Exploiting the Finger Service (Port 79) on Linux: A Pentester’s Guide

The Finger protocol, once a staple of early Unix systems, is now a mostly forgotten relic. But when you do encounter it on a target, port 79 can offer surprisingly useful enumeration data — and sometimes even lead to privilege escalation or lateral movement.

In this post, we’ll break down:

  • What the Finger service is
  • How to enumerate users via port 79
  • Practical commands
  • How to weaponize the info during an engagement

The Finger protocol was designed to return information about users on a remote system. It typically runs on TCP port 79 and allows a remote client to ask for:

  • A list of currently logged-in users
  • Info about specific users (full name, home directory, shell, last login)

Back in the 80s, this was normal. Today? It’s a security liability.

If a Linux box has the Finger daemon (fingerd) running:

  • You can enumerate valid system users
  • You may discover usernames that can be used in:
    • SSH bruteforce
    • Password spraying
    • Kerberos attacks (if joined to a domain)
  • It could leak login activity (last login, login times, TTY sessions)

Start by checking whether the port is open and running nmap's finger script:

nmap -p 79 <target-ip> --script=finger

Or just:

nmap -p 79 <target-ip>

You can query the service with the finger client (if installed) or with netcat.

# List users currently logged in (sometimes restricted)
finger @<target-ip>

# Query a specific user
finger <username>@<target-ip>

With netcat, connect to the port directly:

nc <target-ip> 79

Then type a username (e.g. john) and press Enter. Example:

john

Response may look like:

Login: john                          Name: John Doe
Directory: /home/john                Shell: /bin/bash
Last login Mon Jul  1 10:02 (UTC) on tty1

Look for:

  • Valid usernames
  • Shell paths (to spot service or system users)
  • Last login timestamps (helpful for targeting active users)
  • Home directories (/home/<user> paths — useful for file access)

Once you have valid usernames:

hydra -l john -P /usr/share/wordlists/rockyou.txt ssh://<target-ip>

Or:

patator ssh_login host=<target-ip> user=john password=FILE0 0=rockyou.txt

If the output shows a user logged in via pts/0 or tty1, the system may be vulnerable to:

  • TTY hijacking (if you already have a low-privilege shell)
  • Session snooping or abuse via /dev/pts/* (rare, but possible)

Some systems with Finger enabled are old or forgotten — worth testing known/default creds like:

ssh john@<target-ip>
# Try: john / john123 / password / <hostname>

The Finger service should never be exposed on modern systems:

  • Disable the fingerd daemon
  • Filter port 79 at the firewall
  • Monitor connections for unusual access attempts
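
A defender-side check for the first two hardening items above, as an added example that is not part of the original post. It assumes fingerd is started from inetd or xinetd and that `ss -ltn` output has been saved to a file; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): verify that finger is disabled.
# Each check reads a file, so it works on saved output as well as live data.

# 0 (true) if an inetd.conf-style file has an uncommented finger entry.
inetd_finger_enabled() {
    grep -Eq '^[[:space:]]*finger[[:space:]]' "$1"
}

# 0 (true) if an xinetd service file defines finger without "disable = yes".
xinetd_finger_enabled() {
    awk '{ line = $0; gsub(/[ \t]/, "", line) }
         line ~ /^#/ { next }
         $1 == "service" && $2 == "finger" { in_svc = 1; found = 1; next }
         in_svc && line == "disable=yes" { disabled = 1 }
         in_svc && line == "}" { in_svc = 0 }
         END { exit !(found && !disabled) }' "$1"
}

# 0 (true) if saved `ss -ltn` output shows a listener on TCP port 79.
port79_listening() {
    awk '$1 == "LISTEN" && $4 ~ /:79$/ { hit = 1 } END { exit !hit }' "$1"
}

# Report every finding for one host; returns non-zero if any check fails.
audit_finger() {
    rc=0
    inetd_finger_enabled "$1"  && { echo "FAIL inetd entry active: $1"; rc=1; }
    xinetd_finger_enabled "$2" && { echo "FAIL xinetd service enabled: $2"; rc=1; }
    port79_listening "$3"      && { echo "FAIL listener on tcp/79: $3"; rc=1; }
    return $rc
}

# Constructed sample inputs: one hardened host, one exposed host.
SAMPLES=$(mktemp -d)
printf '%s\n' '#finger stream tcp nowait nobody /usr/sbin/tcpd /usr/sbin/in.fingerd' \
    > "$SAMPLES/inetd.hardened"
printf '%s\n' 'finger stream tcp nowait nobody /usr/sbin/tcpd /usr/sbin/in.fingerd' \
    > "$SAMPLES/inetd.exposed"
printf '%s\n' 'service finger' '{' '    socket_type = stream' \
    '    server = /usr/sbin/in.fingerd' '    disable = yes' '}' \
    > "$SAMPLES/xinetd.hardened"
grep -v disable "$SAMPLES/xinetd.hardened" > "$SAMPLES/xinetd.exposed"
printf '%s\n' 'State  Recv-Q Send-Q Local Address:Port Peer Address:Port' \
    'LISTEN 0      128    0.0.0.0:22         0.0.0.0:*' \
    'LISTEN 0      128    0.0.0.0:179        0.0.0.0:*' > "$SAMPLES/ss.hardened"
{ cat "$SAMPLES/ss.hardened"; echo 'LISTEN 0 128 0.0.0.0:79 0.0.0.0:*'; } \
    > "$SAMPLES/ss.exposed"
```

On a live host, pass the real inetd.conf, the xinetd finger service file and a file holding `ss -ltn` output to audit_finger; a non-zero return means at least one hardening item is still open.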

Imagine you run:

nc 10.10.10.14 79

And type:

aisha

Response:

Login: aisha                 Name: Aisha Mbali
Directory: /home/aisha       Shell: /bin/bash
Last login Tue Jul  2 11:45 on tty1

Now you’ve confirmed:

  • aisha is a valid user
  • The account is actively used
  • The shell is interactive (/bin/bash)
  • You can start brute-forcing or crafting a privilege escalation path

Even though Finger is ancient, when it’s enabled on a system, it can give you an unfiltered look into the target’s userbase. This kind of recon can be a launchpad for serious exploitation.

In a pentest, every leak is a lead — and Finger leaks like a broken faucet.
