Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: fat-finger.nse
From: David Fifield <david () bamsoftware com>
Date: Thu, 24 May 2012 16:03:27 -0700

On Tue, Aug 30, 2011 at 06:35:33PM +0000, Ed Williams wrote:
While the finger.nse works a treat for enumerating current authenticated users; a better alternative is to enumerate 
more users using the following modification (based on my experience) & yes,  I still see the finger service around 
the place:

description = [[
Extension of finger.nse (Eddie Bell), which only dropped the current user, to simply add generic users for additional 
username enumeration through the finger service.
Attempts to do an exact match on username field and a partial match on GECOS field and report back.

categories = {"default", "discovery", "safe"}

require "comm"
require "shortport"

portrule = shortport.port_or_service(79, "finger")

action = function(host, port)
     local try = nmap.new_try()

     return try(comm.exchange(host, port, "root admin system unix oracle mysql sybase ingres db ftp help IT user 
           {lines=200, proto=port.protocol, timeout=5000}))

Hi Ed,

I realize it's been a long time since you submitted this script. Do you
recall what finger server you tested this against? I don't see
documentation that supports a list of user names separated by spaces.
RFC 742 says, "Both ITS and SAIL sites allow several names to be
included on the line, separated by commas..." and I don't see anything
about multiple names in RFC 1288 at all.

I can see this becoming a finger-enum-users script that uses the unpwdb
library to test names one by one or in batches.

David Fifield
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
  • Re: fat-finger.nse David Fifield (May 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]