Nmap Development mailing list archives
Re: fat-finger.nse
From: David Fifield <david () bamsoftware com>
Date: Thu, 24 May 2012 16:03:27 -0700
On Tue, Aug 30, 2011 at 06:35:33PM +0000, Ed Williams wrote:
While the finger.nse works a treat for enumerating current authenticated users, a better alternative is to enumerate more users using the following modification (based on my experience) & yes, I still see the finger service around the place:

    -- fat-finger.nse
    local comm = require "comm"
    local nmap = require "nmap"
    local shortport = require "shortport"

    description = [[
    Extension of finger.nse (Eddie Bell), which only dropped the current user, to
    simply add generic users for additional username enumeration through the
    finger service. Attempts to do an exact match on username field and a partial
    match on GECOS field and report back.
    ]]

    categories = {"default", "discovery", "safe"}

    portrule = shortport.port_or_service(79, "finger")

    action = function(host, port)
      local try = nmap.new_try()
      -- One request carrying a space-separated list of candidate names; the
      -- daemon's reply (up to 200 lines) is returned verbatim as script output.
      return try(comm.exchange(host, port,
        "root admin system unix oracle mysql sybase ingres db ftp help IT user test\r\n",
        {lines = 200, proto = port.protocol, timeout = 5000}))
    end
Hi Ed,

I realize it's been a long time since you submitted this script. Do you recall what finger server you tested this against? I don't see documentation that supports a list of user names separated by spaces. RFC 742 says, "Both ITS and SAIL sites allow several names to be included on the line, separated by commas..." and I don't see anything about multiple names in RFC 1288 at all.

I can see this becoming a finger-enum-users script that uses the unpwdb library to test names one by one or in batches.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
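The finger-enum-users idea floated in the reply above, sketched as an added example. This is not code from the thread and not a script shipped with Nmap: it fingers each name from the unpwdb username list in its own connection (one name per request, since neither RFC 742 nor RFC 1288 promises that a daemon accepts several names at once) and reports the names whose reply does not look like a rejection. The rejection phrases, the script-argument names (finger-enum-users.timeout, finger-enum-users.reject) and the "every name hit" guard are assumptions of this example, not documented NSE or finger behaviour.

```lua
-- finger-enum-users.nse (illustrative example; not an Nmap-distributed script)
local comm = require "comm"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"
local unpwdb = require "unpwdb"

description = [[
Enumerates user names through the finger service by fingering each candidate
from the unpwdb username list individually and reporting those the daemon
answers with account details rather than a "no such user" style rejection.
]]

categories = {"auth", "intrusive"} -- one connection per candidate; not "safe"

portrule = shortport.port_or_service(79, "finger")

-- Phrases that mark a rejected lookup. ASSUMPTION: these match common
-- BSD-derived finger daemons; others may word rejections differently, so an
-- extra phrase can be supplied with --script-args finger-enum-users.reject=...
local DEFAULT_REJECTS = { "no such user", "not found", "unknown user" }

-- A reply counts as a hit unless it is empty or contains a rejection phrase.
local function looks_like_hit(reply, rejects)
  if not reply or #reply == 0 then
    return false
  end
  local lower = reply:lower()
  for _, phrase in ipairs(rejects) do
    if lower:find(phrase, 1, true) then -- plain substring search, not a pattern
      return false
    end
  end
  return true
end

action = function(host, port)
  local timeout = (tonumber(stdnse.get_script_args(SCRIPT_NAME .. ".timeout")) or 5) * 1000
  local rejects = {}
  for _, phrase in ipairs(DEFAULT_REJECTS) do
    table.insert(rejects, phrase)
  end
  local extra = stdnse.get_script_args(SCRIPT_NAME .. ".reject")
  if extra then
    table.insert(rejects, tostring(extra):lower())
  end

  local try = nmap.new_try()
  local usernames = try(unpwdb.usernames()) -- closure yielding one name per call

  local found, tried = {}, 0
  for name in usernames do
    tried = tried + 1
    -- RFC 1288 query is "{U}<CRLF>"; the daemon closes the connection after
    -- answering, so a single comm.exchange per name captures the whole reply.
    local status, reply = comm.exchange(host, port, name .. "\r\n",
      { lines = 20, proto = port.protocol, timeout = timeout })
    if status and looks_like_hit(reply, rejects) then
      table.insert(found, name)
    end
  end

  -- Guard against daemons that answer every query the same way (for example
  -- by ignoring the name and listing logged-in users): if nothing was ever
  -- rejected, the hits carry no information about which names exist.
  if tried > 1 and #found == tried then
    return "Daemon answered every candidate identically; no rejection text " ..
           "recognised. Supply one with " .. SCRIPT_NAME .. ".reject"
  end
  if #found == 0 then
    return nil
  end
  return found -- NSE renders a plain table as one line per entry
end
```

Before trusting the output against an unfamiliar daemon, finger an obviously bogus name by hand (`finger nosuchuser@target`) and compare its reply with a known account's; if the rejection wording differs from the defaults above, pass it via finger-enum-users.reject so the hit test is calibrated to that implementation.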