FingerTrace

The entire FingerTrace package is available at:

I am currently in the process of rewriting FingerTrace in Perl. The new version will be a lot easier to use.



What's Needed

GNU Fingerd
GNU Fingerd is needed because it provides the option of executing a file (~/.fingerrc) when a finger request comes in.
netstat
netstat provides information about the current connections to the machine. This is used to find out what machine is sending the finger request.
Some sort of editor, a C compiler, the tcsh shell, and some common shell commands (sed, awk, etc.)
These are used in the creation and execution of the .fingerrc file. Most systems should have all of these.
Access to a computer of the same architecture as the main finger server.
The C programs are run by the finger server, so they must be compiled on the same type of computer as the finger server is.

GNU Fingerd

What is it?

The fingerd (finger daemon) is a program that accepts and handles finger requests. GNU Fingerd adds many features to the standard fingerd. Among these features is the option to execute the file $HOME/.fingerrc ($HOME refers to your home directory). It is this feature that we will exploit to gain information on who wants to know about us.

How do I know if I have it?

Another feature of GNU Fingerd is several "special users" that provide various information. These are the "special users":

The administrator can also create special users that display files. Two of these administrator-defined users that are on most systems running fingerd are .help and .site.

So how do you find out if your system is running GNU Fingerd? Try the command:

	finger .version

If you get something that looks like this:


	GNU Finger server version ...

Then you are running GNU Fingerd. However, if you get something like this:


	?Sorry, could not find ".VERSION"

Or some other such error, then you are not running GNU Fingerd.

What do I do if I don't have it?

Ask your system manager to install it. The source is available at: prep.ai.mit.edu:/pub/gnu/finger-1.37.tar.gz


The .fingerrc file

When a finger request comes in for you, the finger server looks for the file ~/.fingerrc. If it is there and executable, the server pipes the normal finger output through it: the finger output goes into your file as standard input, and whatever the file writes to standard output is sent in reply to the finger request.

I'm not going to go into the myriad uses of this file. All we need to know for now is that to transfer the input to the output we use the command:


cat

We add to this several commands to find out where the finger request is coming from.


Find the Host

The netstat command.

The netstat command provides information about connections to the computer. Among other things, it shows the connecting host and the port it is connecting to. If we match the connecting port to the port used for the finger daemon, we can take the corresponding host, and poof, we have the fingering host.

The -n flag

The display of netstat truncates host names if they are too long. For this reason we should use the -n flag to get IP numbers instead of host names.

The fingerd port

The fingerd port is normally 79. The /etc/services file lists the services and their associated ports (there are some exceptions, but finger isn't one of them). Look at the file and find what port number goes with the service 'finger'.

Getting the info


	 set FROM=`netstat -n | grep 79 | head -1 | awk '{print $5}' | sed 's/\./ /g'` 
	 set LFROM=`~$USER/.fhba $FROM[1].$FROM[2].$FROM[3].$FROM[4]`

So what does this long command do? It sets the variable FROM to the fingering host and port.

It then runs the program ~/.fhba (a C program that you have to compile), which uses DNS to change the IP number into a more useful host name.

  1. netstat -n displays the connections with IP numbers
  2. grep 79 finds all lines with 79 as the port
  3. head -1 takes the first of these
  4. awk '{print $5}' displays the 5th column (connecting host)
  5. sed 's/\./ /g' changes the . to spaces, thus making the variable easier to use. In this version we do want the final, fifth, number (the connecting port), because we will use it to find the user.

NOTE: Not all systems use the same format for netstat. If you get a "subscript not found" or similar error, try changing $5 to $2. If that doesn't work you might try $1, $3, or $4. If nothing works send me a message and I'll try and help.
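
A stricter version of the same lookup, as an added example in POSIX sh and awk (it is not part of FingerTrace, which uses tcsh): it accepts only an established TCP connection whose local port is exactly 79, whereas a bare `grep 79` also matches lines that merely contain 79 in an address or in another port. The function names and the netstat sample are constructed for illustration; the parser handles both the `address.port` and `address:port` output styles.

```sh
#!/bin/sh
# Added example, not FingerTrace code. POSIX sh + awk instead of tcsh.

# Constructed sample of `netstat -n` output. The first two connections are
# decoys: both contain "79" but neither is a connection to local port 79,
# so `grep 79 | head -1` would pick the wrong peer here.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 192.0.2.10.22          198.51.100.79.40022    ESTABLISHED
tcp        0      0 192.0.2.10.7900        203.0.113.9.51000      ESTABLISHED
tcp        0      0 192.0.2.10.79          203.0.113.7.51514      ESTABLISHED
tcp        0      0 192.0.2.10:79          203.0.113.8:40000      TIME_WAIT
EOF
}

# finger_peer [PORT]: read netstat -n output on stdin and print "ADDRESS PORT"
# of the first ESTABLISHED TCP peer whose LOCAL port is exactly PORT
# (default 79). Returns non-zero when there is no such connection.
finger_peer() {
    awk -v want="${1:-79}" '
    # The port is the run of digits after the last "." or ":" of an endpoint.
    function port_of(ep) {
        return match(ep, /[.:][0-9]+$/) ? substr(ep, RSTART + 1) : ""
    }
    function addr_of(ep) {
        return match(ep, /[.:][0-9]+$/) ? substr(ep, 1, RSTART - 1) : ""
    }
    # Local and foreign endpoints are the two fields just before the state,
    # which avoids depending on a fixed column number such as $5.
    $1 ~ /^tcp/ && $NF == "ESTABLISHED" && port_of($(NF-2)) == want {
        print addr_of($(NF-1)), port_of($(NF-1))
        found = 1
        exit
    }
    END { exit !found }'
}

sample_netstat | finger_peer
```
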

The .fhba command

The .fhba command is a dirty little C program I wrote to change an IP number into a host-name. You could use the nslookup command but I think this one is a little faster. See below for the C source.


Finding the User

Now that we have the host and port, we can go about finding the user. There are two ways to find the user. The most reliable way is to use the ident protocol to ask the host what user is using the port ($FROM[5]) to access the finger port (79). However, not all hosts have identd installed. If ident fails, we can send a finger request to the host asking who is logged on. This gives some idea of who the fingering user is, though not a pinpoint ID.

To start we try the ident protocol using the program idlookup (see below):


	set WHO=`~$USER/bin/idlookup $LFROM $FROM[5] 79`

This runs the program idlookup, which uses the ident protocol to ask the fingering host ($LFROM) what user is using the port $FROM[5] to access the finger port (79). If it fails, though, we will have to do something else. In tcsh the $? variable is the return status of the last executed command; if that's not 0, we know it failed:


	if ( $? != 0 ) set WHO=0
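
What the ident exchange behind this lookup looks like, as an added example in POSIX sh and awk (it is not the idlookup program): the query line sent to the fingering host's identd, and a parser for the reply that fails with a non-zero status the way the check above expects. The function names and sample replies are constructed; the reply layout follows RFC 1413.

```sh
#!/bin/sh
# Added example, not FingerTrace's idlookup.

# ident_query REMOTE_PORT LOCAL_PORT: the one-line query sent to identd
# (TCP port 113) on the fingering host, e.g. "51514 , 79".
ident_query() {
    printf '%s , %s\r\n' "$1" "$2"
}

# ident_user REMOTE_PORT LOCAL_PORT: read one reply line on stdin.
# Prints the user name and returns 0 only for a USERID reply that echoes the
# port pair that was asked about; ERROR replies, mismatched ports and
# malformed lines return 1.
ident_user() {
    awk -v rp="$1" -v lp="$2" '
    {
        sub(/\r$/, "")
        # Reply: <remote port> , <local port> : USERID : <opsys> : <user>
        n = split($0, f, ":")
        if (n < 4) exit 1
        split(f[1], p, ",")
        gsub(/[ \t]/, "", p[1]); gsub(/[ \t]/, "", p[2]); gsub(/[ \t]/, "", f[2])
        if (p[1] != rp || p[2] != lp || f[2] != "USERID") exit 1
        # The user field may itself contain ":", so keep everything after
        # the third colon instead of using f[4].
        user = $0
        for (i = 1; i <= 3; i++) sub(/^[^:]*:/, "", user)
        sub(/^[ \t]+/, "", user)
        # The name is whatever the remote host chooses to send. Keep only
        # log-safe characters so control sequences never reach the log.
        gsub(/[^A-Za-z0-9._@-]/, "?", user)
        print user
        ok = 1
        exit
    }
    END { exit !ok }'
}

# Constructed reply for a query about remote port 51514 and local port 79.
printf '51514 , 79 : USERID : UNIX : alice\r\n' | ident_user 51514 79
```
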

I have written a script called findwho which will be run in the background at the end to finger the host and try and find who might have been the fingering user:


	if ( $WHO == 0 ) then
		csh -c "~$USER/bin/findwho $LFROM ~$USER/.fingerlog" >& /dev/null
	endif