Finger.exe & ClickFix

    Published: 2025-11-16. Last Updated: 2025-11-16 07:27:55 UTC
    by Didier Stevens (Version: 1)

    The finger.exe command is used in ClickFix attacks.

    finger is a very old UNIX command that was converted to a Windows executable years ago and has been part of Windows ever since.

    In the ClickFix attacks, it is used to retrieve a malicious script via the finger protocol.

    We wrote about finger.exe about 3 years ago: "Finger.exe LOLBin".

    What you need to know:

    • finger communication takes place over TCP
    • the finger protocol uses TCP port 79 and there is no way to change this port
    • finger.exe is not proxy aware

    So if you are in a corporate environment with an explicit proxy (and you block all Internet-facing communication that doesn't go through the proxy), the finger.exe command won't be able to communicate.

    And if you have a transparent proxy, finger.exe will be able to communicate provided the proxy allows TCP connections to port 79.
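
    An added example, not part of the original diary: since finger always uses TCP port 79 and finger.exe is not proxy aware, its traffic shows up as direct connections to that port, which makes a stable detection point in connection logs. The CSV layout, host names, addresses, the RFC 1918 "internal" ranges and the `triage` and `is_internal` helpers are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

FINGER_PORT = 79  # fixed by the protocol; the diary notes it cannot be changed

# Assumption: RFC 1918 ranges stand in for "internal"; use your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records in a hypothetical CSV export of connection logs.
SAMPLE_LOG = r"""time,host,image,proto,dst_ip,dst_port
2025-11-16T07:01:12Z,WS-014,C:\Windows\System32\finger.exe,tcp,203.0.113.45,79
2025-11-16T07:01:40Z,WS-014,C:\Program Files\Browser\browser.exe,tcp,198.51.100.7,443
2025-11-16T07:02:03Z,WS-022,C:\Windows\System32\FINGER.EXE,tcp,10.20.30.40,79
2025-11-16T07:02:59Z,WS-031,C:\Tools\client.exe,tcp,203.0.113.45,79
2025-11-16T07:03:10Z,WS-031,C:\Windows\System32\svchost.exe,udp,192.0.2.53,79
"""


def is_internal(ip_text):
    """True when the destination falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETS)


def triage(log_text):
    """Return (host, image, dst_ip, severity) for every TCP/79 connection."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["proto"].lower() != "tcp" or int(row["dst_port"]) != FINGER_PORT:
            continue
        # Compare on the lower-cased file name so FINGER.EXE also matches.
        image = row["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if is_internal(row["dst_ip"]):
            severity = "low"     # internal finger traffic: review, likely legacy
        elif image == "finger.exe":
            severity = "high"    # finger.exe reaching the Internet directly
        else:
            severity = "medium"  # another client using TCP/79 outbound
        findings.append((row["host"], image, row["dst_ip"], severity))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="  ")
```

    Matching on the destination port as well as the image name still catches the connection when the binary has been copied under a different file name.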

     

    Didier Stevens
    Senior handler
    blog.DidierStevens.com


    SANS Holiday Hack Challenge 2025

    Published: 2025-11-16. Last Updated: 2025-11-16 07:15:45 UTC
    by Didier Stevens (Version: 1)