From f51264f83dab69648dc1fff1a8764a8f70e964b6 Mon Sep 17 00:00:00 2001
From: lanjelot
Date: Sat, 9 Jun 2012 20:42:27 +1000
Subject: [PATCH] new finger_lookup module
---
 patator.py | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
diff --git a/patator.py b/patator.py
index 4411213..f2f2552 100755
--- a/patator.py
+++ b/patator.py
@@ -36,6 +36,7 @@ Currently it supports the following modules:
 - smtp_login : Brute-force SMTP
 - smtp_vrfy : Enumerate valid users using the SMTP 'VRFY' command
 - smtp_rcpt : Enumerate valid users using the SMTP 'RCPT TO' command
+ - finger_lookup : Enumerate valid users using Finger
 - http_fuzz : Brute-force HTTP/HTTPS
 - pop_passd : Brute-force poppassd (not POP3)
 - ldap_login : Brute-force LDAP
@@ -577,6 +578,7 @@ TODO
 * SSL support for SMTP, MySQL, ... (use socat in the meantime)
 * new option -e ns like in Medusa (not likely to be implemented due to design)
 * replace PyDNS|paramiko|IPy with a better module (scapy|libssh2|... ?)
+ * rewrite itertools.product that eats too much memory when processing large wordlists
 '''
 
 # }}}
@@ -1777,6 +1779,65 @@ class SMTP_login(SMTP_Base): # }}} +# Finger {{{ +class Controller_Finger(Controller): + + user_list = [] + + def push_final(self, resp): + for l in resp.lines: + if l not in self.user_list: + self.user_list.append(l) + + def show_final(self): + print('\n'.join(self.user_list)) + +class Finger_lookup: + '''Enumerate valid users using Finger''' + + usage_hints = ( + """%prog host=10.0.0.1 user=FILE0 0=words.txt -x ignore:fgrep='no such user'""", + ) + + available_options = ( + ('host', 'hostnames or subnets to target'), + ('port', 'ports to target [79]'), + ('user', 'usernames to test'), + ('timeout', 'seconds to wait on socket operations [5]'), + ) + available_actions = () + + Response = Response_Base + + def execute(self, host, port=None, user='', timeout='5'): + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.settimeout(int(timeout)) + + s.connect((host, int(port or 79))) + if user: + s.send(user) + s.send('\r\n') + + data = '' + while True: + raw = s.recv(1024) + if not raw: + break + data += raw + + s.close() + + logger.debug('recv: %s' % repr(data)) + + data = data.strip() + mesg = repr(data) + + resp = self.Response(0, mesg, data) + resp.lines = [l.strip('\r\n') for l in data.split('\n')] + + return resp +# }}} + # LDAP {{{ if not which('ldapsearch'): warnings.append('openldap') @@ -3039,6 +3100,7 @@ modules = [ ('smtp_login', (Controller, SMTP_login)), ('smtp_vrfy', (Controller, SMTP_vrfy)), ('smtp_rcpt', (Controller, SMTP_rcpt)), + ('finger_lookup', (Controller_Finger, Finger_lookup)), ('http_fuzz', (Controller_HTTP, HTTP_fuzz)), ('pop_passd', (Controller, POP_passd)), ('ldap_login', (Controller, LDAP_login)),
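Review bot: In Finger_lookup.execute the socket is only closed on the success path: if connect() or recv() raises (timeout, connection refused or reset), `s.close()` is never reached and the descriptor leaks on every failed attempt across a long run. Wrapping the exchange in try/finally fixes that, and `s = socket.create_connection((host, int(port or 79)), int(timeout))` would also replace the IPv4-only `socket.AF_INET` socket and apply the timeout in one step. The two `s.send()` calls should be one `s.sendall()`, since `send()` may transmit only part of the buffer and the remainder is silently dropped. Separately, `user_list = []` in Controller_Finger is a class-level mutable shared by all instances; if the base Controller allows it, initialise it per instance instead, and `logger.debug('recv: %r', data)` avoids formatting the payload when debug logging is off.
```python
  def execute(self, host, port=None, user='', timeout='5'):
    # create_connection() resolves IPv4 and IPv6 and applies the timeout itself
    s = socket.create_connection((host, int(port or 79)), int(timeout))
    try:
      # sendall() retries short writes; send() may transmit only part of the buffer
      s.sendall((user or '') + '\r\n')
      data = ''
      while True:
        raw = s.recv(1024)
        if not raw:
          break
        data += raw
    finally:
      # close the socket even when connect/recv raised (timeout, reset)
      s.close()

    # … unchanged: debug logging, strip, Response construction, return …
```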