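##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary scanner that asks a host's finger service (TCP/79) about a list
# of common UNIX account names and reports the ones the server confirms.
#
# Per-host state lives in +@users+ (login name => :reported),
# +@multiple_requests+ (server answers several names per query) and
# +@service_seen+ (at least one TCP connection to the port succeeded).
# The candidate wordlist is cached once in +@common+ and shared across hosts,
# so it must never be mutated by the per-host code.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Number of names sent in one request when the server accepts several.
  BATCH_SIZE = 8

  # Stop collecting a single response once it grows past this many bytes.
  MAX_RESPONSE_BYTES = 1024 * 1024

  # Response lines that carry no login name (error texts and table headers).
  NOISE_PATTERNS = [
    /user not found/i,
    /no such user/i,
    /must provide username/,
    /real life: \?\?\?/,
    /No one logged on/,
    /^Login\s+Name\s+TTY/
  ].freeze

  def initialize
    super(
      'Name' => 'Finger Service User Enumerator',
      'Description' => 'Identify valid users through the finger service using a variety of tricks',
      'Author' => 'hdm',
      'License' => MSF_LICENSE
    )
    register_options(
      [
        Opt::RPORT(79),
        OptString.new(
          'USERS_FILE',
          [
            true,
            'The file that contains a list of default UNIX accounts.',
            File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_users.txt')
          ]
        )
      ]
    )
  end

  # Scanner entry point, called once per target.
  #
  # All per-host state is reset here so that findings (and the
  # "multiple names per request" detection) from one host cannot leak into
  # the next host of a range scan.
  #
  # @param ip [String] address of the host being scanned
  # @return [void]
  def run_host(ip)
    @users = {}
    @multiple_requests = false
    @service_seen = false

    begin
      vprint_status("#{rhost}:#{rport} - Sending empty finger request.")
      finger_empty
      vprint_status("#{rhost}:#{rport} - Sending test finger requests.")
      finger_zero
      finger_dot
      finger_chars
      vprint_status("#{rhost}:#{rport} - Sending finger request for #{finger_user_common.count} users")
      finger_list
    rescue ::Rex::ConnectionError => e
      # A closed or filtered port is the normal negative result; only mention
      # it in verbose mode instead of dropping it on the floor.
      vprint_error("#{rhost}:#{rport} - #{e.class}: #{e}")
    rescue ::StandardError => e
      # StandardError rather than Exception so that Interrupt (Ctrl-C) and
      # SystemExit still reach the framework instead of being printed here.
      print_error("#{e} #{e.backtrace}")
    end

    # Nothing ever connected: there is no finger service to record.
    return unless @service_seen

    report_service(host: rhost, port: rport, name: 'finger')

    if @users.empty?
      print_status("#{ip}:#{rport} No users found.")
    else
      print_good("#{ip}:#{rport} Users found: #{@users.keys.sort.join(', ')}")
      report_note(
        host: rhost,
        port: rport,
        type: 'finger.users',
        data: { users: @users.keys }
      )
    end
  end

  # Empty request: many servers answer with a table of logged-in users.
  # @return [true, nil] see #parse_users
  def finger_empty
    parse_users(finger_query(''))
  end

  # Request for the literal name "0".
  # @return [true, nil] see #parse_users
  def finger_zero
    parse_users(finger_query('0'))
  end

  # Request for the literal name ".".
  # @return [true, nil] see #parse_users
  def finger_dot
    parse_users(finger_query('.'))
  end

  # Send BATCH_SIZE copies of one name in a single request. If the server
  # echoes (at least) that many entries back it processes every name in a
  # request, and #finger_list can batch its lookups.
  #
  # @return [true, nil] see #parse_users
  def finger_chars
    buff = finger_query(Array.new(BATCH_SIZE, 'm').join(' '))
    if buff.scan(/\r?\nm\s/).size >= BATCH_SIZE
      @multiple_requests = true
      vprint_status("#{rhost}:#{rport} - Multiple users per request is okay.")
    end
    parse_users(buff)
  end

  # Look up every name from the wordlist that has not been confirmed yet,
  # one per request or BATCH_SIZE per request depending on #finger_chars.
  #
  # The cached wordlist is never modified; a private copy is consumed in the
  # batched path so the list is intact for the next host.
  #
  # @return [void]
  def finger_list
    unless @multiple_requests
      finger_user_common.each do |user|
        next if @users.key?(user)

        vprint_status("#{rhost}:#{rport} - Sending finger request for #{user}...")
        # parse_users returns nil on a Cisco-style response; stop probing then.
        break unless parse_users(finger_query(user))
      end
      return
    end

    remaining = finger_user_common.dup
    until remaining.empty?
      batch = []
      while batch.size < BATCH_SIZE && !remaining.empty?
        candidate = remaining.shift
        batch << candidate unless @users.key?(candidate)
      end
      # Every candidate in this slice was already known: nothing to send.
      next if batch.empty?

      vprint_status("#{rhost}:#{rport} - Sending finger request for #{batch.join(', ')}...")
      break unless parse_users(finger_query(batch.join(' ')))
    end
  end

  # Open a connection, send one request line and collect the whole reply.
  #
  # The socket is always released, even when reading or writing raises.
  # A successful +connect+ marks the service as present for #run_host.
  #
  # @param request [String] request text without the trailing CRLF
  # @return [String] raw response, possibly empty
  # @raise [Rex::ConnectionError] when the TCP connection cannot be made
  def finger_query(request)
    connect
    @service_seen = true
    begin
      sock.put("#{request}\r\n")
      finger_slurp_data
    ensure
      disconnect
    end
  end

  # Read the server's response until it closes the connection or the size
  # cap is reached.
  #
  # A read that yields nil (no data within the 5 s window) is treated as an
  # empty chunk and reading continues; the loop ends when the peer closes the
  # socket (raised as a StandardError and swallowed here) or when the buffer
  # exceeds MAX_RESPONSE_BYTES. Interrupt and other non-StandardError
  # exceptions propagate to the caller.
  #
  # @return [String] everything received so far
  def finger_slurp_data
    buff = ''
    begin
      while (chunk = sock.get_once(-1, 5) || '')
        buff << chunk
        break if buff.length > MAX_RESPONSE_BYTES
      end
    rescue ::StandardError
      # End of stream or socket error: return what was collected.
    end
    buff
  end

  # Candidate login names from USERS_FILE, loaded once and cached.
  #
  # The array is frozen because it is shared by every host in the scan;
  # callers needing to consume it must work on a copy.
  #
  # @return [Array<String>] unique, non-empty names in file order
  def finger_user_common
    @common ||= File.readlines(datastore['USERS_FILE'], chomp: true)
                    .reject(&:empty?)
                    .uniq
                    .freeze
  end

  # Extract login names from a finger response and record them in @users,
  # printing each name the first time it is seen for this host.
  #
  # @param buff [String] raw server response
  # @return [true, nil] true normally; nil when a line looks like a Cisco IOS
  #   user table, which tells #finger_list to stop querying this host
  def parse_users(buff)
    buff.each_line do |line|
      next if line.strip.empty?

      # Ignore Cisco systems
      return if line.match?(/Line.*User.*Host.*Location/)

      next if NOISE_PATTERNS.any? { |pattern| line.match?(pattern) }

      # No such file or directory == valid user bad utmp
      uid = extract_uid(line)
      next unless uid

      print_good("#{rhost}:#{rport} - Found user: #{uid}") unless @users[uid] == :reported
      @users[uid] = :reported
    end
    true
  end

  # Pull the login name out of one response line for the layouts we know.
  #
  # @param line [String] a single line of the response
  # @return [String, nil] the login name, or nil if the line is not recognised
  def extract_uid(line)
    case line
    when /^([a-z0-9\.\_]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)/
      # Solaris-style table row: login name is the first column
      Regexp.last_match(1)
    when /^\s*Login name:\s*([^\s]+)\s+/i
      # IRIX
      Regexp.last_match(1)
    when /^\s*(?:Username|Login):\s*([^\s]+)\s+/i
      # Debian GNU/Linux
      Regexp.last_match(1)
    end
  end
end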