Nmap Development mailing list archives

fat-finger.nse


From: Ed Williams <Ed.Williams () ngssecure com>
Date: Tue, 30 Aug 2011 18:35:33 +0000

While the finger.nse works a treat for enumerating currently authenticated users, a better alternative is to enumerate
more users using the following modification (based on my experience) & yes, I still see the finger service around the
place:

description = [[
Extension of finger.nse (Eddie Bell), which only dropped the current user, to simply add generic users for additional 
username enumeration through the finger service.
Attempts to do an exact match on username field and a partial match on GECOS field and report back.
]]

---
-- @output
-- PORT   STATE SERVICE VERSION
-- 79/tcp open  finger  Debian fingerd
-- | big-finger: finger: oracle: no such user.
-- | finger: sybase: no such user.
-- | finger: ingres: no such user.
-- | finger: db: no such user.
-- | finger: ftp: no such user.
-- | finger: help: no such user.
-- | Login: root                                   Name: root
-- | Directory: /root                      Shell: /bin/bash
-- | Last login Thu Nov 26 16:05 2009 (GMT) on pts/1 from 192.168.226.1
-- | No mail.
-- | No Plan.
-- |
-- | Login: mysql                                  Name: MySQL Server
-- | Directory: /var/lib/mysql             Shell: /bin/false
-- | Never logged in.
-- | No mail.
-- | No Plan.
-- |
-- | Login: stest                                  Name: local unix admin
-- | Directory: /home/stest                Shell: /bin/bash
-- | Never logged in.
-- | No mail.
-- | Plan:
-- |_cymru am byth

-- EDW - changed line number from 100 to 200, on large environments can easily enumerate 100+ users :)

author = "E D Williams <ed.williams () ngssecure com>"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

categories = {"default", "discovery", "safe"}

local comm = require "comm"
local nmap = require "nmap"
local shortport = require "shortport"

portrule = shortport.port_or_service(79, "finger")

-- Candidate accounts sent in a single finger query. The daemon answers each
-- miss with "finger: <name>: no such user." and each hit with a Login/Name block.
local candidates = "root admin system unix oracle mysql sybase ingres db ftp help IT user test"

action = function(host, port)
  local try = nmap.new_try()

  -- One request, reading up to 200 reply lines (raised from finger.nse's 100).
  return try(comm.exchange(host, port, candidates .. "\r\n",
    {lines = 200, proto = port.protocol, timeout = 5000}))
end

Diolch,

Ed.
________________________________
Ed Williams
Managing Consultant
NGS Secure
Eastern Bypass Thame
Oxon, OX9 3FF

Telephone: +44 (0)1844 210 300
Mobile: +44 (0)7545 502560
Fax: +44 (0)870 990 8423
Website: www.ngssecure.com<http://www.ngssecure.com>
Email:  Ed.Williams () ngssecure com<mailto:Ed.Williams () ngssecure com>
________________________________

This email is sent for and on behalf of NGS Secure Limited (Registered in England CRN: 04474600). The ultimate holding 
company is NCC Group plc (Registered in England CRN: 4627044). Registered Office: Manchester Technology Centre, Oxford 
Road, Manchester, M1 7EF

Confidentiality: This e-mail contains proprietary information, some or all of which may be confidential and/or legally 
privileged. It is for the intended recipient only. If an addressing or transmission error has misdirected this e-mail, 
please notify the author by replying to this e-mail and then delete the original. If you are not the intended recipient 
you may not use, disclose, distribute, copy, print or rely on any information contained in this e-mail. You must not 
inform any other person other than NCC Group or the sender of its existence.

For more information about NGS Secure please visit www.ngssecure.com<http://www.ngssecure.com>

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
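The technique in the post is a single finger query carrying several candidate usernames, with hits and misses told apart by the shape of each reply line. The following is an added example, not code from the original post or from Nmap: a small Python client that builds the same RFC 1288 query line fat-finger.nse sends, reads the reply, and parses it into found and not-found accounts. The sample reply is constructed from the @output in the post; the candidate list, the parsing regexes and the one-per-query fallback (for daemons that only honour a single name per request, which is an assumption, not something the post states) are the example's own.

```python
"""Finger username enumeration helper (added example, not part of the post or of Nmap)."""
import re
import socket

# Same candidate list fat-finger.nse sends; the IT/user/test names are generic guesses.
CANDIDATES = ["root", "admin", "system", "unix", "oracle", "mysql",
              "sybase", "ingres", "db", "ftp", "help", "IT", "user", "test"]

# Constructed sample reply modelled on the @output shown in the post.
SAMPLE_REPLY = """finger: oracle: no such user.
finger: sybase: no such user.
Login: root                                   Name: root
Directory: /root                      Shell: /bin/bash
Last login Thu Nov 26 16:05 2009 (GMT) on pts/1 from 192.168.226.1
No mail.
No Plan.

Login: mysql                                  Name: MySQL Server
Directory: /var/lib/mysql             Shell: /bin/false
Never logged in.
No mail.
No Plan.
"""

# Reply-line shapes: a miss, the header of a hit, and the home/shell line of a hit.
NO_SUCH = re.compile(r"^finger: (\S+): no such user\.?$")
LOGIN = re.compile(r"^Login: (\S+)\s+Name: (.*?)\s*$")
SHELL = re.compile(r"^Directory: (\S+)\s+Shell: (\S+)")


def build_query(users):
    """RFC 1288 query: space-separated names terminated by CRLF."""
    return " ".join(users) + "\r\n"


def parse_reply(text):
    """Split a fingerd reply into {login: {name, home, shell}} and a list of misses."""
    found, missing, current = {}, [], None
    for line in text.splitlines():
        m = NO_SUCH.match(line)
        if m:
            missing.append(m.group(1))
            continue
        m = LOGIN.match(line)
        if m:
            current = m.group(1)
            found[current] = {"name": m.group(2), "home": None, "shell": None}
            continue
        m = SHELL.match(line)
        if m and current:
            found[current]["home"], found[current]["shell"] = m.group(1), m.group(2)
    return found, missing


def _finger_raw(host, port, query, timeout):
    """Send one query and read until the daemon closes the connection or times out."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(query.encode())
        chunks = []
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def finger_enumerate(host, users=CANDIDATES, port=79, timeout=5.0, one_per_query=False):
    """Enumerate users over finger. one_per_query=True sends a separate request per
    name (assumption: some daemons answer only the first name of a multi-name query)."""
    if not one_per_query:
        return parse_reply(_finger_raw(host, port, build_query(users), timeout))
    found, missing = {}, []
    for user in users:
        f, m = parse_reply(_finger_raw(host, port, build_query([user]), timeout))
        found.update(f)
        missing.extend(m)
    return found, missing


if __name__ == "__main__":
    hits, misses = parse_reply(SAMPLE_REPLY)
    print("found:", ", ".join(f"{u} ({d['shell']})" for u, d in hits.items()))
    print("no such user:", ", ".join(misses))
```

Parsing the reply rather than dumping it is what makes the result usable downstream: accounts with a real shell (`/bin/bash`) are candidates for password guessing, while `/bin/false` service accounts are still useful as confirmation of installed software (MySQL above). Note that the script's "no such user" lines are themselves a signal, since a daemon that distinguishes unknown names from known ones is what makes this enumeration possible in the first place.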

