Target Enumeration on a *nix

Once a cracking target has been established, it is usually helpful to establish which user accounts exist on the target machine in order to brute force passwords. Without a username most brute force attempts will be useless. There are three easy ways to try to discover users on a particular machine: finger, SMTP and POP.

Finger (port 79) attempts are the easiest to try. To issue the finger command, type ‘finger’ at the command prompt. This will return results that may include the user’s real name, how long they have been logged in, their last login and whether they have mail (perhaps even more information).

If a finger server is in fact running on the target (you should have run at least a cursory port mapping of the target to determine this by now), you can hit the server all day with attempted guesses at accounts. Good accounts to guess at include, but are not limited to:

You should also try as many system accounts or usernames as you can think of. Now, if this seems tiresome and tedious, it is. You can shortcut this guessing step on some systems by either issuing:

$ finger

or

$ finger

On rare occasions this will return a list of all the users on the particular machine.

If finger attempts don’t get you anywhere, or if a finger server isn’t running (a very common occurrence), you should turn to the most trusting servers on earth, the SMTP and POP servers. SMTP servers (port 25) give away all sorts of useful information through the verify (VRFY) command, which lets you verify that a user account exists. To get at this information you will have to telnet to the target server’s port 25, greet the server and then type ‘vrfy user’. You may be very lucky and run across a server that also allows the expand command (EXPN). This lets you find all the recipients behind a certain masquerade mail account; expanding accounts such as users or postmaster should show you all of the recipients of mail sent to those accounts. I have even heard that on older versions of Red Hat, by telnetting to the SMTP server you can ‘vrfy users’ and get a list of ALL the user accounts on the system.

Assuming these two methods don’t work and mail relay is turned off (see the spoofing e-mail article), you can verify accounts by sending a spoofed e-mail from a non-existent address to a user on the system. If the system actually contains the account it will usually allow the relay even though the sender is bogus (this is internal relay and is usually turned on). If the account does not exist, the server will inform you as soon as you type the ‘rcpt to:’ command. Beware, however: some mail servers are set to relay all undeliverable local mail to the postmaster account, and in that case this means of verification is denied to you.
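From the defender’s side, the VRFY/EXPN probes and the run of ‘User unknown’ rejections that the RCPT TO check above produces are visible in the mail server log. The following Python is an added example, not from the original article: it scans constructed, Postfix-style smtpd log lines (the format and sample values are assumptions made up for this example) and flags clients that look like they are enumerating accounts.

```python
import re
from collections import defaultdict

# Constructed sample log lines for this example (not captured from a real server).
# They loosely mimic a Postfix-style smtpd log; the parser only needs the client
# address in [brackets], the rejected command name and the recipient in <angle brackets>.
SAMPLE_LOG = """\
Mar  3 10:01:03 mx smtpd[4112]: NOQUEUE: reject: VRFY from unknown[203.0.113.7]: 502 5.5.1 VRFY command is disabled
Mar  3 10:01:04 mx smtpd[4112]: NOQUEUE: reject: EXPN from unknown[203.0.113.7]: 502 5.5.1 EXPN command is disabled
Mar  3 10:01:05 mx smtpd[4112]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <alice@example.org>: Recipient address rejected: User unknown; from=<x@invalid.test> to=<alice@example.org>
Mar  3 10:01:06 mx smtpd[4112]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <admin@example.org>: Recipient address rejected: User unknown; from=<x@invalid.test> to=<admin@example.org>
Mar  3 10:01:07 mx smtpd[4112]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <guest@example.org>: Recipient address rejected: User unknown; from=<x@invalid.test> to=<guest@example.org>
Mar  3 10:01:08 mx smtpd[4112]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <test@example.org>: Recipient address rejected: User unknown; from=<x@invalid.test> to=<test@example.org>
Mar  3 10:02:12 mx smtpd[4118]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.9]: 550 5.1.1 <bob@example.org>: Recipient address rejected: User unknown; from=<bob@partner.example> to=<bob@example.org>
"""

CLIENT_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")          # client address
REJECT_RE = re.compile(r"reject: (VRFY|EXPN|RCPT) from ")         # which command was refused
UNKNOWN_RE = re.compile(r"<([^>]+)>: Recipient address rejected: User unknown")

def summarize(log_text):
    """Per client IP: count of VRFY/EXPN probes and the set of rejected unknown recipients."""
    stats = defaultdict(lambda: {"probes": 0, "unknown": set()})
    for line in log_text.splitlines():
        ip, cmd = CLIENT_RE.search(line), REJECT_RE.search(line)
        if not (ip and cmd):
            continue                      # not a rejection line we care about
        entry = stats[ip.group(1)]
        if cmd.group(1) in ("VRFY", "EXPN"):
            entry["probes"] += 1          # any use of VRFY/EXPN from outside is a probe
        else:
            hit = UNKNOWN_RE.search(line)
            if hit:
                entry["unknown"].add(hit.group(1).lower())
    return stats

def find_enumeration(log_text, unknown_threshold=3):
    """Flag clients that used VRFY/EXPN or hit >= unknown_threshold distinct unknown
    recipients; a single typo from a legitimate relay stays below the threshold."""
    flagged = {}
    for ip, s in summarize(log_text).items():
        if s["probes"] or len(s["unknown"]) >= unknown_threshold:
            flagged[ip] = {"probes": s["probes"], "unknown": len(s["unknown"])}
    return flagged

if __name__ == "__main__":
    for ip, detail in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {detail['probes']} VRFY/EXPN probe(s), {detail['unknown']} unknown recipient(s)")
```

On the sample, only 203.0.113.7 is flagged; the partner relay with one mistyped recipient stays below the threshold.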

Most mail servers are smart enough to turn off their SMTP verify and expand commands. In that case the next best option for verifying accounts is the POP server, which is the server that allows remote users to download their mail. You telnet to the POP server in much the same way as to the SMTP server. The appropriate POP commands are ‘user so-and-so’ and ‘pass such-and-such’ (with so-and-so and such-and-such replaced by actual usernames and passwords). Many POP servers, however, are set to answer +OK user for every username, so try a few you know won’t exist, such as user smell_my_stinky_fart, to check whether the server will actually tell you that a username is bogus.

Good luck, and remember: most modern and well maintained servers will deny all of these attempts to enumerate their users. The sendmail local relay is the most reliable method I have found for checking users on an up-to-date machine, but even this doesn’t work much any more.