Didier Stevens

Monday 7 December 2020

Quickpost: finger.exe

Filed under: Hacking,Networking,Quickpost — Didier Stevens @ 0:00

Windows 10 comes with the finger command, an ancient computer network tool.

You can still use it to lookup weather information, for example 🙂

It establishes a TCP connection to the hostname/IP address after the @ character, using destination port 79. And then it sends the text before the @ characters in ASCII, terminated with carriage return & line feed.

After that, it reads the reply, displays it, and closes the TCP connection.

finger.exe is not proxy-aware.

Port 79 is not hardcoded as an integer in finger.exe: the port is identified by service name “finger” (UNICODE), which is defined in the services list (%SystemRoot%\system32\drivers\etc\services). GetAddrInfo uses this list.

If you replace “finger” with “http\x00\x00” (UNICODE) in finger.exe (via binary patching, a shim, …), the finger command will connect to port 80:

As noted by many, finger.exe can be (ab)used to exchange information and files. Here I had my own go at it with finger.exe & Excel:

 

Quickpost info

4 Comments »

  1. Where can I find the latest version of NetworkMashup (or NetworkMashupPlus as seen above) as the latest version on GitHub is 6 years old.

    Comment by Harry — Friday 18 December 2020 @ 15:50

  2. That is indeed the latest version. And the Plus version is not (yet) released.

    Comment by Didier Stevens — Friday 18 December 2020 @ 21:02

  3. Any plans on releasing it?

    Comment by Anonymous — Monday 25 January 2021 @ 17:46

  4. Not immediately

    Comment by Didier Stevens — Wednesday 27 January 2021 @ 10:44


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.