Telnet - Port 23

Become VeryLazyTech member! 🎁
Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
Visit our shop for e-books and courses. 📚
Support us and buy me a coffee. ☕

Telnet is a network protocol that provides a text-based interface for communication with a remote device. It operates over TCP and allows users to access computers over a network in an unencrypted manner, making it susceptible to various attacks. Due to its inherent security flaws, it is often recommended to use more secure alternatives, such as SSH.

Default Port: 23

Attack Workflow

Basic Information Gathering:
- Identify if Telnet is open on the target host:
  nmap -p 23 <IP>
- A successful response indicates the service is running:
  23/tcp open telnet
Enumeration:
- Banner Grabbing: You can grab the Telnet banner to gain insights into the service version and possible vulnerabilities.
  nc -vn <IP> 23
- Nmap Enumeration: Utilize Nmap to gather additional information about the Telnet service:
  nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>
  The telnet-ntlm-info.nse script can be used to obtain NTLM information, particularly on Windows machines.
Understanding Telnet Options:
- The Telnet protocol allows the negotiation of various options, which can be enumerated using a Telnet client or custom scripts. To check the supported options, you can send specific commands through a Telnet session.
- Example command to negotiate options: You can start a Telnet session and use the following commands:
  DO <option> DON'T <option> WILL <option> WON'T <option>
Brute Forcing Credentials:
- If the Telnet service requires authentication, you may perform a brute force attack using tools like Hydra or Medusa:
  hydra -l <username> -P <password-list> telnet://<IP>
Checking Configuration Files:
- Review common configuration files for Telnet:
  - /etc/inetd.conf
  - /etc/xinetd.d/telnet
  - /etc/xinetd.d/stelnet
- These files may contain options or access controls that can be exploited.

PreviousSSH- Port 22 NextSMTP/s - Port 25,465,587

Last updated 6 months ago

Was this helpful?

Attack Workflow

Basic Information Gathering:

Identify if Telnet is open on the target host:
```
nmap -p 23 <IP>
```
A successful response indicates the service is running:
```
23/tcp open  telnet
```

Enumeration:

Banner Grabbing: You can grab the Telnet banner to gain insights into the service version and possible vulnerabilities.
```
nc -vn <IP> 23
```
Nmap Enumeration: Utilize Nmap to gather additional information about the Telnet service:
```
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>
```
The telnet-ntlm-info.nse script can be used to obtain NTLM information, particularly on Windows machines.

Understanding Telnet Options:

The Telnet protocol allows the negotiation of various options, which can be enumerated using a Telnet client or custom scripts. To check the supported options, you can send specific commands through a Telnet session.
Example command to negotiate options: You can start a Telnet session and use the following commands:
```
DO <option>
DON'T <option>
WILL <option>
WON'T <option>
```

Brute Forcing Credentials:

If the Telnet service requires authentication, you may perform a brute force attack using tools like Hydra or Medusa:
```
hydra -l <username> -P <password-list> telnet://<IP>
```

Checking Configuration Files:

Review common configuration files for Telnet:
- /etc/inetd.conf
- /etc/xinetd.d/telnet
- /etc/xinetd.d/stelnet
These files may contain options or access controls that can be exploited.