0 <Aug 11 12:22> cte-nms.xxxxx
langh ??? pts/2 <Aug 11 11:02> 196.25.xxx.207
david ??? pts/0 <Sep 20 08:27> oogly.xxx.co.za
ars ??? pts/2 <Sep 20 11:33> 196.25.xxx.140
arsystem ??? < . . . . >
Now this is what I don't get - if finger 0returns users that haven't logged
in, how come some "where" fields are populated? This fingercommand rarely
works - SUN/Solaris Unix is the only variant (that I came across) that
exhibits this behavior (finger .@victimsometimes produce the same results -
experiment).
Finger hopping works like this - finger [whatever]@victim1@victim2. Let us
assume that the finger port on victim1 is blocked:
# finger @196.xxx.131.12
[196.41.131.12]
finger: read: Operation timed out
We know that the finger port on victim2 is open:
# finger @196.xxx.131.14
[196.41.131.14]
No one logged on
Now, let us hop from victim2 to victim1:
# finger @196.xxx.131.12@196.xxx.131.14
[196.xxx.131.14]
[196.xxx.131.12]
Login Name TTY Idle When Where
root Super-User console 9:07 Mon 11:44 :0
Ha! Information is returned from victim1, although the finger port is
blocked. Should victim1 have logged the fingerrequest (it's rarely logged
really), it would seems as though the request was coming from victim2.
Obviously this type of fingercommand can be crafted as wished (e.g. Finger
-l 0@v1@v2)
Fingeris really just a client for the finger service that lives on port 79.
Und? Situation: you compromised a router, having a prompt, and you wish to
attack a Unix server behind the router. You want to use the finger command
to get valid usernames, but the router does not have a finger client. The
fingercan be done using a normal TCP connection - initiated by the telnet
client. Examples:
> telnet 196.xxx.131.14 79
Trying 196.xxx.131.14...
Connected to xxx.co.za.
Escap
<cr>
e character is '^]'.
No one logged on
Connection closed by foreign host.
> telnet 196.xxx.131.14 79
Trying 196.xxx.131.14...
Connected to xxx.co.za.
Escape character is '^]'.
root
Login Name TTY Idle When Where
root Super-User console <Sep 18 11:46>
Connection closed by foreign host.
Any kind of fingercan be performed this way - simple enter field before the
@after the connection has been established.
used in more situations that you would imagine. Let us look at some
interesting tricks with finger.
A fingercommand without any specified username would return all users
logged on to the server. Typical output of a fingercommand look like this:
> finger @196.xxx.129.66
[196.xxx.129.66]
Login Name Tty Idle Login Time Office Office Phone
davidssh Shuaib pts/1 Sep 12 17:35 (pc22285)
root root tty1 1d Sep 11 17:03
We see that "root" and "davidssh" is logged on. Note that "davidssh" is
active on the host - no idle time. The rest of the fields are actually quite
straightforward. Some servers do not return information unless a username is
given.
A fingercommand with a username specified returns more information about
the user. Heck NO! I think everybody knows how fingerworks (check for new
mail, check the shell) - let us jump straight to the more interesting finger
commands. A fingercommand can be done on username, or any part of the
"name" field. This statement is more interesting that you might think. Let
us show an example. Nether.netis a free shell server, and the ideal place
to test this. Observe the following fingercommand and the output (extract):
> finger test@nether.net
[nether.net]
Login Name TTY Idle When Where
test jhgsafgkdjs pts/3 <Jan 2, 2000> swara.ece.iisc.e
arcady aka test 935 <Jan 26, 2000> ppp88.dnttm.ro
k5drm TEst pts/48 <Jan 23, 2000> cm733016-a.ftwrt
test1 Test Test 165 <Jan 20, 2000> alpha1.csd.uwm.e
dogmata test pts/27 <Feb 21, 2000>
uidplate Prime Test 237 <Apr 13 13:25> gramvousa2.tem.u
testuzer test user pts/19 <Mar 25, 2000> tnt11a-154.focal
kosir Test < . . . . >
wman test pts/40 <Sep 5 18:02> FAIRVIEWPARK-189
testing Test pts/42 <Apr 22 03:08> pd01-54.inet-x.n
test1234 Test pts/47 <Apr 28 03:08> cwc373.emirates.
Information is return when any part of either the username or “real name”
matches the word "test" (not case sensitive). Imagine a system where there
is unique usernames, but a common entry in the “real name” field - a finger
on the common entry would return the information on all the users (a
university with the student number as username and "student XXXX" as real
name comes to mind).
Another interesting finger command is the finger 0@victimcommand. I have
read somewhere that this return information on users that haven't logged in.
Yippee. Just figure out the default password scheme from the system, and
these usernames is your ticket in there. Let's see it in action:
>finger 0@196.xxx.131.14
[196.xxx.131.14]
Login Name TTY Idle When Where
daemon ??? < . . . . >
bin ??? < . . . . >
sys ??? < . . . . >
jacques ??? pts/0 <Sep 23 20:34> for36-01-p36.wc.
kim ??? pts/4 <Aug 22 21:03> 196.xxx.134.xx
oracle ??? pts/0 <Aug 11 12:22> cte-nms.xxxxx
langh ??? pts/2 <Aug 11 11:02> 196.25.xxx.207
david ??? pts/0 <Sep 20 08:27> oogly.xxx.co.za
ars ??? pts/2 <Sep 20 11:33> 196.25.xxx.140
arsystem ??? < . . . . >
Now this is what I don't get - if finger 0returns users that haven't logged
in, how come some "where" fields are populated? This fingercommand rarely
works - SUN/Solaris Unix is the only variant (that I came across) that
exhibits this behavior (finger .@victimsometimes produce the same results -
experiment).
Finger hopping works like this - finger [whatever]@victim1@victim2. Let us
assume that the finger port on victim1 is blocked:
# finger @196.xxx.131.12
[196.41.131.12]
finger: read: Operation timed out
We know that the finger port on victim2 is open:
# finger @196.xxx.131.14
[196.41.131.14]
No one logged on
Now, let us hop from victim2 to victim1:
# finger @196.xxx.131.12@196.xxx.131.14
[196.xxx.131.14]
[196.xxx.131.12]
Login Name TTY Idle When Where
root Super-User console 9:07 Mon 11:44 :0
Ha! Information is returned from victim1, although the finger port is
blocked. Should victim1 have logged the fingerrequest (it's rarely logged
really), it would seems as though the request was coming from victim2.
Obviously this type of fingercommand can be crafted as wished (e.g. Finger
-l 0@v1@v2)
Fingeris really just a client for the finger service that lives on port 79.
Und? Situation: you compromised a router, having a prompt, and you wish to
attack a Unix server behind the router. You want to use the finger command
to get valid usernames, but the router does not have a finger client. The
fingercan be done using a normal TCP connection - initiated by the telnet
client. Examples:
> telnet 196.xxx.131.14 79
Trying 196.xxx.131.14...
Connected to xxx.co.za.
Escap
<cr>
e character is '^]'.
No one logged on
Connection closed by foreign host.
> telnet 196.xxx.131.14 79
Trying 196.xxx.131.14...
Connected to xxx.co.za.
Escape character is '^]'.
root
Login Name TTY Idle When Where
root Super-User console <Sep 18 11:46>
Connection closed by foreign host.
Any kind of fingercan be performed this way - simple enter field before the
@after the connection has been established.
No comments:
Post a Comment