23 - Pentesting Telnet

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Instantly available setup for vulnerability assessment & penetration testing. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.

Pentest-Tools.com | 25+ Online Penetration Testing ToolsPentest-Tools.com

Basic Information

Telnet is a network protocol that gives users a UNsecure way to access a computer over a network.

Default port: 23

23/tcp open  telnet

Enumeration

Banner Grabbing

nc -vn <IP> 23

All the interesting enumeration can be performed by nmap:

nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>

The script telnet-ntlm-info.nse will obtain NTLM info (Windows versions).

From the telnet RFC: In the TELNET Protocol are various "options" that will be sanctioned and may be used with the "DO, DON'T, WILL, WON'T" structure to allow a user and server to agree to use a more elaborate (or perhaps just different) set of conventions for their TELNET connection. Such options could include changing the character set, the echo mode, etc.

I know it is possible to enumerate this options but I don't know how, so let me know if know how.

Brute force

Config file

/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet

HackTricks Automatic Commands

Protocol_Name: Telnet    #Protocol Abbreviation if there is one.
Port_Number:  23     #Comma separated if there is more than one.
Protocol_Description: Telnet          #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for t=Telnet
  Note: |
    wireshark to hear creds being passed
    tcp.port == 23 and ip.addr != myip

    https://book.hacktricks.xyz/pentesting/pentesting-telnet

Entry_2:
  Name: Banner Grab
  Description: Grab Telnet Banner
  Command: nc -vn {IP} 23

Entry_3:
  Name: Nmap with scripts
  Description: Run nmap scripts for telnet
  Command: nmap -n -sV -Pn --script "*telnet*" -p 23 {IP}
  
Entry_4:
  Name: consoleless mfs enumeration
  Description: Telnet enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'

Pentest-Tools.com | 25+ Online Penetration Testing ToolsPentest-Tools.com

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Previous22 - Pentesting SSH/SFTP Next25,465,587 - Pentesting SMTP/s

Last updated 2 months ago