π οΈ Telnet β
Theory β
Telnet (teletype network) is a network protocol used to gain access to a virtual terminal in local or in remote systems . It provides bidirectional text-based communication .
Common telnet commands β
| Command | Description |
|---|---|
open | Connects to a specified local/remote host |
close | Closes the current connection |
quit | Exits telnet |
status | Shows the current status of the telnet client |
z | Suspends telnet (on Unix/Linux systems) |
set | Sets Telnet options (like terminal type) |
unset | Unsets Telnet options |
display | Displays current settings of Telnet options |
send | Sends special characters or sequences (like break) |
mode | Sets the mode of operation (e.g., line by line or character) |
logout | Logs out from the remote system (not available on all systems) |
Practice β
Enumeration β
Banner grabbing β
To initiate a connection with telnet server and get any information about the target .
The $TARGET_PORT is optional, but the default port is 23
The Telnet banner of a target can be captured using multiple tools on UNIX-like systems.
#Using Netcat
nc -nv $TARGET_IP $TARGET_PORT
#Using Telnet
telnet $TARGET_IP $TARGET_PORT
#Using Shodan-cli
shodan stream --ports 23,1023,2323 --datadir telnet-data/ --limit 10000
#Using nmap
nmap -p $TARGET_PORT -sVC --script "*telnet* and safe" $TARGET_IPThe Metasploit framework can also be used to make this work.
msf > use auxiliary/scanner/telnet/telnet_version
msf > set rhosts $TARGET_IP
msf > set rport $TARGET_PORT
msf > set threads 5
msf > exploitAttacks β
Passwordless authentication β
Telnet can be configured to allow users to connect to a server without needing a specific identity by utilizing a passwordless login feature. This method is commonly employed for accessing or downloading public files.
To connect without a password, one would use the following command:
telnet $TARGET_IP
# provide username, without passwordCommon credentials β
If anonymous login is disabled on the Telnet server, trying common usernames and passwords like admin, administrator, root, user, or test can be a good initial step. This approach is less aggressive than attempting to guess passwords through brute force and is recommended to try first when accessing a server.
telnet $TARGET_IP
# provide a common username with a common passwordBrute Force β
nmap -p 23 --script telnet-brute $TARGET_IPResources β
https://book.hacktricks.xyz/network-services-pentesting/pentesting-telnethttps://secybr.com/posts/telnet-pentesting-best-practices/https://github.com/InfoSecWarrior/Offensive-Pentesting-Host/blob/main/Telnet/README.mdhttps://techyrick.com/pentesting-telnet/