-
Help with FINGERD
A friend of mine has a network. He is convinced he doesn't need a security analyst. Or, as it seems, security at all. Anyway, I am in need of a job, so he tells me, "you hack my box and sell me the exploit info." So I have been scanning and fingerprinting his ass.
I found he has a *nix box. This is what I found when scanning that.
TELNET
23: [255]
[251][1][255][251][3][255][253][24][255][253][31][13][10]
[13][10]
User Access Verification[13][10]
[13][10]
Password:
FINGER
79: [13]
[10]
Line User Host(s) Idle Location[13][10]
* 66 vty 0 idle 00:00:00
Kay, well... I have no idea about the FINGER daemon. How can it be exploited? All I can seem to remember about FINGER was an article I read in 2600 about it being the most exploitable blah blah blah..... Anyway, this is good news to me. BUT any info at all would be GREATLY appreciated.
-
finger is a service that lets you see who is logged into the system and a little about them like last login, new mail, unread mail, the users $HOME directory, and their .plan file.
The way this can be exploited is most commonly in information gathering. Remotely you can use finger on a domain name and get information about who is logged into the system and on which tty.
A couple of other simple networking utilities that produce interesting output are `rusers', `showmount', `host' and `whois'.
Here is an example of the hosts command in action.
# host -l -v -t any bu.edu
Found 1 addresses for BU.EDU
Found 1 addresses for RS0.INTERNIC.NET
Found 1 addresses for SOFTWARE.BU.EDU
Found 5 addresses for RS.INTERNIC.NET
Found 1 addresses for NSEGC.BU.EDU
Trying 128.197.27.7
bu.edu 86400 IN SOA BU.EDU HOSTMASTER.BU.EDU(
961112121 ;serial (version)
900 ;refresh period
900 ;retry refresh this often
604800 ;expiration period
86400 ;minimum TTL
)
bu.edu 86400 IN NS SOFTWARE.BU.EDU
bu.edu 86400 IN NS RS.INTERNIC.NET
bu.edu 86400 IN NS NSEGC.BU.EDU
bu.edu 86400 IN A 128.197.27.7
And here is a nifty output on that domain using whois.
bu.edu 86400 IN HINFO SUN-SPARCSTATION-10/41 UNIX
PPP-77-25.bu.edu 86400 IN A 128.197.7.237
PPP-77-25.bu.edu 86400 IN HINFO PPP-HOST PPP-SW
PPP-77-26.bu.edu 86400 IN A 128.197.7.238
PPP-77-26.bu.edu 86400 IN HINFO PPP-HOST PPP-SW
ODIE.bu.edu 86400 IN A 128.197.10.52
ODIE.bu.edu 86400 IN MX 10 CS.BU.EDU
ODIE.bu.edu 86400 IN HINFO DEC-ALPHA-3000/300LX OSF1
STRAUSS.bu.edu 86400 IN HINFO PC-PENTIUM DOS/WINDOWS
BURULLUS.bu.edu 86400 IN HINFO SUN-3/50 UNIX (Ouch)
GEORGETOWN.bu.edu 86400 IN HINFO MACINTOSH MAC-OS
CHEEZWIZ.bu.edu 86400 IN HINFO SGI-INDIGO-2 UNIX
POLLUX.bu.edu 86400 IN HINFO SUN-4/20-SPARCSTATION-SLC UNIX
SFA109-PC201.bu.edu 86400 IN HINFO PC MS-DOS/WINDOWS
UH-PC002-CT.bu.edu 86400 IN HINFO PC-CLONE MS-DOS
SOFTWARE.bu.edu 86400 IN HINFO SUN-SPARCSTATION-10/30 UNIX
CABMAC.bu.edu 86400 IN HINFO MACINTOSH MAC-OS
VIDUAL.bu.edu 86400 IN HINFO SGI-INDY IRIX
KIOSK-GB.bu.edu 86400 IN HINFO GATORBOX GATORWARE
CLARINET.bu.edu 86400 IN HINFO VISUAL-X-19-TURBO X-SERVER
DUNCAN.bu.edu 86400 IN HINFO DEC-ALPHA-3000/400 OSF1
MILHOUSE.bu.edu 86400 IN HINFO VAXSTATION-II/GPX UNIX
PSY81-PC150.bu.edu 86400 IN HINFO PC WINDOWS-95
BUPHYC.bu.edu 86400 IN HINFO VAX-4000/300 OpenVMS
Ok, so you get the idea, check out the man pages on those commands.
For any exploits go check out http://www.securityfocus.com/, they have a good database.
-
Ok what?
lol.
I have discovered that the IP I was scanning is a firewall or possibly a router, seeing as how the Telnet:23 password prompt is simply only that. It has no user name prompt. Gives me three password prompts then disconnects. :)
User Access Verification[13][10]
[13][10]
Password:
Password:
Password:
Also on the finger info it says Line and underneath it says *66 vty 0. What the hell is that? Possibly the computer name on the network? Also states USER and HOST. These have been left blank.
Line User Host(s) Idle Location[13][10]
* 66 vty 0 idle 00:00:00
Please make sense of this for me, I have hit a dead end.