Telnet - Port 23

Telnet is a network protocol that provides a text-based interface for communication with a remote device. It operates over TCP and allows users to access computers over a network in an unencrypted manner, making it susceptible to various attacks. Due to its inherent security flaws, it is often recommended to use more secure alternatives, such as SSH.

Default Port: 23

Attack Workflow

1. Basic Information Gathering:

   • Identify if Telnet is open on the target host:

     Copy

     nmap -p 23 <IP>

   • A successful response indicates the service is running:

     Copy

     23/tcp open  telnet

2. Enumeration:

   • Banner Grabbing: You can grab the Telnet banner to gain insights into the service version and possible vulnerabilities.

     Copy

     nc -vn <IP> 23

   • Nmap Enumeration: Utilize Nmap to gather additional information about the Telnet service:

     Copy

     nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>

     The telnet-ntlm-info.nse script can be used to obtain NTLM information, particularly on Windows machines.

3. Understanding Telnet Options:

   • The Telnet protocol allows the negotiation of various options, which can be enumerated using a Telnet client or custom scripts. To check the supported options, you can send specific commands through a Telnet session.

   • Example command to negotiate options: You can start a Telnet session and use the following commands:

     Copy

     DO <option>
     DON'T <option>
     WILL <option>
     WON'T <option>

4. Brute Forcing Credentials:

   • If the Telnet service requires authentication, you may perform a brute force attack using tools like Hydra or Medusa:

     Copy

     hydra -l <username> -P <password-list> telnet://<IP>

5. Checking Configuration Files:

   • Review common configuration files for Telnet:

     • /etc/inetd.conf

     • /etc/xinetd.d/telnet

     • /etc/xinetd.d/stelnet

   • These files may contain options or access controls that can be exploited.