Nmap Development mailing list archives

Re: fat-finger.nse


From: David Fifield <david () bamsoftware com>
Date: Thu, 24 May 2012 16:03:27 -0700

On Tue, Aug 30, 2011 at 06:35:33PM +0000, Ed Williams wrote:
While the finger.nse works a treat for enumerating current authenticated users, a better alternative is to enumerate more users using the following modification (based on my experience) & yes, I still see the finger service around the place:

description = [[
Extension of finger.nse (Eddie Bell), which only dropped the current user, to simply add generic users for additional
username enumeration through the finger service.
Attempts to do an exact match on username field and a partial match on GECOS field and report back.
]]

categories = {"default", "discovery", "safe"}

-- NSE libraries are bound to locals so the script also loads under the
-- Lua 5.2-based NSE, where a bare require does not create a global.
local comm = require "comm"
local shortport = require "shortport"

portrule = shortport.port_or_service(79, "finger")

action = function(host, port)
     local try = nmap.new_try()

     -- Send all candidate names in one space-separated request line and
     -- return whatever the finger daemon replies (up to 200 lines).
     -- The query must stay on one line: a Lua string literal cannot span a line break.
     return try(comm.exchange(host, port, "root admin system unix oracle mysql sybase ingres db ftp help IT user test\r\n",
           {lines=200, proto=port.protocol, timeout=5000}))
end

Hi Ed,

I realize it's been a long time since you submitted this script. Do you
recall what finger server you tested this against? I don't see
documentation that supports a list of user names separated by spaces.
RFC 742 says, "Both ITS and SAIL sites allow several names to be
included on the line, separated by commas..." and I don't see anything
about multiple names in RFC 1288 at all.

I can see this becoming a finger-enum-users script that uses the unpwdb
library to test names one by one or in batches.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
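To make David's point about the query syntax concrete, here is an added example (not code from the thread or from Nmap) that parses a finger request line against the grammar in RFC 1288 section 2.3 and shows why the space-separated line from fat-finger.nse is not a well-formed query, while one request per name is. The parser and the single_user_queries helper are my own constructions for illustration.

```python
# RFC 1288 section 2.3 query grammar (abridged):
#   {Q1} ::= [{W}|{W}{S}{U}]{C}        query answered by the local host
#   {Q2} ::= [{W}{S}][{U}]{H}{C}       query forwarded via {H} ::= @hostname{H}
#   {W}  ::= /W (verbose)   {S} ::= one or more SP   {C} ::= CRLF
# {U} is a single username token, so the RFC defines no list syntax at all.

def parse_finger_query(raw: bytes) -> dict:
    """Parse one finger request line per RFC 1288; 'valid' is False when the
    line does not match the grammar (a server's behaviour is then undefined)."""
    result = {"verbose": False, "user": None, "hosts": [], "valid": False}
    if not raw.endswith(b"\r\n"):               # {C} is mandatory
        return result
    line = raw[:-2].decode("ascii", errors="replace")
    if line.startswith("/W"):                   # {W} verbose switch
        result["verbose"] = True
        line = line[2:]
        if line and not line.startswith(" "):   # {W}{S}{U}: a space must follow /W
            return result
        line = line.lstrip(" ")
    at = line.find("@")                         # {H} chain starts at the first '@'
    if at >= 0:
        user_part, hosts = line[:at], line[at:].split("@")[1:]
        if any(h == "" or " " in h for h in hosts):
            return result
        result["hosts"] = hosts
    else:
        user_part = line
    if " " in user_part:                        # {U} never contains SP
        return result
    result["user"] = user_part or None          # empty {U} means "list all users"
    result["valid"] = True
    return result

def single_user_queries(names):
    """Build one {U}{C} request per name: the one-by-one form David suggests,
    instead of a single space-separated line."""
    return [n.encode("ascii") + b"\r\n" for n in names if " " not in n]

# The request line sent by fat-finger.nse, as quoted in the thread.
FAT_FINGER = b"root admin system unix oracle mysql sybase ingres db ftp help IT user test\r\n"

if __name__ == "__main__":
    print(parse_finger_query(FAT_FINGER))          # valid: False
    for q in single_user_queries(FAT_FINGER[:-2].decode().split()):
        print(parse_finger_query(q))               # one valid query per name
```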