23 - Pentesting Telnet
Basic Information
Telnet is a network protocol that gives users an insecure way to access a computer over a network.
Default port: 23
23/tcp open telnet
Enumeration
Banner Grabbing
nc -vn <IP> 23
All the interesting enumeration can be performed by nmap:
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>
The script telnet-ntlm-info.nse will obtain NTLM info (Windows versions).
From the telnet RFC: In the TELNET Protocol are various "options" that will be sanctioned and may be used with the "DO, DON'T, WILL, WON'T" structure to allow a user and server to agree to use a more elaborate (or perhaps just different) set of conventions for their TELNET connection. Such options could include changing the character set, the echo mode, etc.
I know it is possible to enumerate these options but I don't know how, so let me know if you know how.
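The DO/DON'T/WILL/WON'T structure quoted above can be read straight out of a captured byte stream. The following is an added example, not code from the original page: a small offline decoder for one direction of a Telnet session. The CAPTURE bytes are constructed sample data, and the function names and the option table (a subset of the IANA option codes) are choices made for this example.

```python
# Added example: decode Telnet option negotiation (RFC 854/855) from captured bytes.
IAC, SE, SB = 0xFF, 0xF0, 0xFA
VERBS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}
# Subset of the IANA Telnet option codes; anything else is shown as OPT-<n>.
OPTIONS = {0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE",
           31: "NAWS", 32: "TERMINAL-SPEED", 34: "LINEMODE",
           37: "AUTHENTICATION", 38: "ENCRYPT", 39: "NEW-ENVIRON"}

# Constructed sample: what a server might send before its login prompt.
CAPTURE = bytes.fromhex("fffd18" "fffb01" "fffb03" "fffd1f" "fffa1801fff0") + b"login: "


def option_name(code: int) -> str:
    return OPTIONS.get(code, f"OPT-{code}")


def parse_telnet(stream: bytes):
    """Split a one-direction Telnet byte stream into (negotiations, text)."""
    negotiations, text = [], bytearray()
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:              # ordinary data byte
            text.append(stream[i])
            i += 1
        elif i + 1 >= n:                  # capture ends on a lone IAC
            break
        elif stream[i + 1] == IAC:        # IAC IAC = literal 0xFF in the data
            text.append(IAC)
            i += 2
        elif stream[i + 1] in VERBS:      # IAC <verb> <option>
            if i + 2 >= n:                # truncated negotiation
                break
            negotiations.append((VERBS[stream[i + 1]], option_name(stream[i + 2])))
            i += 3
        elif stream[i + 1] == SB:         # IAC SB <option> ... IAC SE
            j = i + 3
            while j + 1 < n and not (stream[j] == IAC and stream[j + 1] == SE):
                j += 2 if stream[j] == IAC else 1   # step over escaped IAC IAC
            if j + 1 >= n:                # truncated subnegotiation
                break
            negotiations.append(("SB", option_name(stream[i + 2])))
            i = j + 2
        else:                             # other two-byte command (NOP, AYT, GA, ...)
            i += 2
    return negotiations, text.decode("ascii", "replace")


if __name__ == "__main__":
    for verb, option in parse_telnet(CAPTURE)[0]:
        print(f"{verb:5} {option}")
```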
Brute force
Config file
/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet
HackTricks Automatic Commands
Protocol_Name: Telnet #Protocol Abbreviation if there is one.
Port_Number: 23 #Comma separated if there is more than one.
Protocol_Description: Telnet #Protocol Abbreviation Spelled out
Entry_1:
  Name: Notes
  Description: Notes for t=Telnet
  Note: |
    wireshark to hear creds being passed
    tcp.port == 23 and ip.addr != myip
    https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-telnet.html
Entry_2:
  Name: Banner Grab
  Description: Grab Telnet Banner
  Command: nc -vn {IP} 23
Entry_3:
  Name: Nmap with scripts
  Description: Run nmap scripts for telnet
  Command: nmap -n -sV -Pn --script "*telnet*" -p 23 {IP}
Entry_4:
  Name: consoleless mfs enumeration
  Description: Telnet enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'
Recent Vulnerabilities (2022-2025)
- CVE-2024-45698 – D-Link Wi-Fi 6 routers (DIR-X4860): The built-in Telnet service accepted hard-coded credentials and failed to sanitise input, allowing unauthenticated remote code execution as root via crafted commands on port 23. Fixed in firmware ≥ 1.04B05.
- CVE-2023-40478 – NETGEAR RAX30: Stack-based buffer overflow in the Telnet CLI passwd command lets an adjacent attacker bypass authentication and execute arbitrary code as root.
- CVE-2022-39028 – GNU inetutils telnetd: A two-byte sequence (0xff 0xf7 / 0xff 0xf8) triggers a NULL-pointer dereference that can crash telnetd, resulting in a persistent DoS after several crashes.
Keep these CVEs in mind during vulnerability triage: if the target is running unpatched firmware or a legacy inetutils Telnet daemon, you may have a straightforward path to code execution or a disruptive DoS.
Sniffing Credentials & Man-in-the-Middle
Telnet transmits everything, including credentials, in clear-text. Two quick ways to capture them:
# Live capture with tcpdump (print ASCII)
sudo tcpdump -i eth0 -A "tcp port 23 and not src host $(hostname -I | cut -d' ' -f1)"
# Wireshark display filter
tcp.port == 23 && (telnet.data || telnet.option)
For active MITM, combine ARP spoofing (e.g. arpspoof/ettercap) with the same sniffing filters to harvest passwords on switched networks.
Automated Brute-force / Password Spraying
# Hydra (stop at first valid login)
hydra -L users.txt -P rockyou.txt -t 4 -f telnet://<IP>
# Ncrack (drop to interactive session on success)
ncrack -p 23 --user admin -P common-pass.txt --connection-limit 4 <IP>
# Medusa (parallel hosts)
medusa -M telnet -h targets.txt -U users.txt -P passwords.txt -t 6 -f
Most IoT botnets (Mirai variants) still scan port 23 with small default-credential dictionaries—mirroring that logic can quickly identify weak devices.
Exploitation & Post-Exploitation
Metasploit has several useful modules:
- auxiliary/scanner/telnet/telnet_version – banner & option enumeration.
- auxiliary/scanner/telnet/brute_telnet – multithreaded bruteforce.
- auxiliary/scanner/telnet/telnet_encrypt_overflow – RCE against vulnerable Solaris 9/10 Telnet (option ENCRYPT handling).
- exploit/linux/mips/netgear_telnetenable – enables telnet service with a crafted packet on many NETGEAR routers.
After a shell is obtained remember that TTYs are usually dumb; upgrade with python -c 'import pty;pty.spawn("/bin/bash")' or use the HackTricks TTY tricks.
Hardening & Detection (Blue team corner)
- Prefer SSH and disable Telnet service completely.
- If Telnet is required, bind it to management VLANs only, enforce ACLs and wrap the daemon with TCP wrappers (/etc/hosts.allow).
- Replace legacy telnetd implementations with ssl-telnet or telnetd-ssl to add transport encryption, but this only protects data-in-transit; password-guessing remains trivial.
- Monitor for outbound traffic to port 23; compromises often spawn reverse shells over Telnet to bypass strict-HTTP egress filters.
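One way to implement the outbound port 23 monitoring from the last item, as an added example that is not part of the original page: it reads firewall log lines in the netfilter LOG key=value format and reports internal sources opening new Telnet connections to hosts outside an allowed management network. The log lines are constructed, and the "EGRESS" log prefix, the MGMT_NETS range and the function name are assumptions of this example.

```python
# Added example: flag outbound Telnet connection attempts in firewall logs.
import ipaddress
import re
from collections import defaultdict

# Assumption: the only network where Telnet is still tolerated (management VLAN).
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample in the netfilter LOG key=value format, as written by a
# hypothetical egress logging rule with the prefix "EGRESS".
SAMPLE_LOG = """\
Jan 10 03:12:01 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=203.0.113.40 LEN=60 TTL=63 PROTO=TCP SPT=40112 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 03:12:01 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=198.51.100.9 LEN=60 TTL=63 PROTO=TCP SPT=40113 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 03:12:02 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.5.30 DST=10.20.0.8 LEN=60 TTL=63 PROTO=TCP SPT=51000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 03:12:03 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.5.44 DST=192.0.2.80 LEN=60 TTL=63 PROTO=TCP SPT=51022 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 03:12:04 gw kernel: EGRESS IN=eth0 OUT=eth1 SRC=203.0.113.40 DST=10.0.5.17 LEN=60 TTL=52 PROTO=TCP SPT=23 DPT=40112 WINDOW=5840 RES=0x00 ACK SYN URGP=0
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")


def outbound_telnet(log_text, allowed=MGMT_NETS):
    """Map each source IP to the non-allowed hosts it tried to reach on 23/tcp."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        flags = set(line.split())
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "23":
            continue
        if "SYN" not in flags or "ACK" in flags:   # new connection attempts only
            continue
        try:
            dst = ipaddress.ip_address(fields["DST"])
        except (KeyError, ValueError):             # malformed line: skip it
            continue
        if not any(dst in net for net in allowed):
            hits[fields.get("SRC", "?")].add(str(dst))
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in outbound_telnet(SAMPLE_LOG).items():
        print(f"{src} -> 23/tcp on {len(dsts)} host(s): {', '.join(dsts)}")
```

A single source reaching many distinct hosts on 23/tcp matches the Mirai-style scanning pattern mentioned earlier and is worth alerting on separately from one-off connections.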