HackTricks
Searchโ€ฆ
๐Ÿ‘ฝ
Network Services Pentesting
23 - Pentesting Telnet
Support HackTricks and get benefits!

Basic Information

Telnet is a network protocol that gives users a UNsecure way to access a computer over a network.
Default port: 23
1
23/tcp open telnet
Copied!

Enumeration

1
nc -vn <IP> 23
Copied!
All the interesting enumeration can be performed by nmap:
1
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>
Copied!
The script telnet-ntlm-info.nse will obtain NTLM info (Windows versions).
In the TELNET Protocol are various "options" that will be sanctioned and may be used with the "DO, DON'T, WILL, WON'T" structure to allow a user and server to agree to use a more elaborate (or perhaps just different) set of conventions for their TELNET connection. Such options could include changing the character set, the echo mode, etc. (From the telnet RFC) I know it is possible to enumerate this options but I don't know how, so let me know if know how.

โ€‹Brute forceโ€‹

Config file

1
/etc/inetd.conf
2
/etc/xinetd.d/telnet
3
/etc/xinetd.d/stelnet
Copied!

HackTricks Automatic Commands

1
Protocol_Name: Telnet #Protocol Abbreviation if there is one.
2
Port_Number: 23 #Comma separated if there is more than one.
3
Protocol_Description: Telnet #Protocol Abbreviation Spelled out
4
โ€‹
5
Entry_1:
6
Name: Notes
7
Description: Notes for t=Telnet
8
Note: |
9
wireshark to hear creds being passed
10
tcp.port == 23 and ip.addr != myip
11
โ€‹
12
https://book.hacktricks.xyz/pentesting/pentesting-telnet
13
โ€‹
14
Entry_2:
15
Name: Banner Grab
16
Description: Grab Telnet Banner
17
Command: nc -vn {IP} 23
18
โ€‹
19
Entry_3:
20
Name: Nmap with scripts
21
Description: Run nmap scripts for telnet
22
Command: nmap -n -sV -Pn --script "*telnet*" -p 23 {IP}
23
24
25
Entry_4:
26
Name: consoleless mfs enumeration
27
Description: Telnet enumeration without the need to run msfconsole
28
Note: sourced from https://github.com/carlospolop/legion
29
Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'
30
Copied!
Support HackTricks and get benefits!