Introduction
Pentesting Telnet might sound like a throwback to the early days of the internet, but it’s a crucial skill in today’s cybersecurity landscape.
Telnet, despite being largely replaced by more secure protocols, still pops up in various network configurations, often as an overlooked vulnerability.
In this post, we dive into the essentials of pentesting Telnet, unraveling how you can identify and exploit weaknesses to bolster your network defenses. Stay tuned as we turn this old-school protocol into a lesson in modern cybersecurity tactics!
Basic Information
Telnet is a network protocol that lets users access a computer over a network, but it is not secure.
Default port: 23Copy
23/tcp open telnet
Enumeration
Banner Grabbing
nc -vn <IP> 23
All the interesting enumeration can be performed by nmap:Copy
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>
The telnet-ntlm-info.nse script can get NTLM info, such as Windows versions.
According to the Telnet RFC, the Telnet Protocol allows various options to be negotiated using “DO, DON’T, WILL, WON’T” commands. This lets the user and server agree on different settings for their Telnet connection, like changing the character set or echo mode.
I know it’s possible to list these options, but I’m not sure how to do it. If you know, please tell me.
Brute force
hydra -l root -P passwords.txt [-t 32] <IP> telnet
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet
legba telnet \
--username admin \
--password wordlists/passwords.txt \
--target localhost:23 \
--telnet-user-prompt "login: " \
--telnet-pass-prompt "Password: " \
--telnet-prompt ":~$ " \
--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin
Config file
/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet
Automatic Commands
Protocol_Name: Telnet #Protocol Abbreviation if there is one.
Port_Number: 23 #Comma separated if there is more than one.
Protocol_Description: Telnet #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for t=Telnet
Note: |
wireshark to hear creds being passed
tcp.port == 23 and ip.addr != myip
https://book.hacktricks.xyz/pentesting/pentesting-telnet
Entry_2:
Name: Banner Grab
Description: Grab Telnet Banner
Command: nc -vn {IP} 23
Entry_3:
Name: Nmap with scripts
Description: Run nmap scripts for telnet
Command: nmap -n -sV -Pn --script "*telnet*" -p 23 {IP}
Entry_4:
Name: consoleless mfs enumeration
Description: Telnet enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'
Conclusion
In conclusion, while Telnet can be useful for remote access and management of network devices, it poses significant security risks due to its lack of encryption.
During a penetration test, it is crucial to identify and assess Telnet services running on the network.
Any sensitive information transmitted via Telnet, such as usernames and passwords, can be easily intercepted by attackers.
Therefore, it is highly recommended to disable Telnet in favor of more secure alternatives like SSH. Ensuring all network communications are encrypted is essential for maintaining robust security and protecting sensitive data from potential threats.
Also Read: Pentesting SSH
