pentest telnet

Pentesting Telnet


Pentesting Telnet might sound like a throwback to the early days of the internet, but it’s a crucial skill in today’s cybersecurity landscape.

Telnet, despite being largely replaced by more secure protocols, still pops up in various network configurations, often as an overlooked vulnerability.

In this post, we dive into the essentials of pentesting Telnet, unraveling how you can identify and exploit weaknesses to bolster your network defenses. Stay tuned as we turn this old-school protocol into a lesson in modern cybersecurity tactics!

Basic Information

Telnet is a network protocol that lets users access a computer over a network, but it is not secure.

Default port: 23Copy

23/tcp open  telnet


nc -vn <IP> 23

All the interesting enumeration can be performed by nmap:Copy

nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>

The telnet-ntlm-info.nse script can get NTLM info, such as Windows versions.

According to the Telnet RFC, the Telnet Protocol allows various options to be negotiated using “DO, DON’T, WILL, WON’T” commands. This lets the user and server agree on different settings for their Telnet connection, like changing the character set or echo mode.

I know it’s possible to list these options, but I’m not sure how to do it. If you know, please tell me.

Brute force

hydra -l root -P passwords.txt [-t 32] <IP> telnet
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet

legba telnet \
--username admin \
--password wordlists/passwords.txt \
--target localhost:23 \
--telnet-user-prompt "login: " \
--telnet-pass-prompt "Password: " \
--telnet-prompt ":~$ " \
--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin

Config file


Automatic Commands

Protocol_Name: Telnet    #Protocol Abbreviation if there is one.
Port_Number: 23 #Comma separated if there is more than one.
Protocol_Description: Telnet #Protocol Abbreviation Spelled out

Name: Notes
Description: Notes for t=Telnet
Note: |
wireshark to hear creds being passed
tcp.port == 23 and ip.addr != myip

Name: Banner Grab
Description: Grab Telnet Banner
Command: nc -vn {IP} 23

Name: Nmap with scripts
Description: Run nmap scripts for telnet
Command: nmap -n -sV -Pn --script "*telnet*" -p 23 {IP}

Name: consoleless mfs enumeration
Description: Telnet enumeration without the need to run msfconsole
Note: sourced from
Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'


In conclusion, while Telnet can be useful for remote access and management of network devices, it poses significant security risks due to its lack of encryption.

During a penetration test, it is crucial to identify and assess Telnet services running on the network.

Any sensitive information transmitted via Telnet, such as usernames and passwords, can be easily intercepted by attackers.

Therefore, it is highly recommended to disable Telnet in favor of more secure alternatives like SSH. Ensuring all network communications are encrypted is essential for maintaining robust security and protecting sensitive data from potential threats.

Also Read: Pentesting SSH

Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions or brave browser to block ads. Please support us by disabling these ads blocker.Our website is made possible by displaying Ads hope you whitelist our site. We use very minimal Ads in our site


Scroll to Top