Nmap Development mailing list archives
fat-finger.nse
From: Ed Williams <Ed.Williams () ngssecure com>
Date: Tue, 30 Aug 2011 18:35:33 +0000
While finger.nse works a treat for enumerating currently authenticated users, a better alternative is to enumerate more users using the following modification (based on my experience) & yes, I still see the finger service around the place:

description = [[
Extension of finger.nse (Eddie Bell), which only dropped the current user, to
simply add generic users for additional username enumeration through the finger
service. Attempts to do an exact match on username field and a partial match on
GECOS field and report back.
]]

---
-- @output
-- PORT   STATE SERVICE VERSION
-- 79/tcp open  finger  Debian fingerd
-- | big-finger: finger: oracle: no such user.
-- | finger: sybase: no such user.
-- | finger: ingres: no such user.
-- | finger: db: no such user.
-- | finger: ftp: no such user.
-- | finger: help: no such user.
-- | Login: root                    Name: root
-- | Directory: /root               Shell: /bin/bash
-- | Last login Thu Nov 26 16:05 2009 (GMT) on pts/1 from 192.168.226.1
-- | No mail.
-- | No Plan.
-- |
-- | Login: mysql                   Name: MySQL Server
-- | Directory: /var/lib/mysql      Shell: /bin/false
-- | Never logged in.
-- | No mail.
-- | No Plan.
-- |
-- | Login: stest                   Name: local unix admin
-- | Directory: /home/stest         Shell: /bin/bash
-- | Never logged in.
-- | No mail.
-- | Plan:
-- |_cymru am byth
--
-- EDW - changed line number from 100 to 200, on large environments can easily enumerate 100+ users :)

author = "E D Williams <ed.williams () ngssecure com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}

require "comm"
require "shortport"

portrule = shortport.port_or_service(79, "finger")

action = function(host, port)
  local try = nmap.new_try()
  -- Single multi-user finger query; lines=200 so a large reply is not cut short.
  return try(comm.exchange(host, port,
    "root admin system unix oracle mysql sybase ingres db ftp help IT user test\r\n",
    {lines=200, proto=port.protocol, timeout=5000}))
end

Thanks,
Ed.
________________________________
Ed Williams
Managing Consultant
NGS Secure
Eastern Bypass, Thame, Oxon, OX9 3FF
Telephone: +44 (0)1844 210 300
Mobile: +44 (0)7545 502560
Fax: +44 (0)870 990 8423
Website: www.ngssecure.com
Email: Ed.Williams () ngssecure com

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
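To see exactly what a fingerd reply to such a multi-user query discloses, here is an added Python parser (not part of the post, of Nmap, or of the script above) that splits the reply into "no such user" lines and Login records, keeps the home directory and shell of each disclosed account, and flags records whose login was not one of the probed names (the GECOS partial match the description mentions). The reply text is constructed from the @output shown above, with the Nmap "| " prefixes removed and a few lines trimmed.

```python
import re

# Names sent in the script's single finger request.
PROBED = "root admin system unix oracle mysql sybase ingres db ftp help IT user test".split()

# Constructed sample reply, transcribed from the post's @output (trimmed).
SAMPLE_REPLY = """\
finger: oracle: no such user.
finger: sybase: no such user.
Login: root                            Name: root
Directory: /root                        Shell: /bin/bash
Last login Thu Nov 26 16:05 2009 (GMT) on pts/1 from 192.168.226.1
No mail.
No Plan.

Login: mysql                           Name: MySQL Server
Directory: /var/lib/mysql               Shell: /bin/false
Never logged in.
No mail.
No Plan.

Login: stest                           Name: local unix admin
Directory: /home/stest                  Shell: /bin/bash
Never logged in.
No mail.
Plan:
cymru am byth
"""

NO_USER = re.compile(r"^finger: (\S+): no such user\.$")
LOGIN = re.compile(r"^Login: (\S+)\s+Name: (.*?)\s*$")
DIR_SHELL = re.compile(r"^Directory: (\S+)\s+Shell: (\S+)\s*$")

def parse_finger_reply(reply, probed):
    """Return (unknown_names, accounts): names the server rejected, and one dict
    per Login record it disclosed. 'exact_probe' is False when the login was not
    in the probe list, i.e. the daemon matched it some other way (e.g. GECOS)."""
    unknown, accounts, current = [], [], None
    for line in reply.splitlines():
        m = NO_USER.match(line)
        if m:
            unknown.append(m.group(1))
            continue
        m = LOGIN.match(line)
        if m:
            current = {"login": m.group(1), "name": m.group(2),
                       "exact_probe": m.group(1) in probed}
            accounts.append(current)
            continue
        m = DIR_SHELL.match(line)
        if m and current is not None:
            current["home"], current["shell"] = m.group(1), m.group(2)
    return unknown, accounts
```

Accounts whose shell is something other than /bin/false or /usr/sbin/nologin are the ones worth reviewing first, since the reply confirms both the login and that it is interactive.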