23 - Pentesting Telnet

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

Telnet is a network protocol that gives users a UNsecure way to access a computer over a network.

Default port: 23

23/tcp open  telnet

Enumeration

nc -vn <IP> 23

All the interesting enumeration can be performed by nmap:

nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>

The script telnet-ntlm-info.nse will obtain NTLM info (Windows versions).

From the telnet RFC: In the TELNET Protocol are various “options” that will be sanctioned and may be used with the “DO, DON’T, WILL, WON’T” structure to allow a user and server to agree to use a more elaborate (or perhaps just different) set of conventions for their TELNET connection. Such options could include changing the character set, the echo mode, etc.

I know it is possible to enumerate this options but I don’t know how, so let me know if know how.

Enumerate Telnet Options / Features

Telnet uses IAC + DO/DONT/WILL/WONT negotiations to enable options. You can observe supported options by capturing the initial negotiation and by probing for specific features.

Nmap option/feature probes

# Detect support for the Telnet ENCRYPT option
nmap -p 23 --script telnet-encryption <IP>

# Enumerate Microsoft Telnet NTLM info (NetBIOS/DNS/OS build)
nmap -p 23 --script telnet-ntlm-info <IP>

# Brute-force via NSE (alternative to Hydra/Medusa)
nmap -p 23 --script telnet-brute --script-args userdb=users.txt,passdb=pass.txt <IP>

The telnet-encryption script checks whether the ENCRYPT option is supported; some implementations historically handled this option incorrectly and were vulnerable, but the script only checks support. telnet-ntlm-info discloses NTLM metadata (NetBIOS/DNS/OS build) when Microsoft Telnet NTLM is enabled. telnet-brute is an NSE brute-force auditor for Telnet.

Brute force

Config file

/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet

HackTricks Automatic Commands

Protocol_Name: Telnet    #Protocol Abbreviation if there is one.
Port_Number:  23     #Comma separated if there is more than one.
Protocol_Description: Telnet          #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for t=Telnet
  Note: |
    wireshark to hear creds being passed
    tcp.port == 23 and ip.addr != myip

    https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-telnet.html

Entry_2:
  Name: Banner Grab
  Description: Grab Telnet Banner
  Command: nc -vn {IP} 23

Entry_3:
  Name: Nmap with scripts
  Description: Run nmap scripts for telnet
  Command: nmap -n -sV -Pn --script "*telnet*" -p 23 {IP}

Entry_4:
  Name: consoleless mfs enumeration
  Description: Telnet enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'

Recent Vulnerabilities (2022-2026)

  • CVE-2024-45698 – D-Link Wi-Fi 6 routers (DIR-X4860): Improper input validation in the telnet service allows remote attackers to log in using hard-coded credentials and inject OS commands; fixed by firmware 1.04B05 or later.
  • CVE-2023-40478 – NETGEAR RAX30: Stack-based buffer overflow in the Telnet CLI passwd command enables network-adjacent code execution as root; authentication is required but can be bypassed.
  • CVE-2022-39028 – GNU inetutils telnetd: A two-byte sequence (0xff 0xf7 / 0xff 0xf8) can trigger a NULL-pointer dereference in telnetd, and repeated crashes can lead inetd to disable the service (DoS).

Keep these CVEs in mind during vulnerability triage—if the target is running an un-patched firmware or legacy inetutils Telnet daemon you may have a straight-forward path to code-execution or a disruptive DoS.

CVE-2026-24061 — GNU Inetutils telnetd auth bypass (Critical)

Summary: telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a USER environment variable value of -f root, resulting in unauthenticated root access. Root cause: argument injection (CWE-88) because telnetd forwards the client-supplied USER environment variable to login without sanitization. Scope: GNU Inetutils telnetd versions 1.9.3–2.7 are affected (published January 21, 2026).

Mitigations

  • Patch/upgrade affected packages immediately (e.g., Debian fixes are in 2:2.4-2+deb12u2, 2:2.6-3+deb13u1, and 2:2.7-2).
  • Disable Telnet or restrict access to trusted management networks while patching.

Sniffing Credentials & Man-in-the-Middle

Telnet transmits everything, including credentials, in clear-text. Two quick ways to capture them:

# Live capture with tcpdump (print ASCII)
sudo tcpdump -i eth0 -A 'tcp port 23 and not src host $(hostname -I | cut -d" " -f1)'

# Wireshark display filter
 tcp.port == 23 && (telnet.data || telnet.option)

For active MITM, combine ARP spoofing (e.g. arpspoof/ettercap) with the same sniffing filters to harvest passwords on switched networks.

Automated Brute-force / Password Spraying

# Hydra (stop at first valid login)
hydra -L users.txt -P rockyou.txt -t 4 -f telnet://<IP>

# Ncrack (drop to interactive session on success)
ncrack -p 23 --user admin -P common-pass.txt --connection-limit 4 <IP>

# Medusa (parallel hosts)
medusa -M telnet -h targets.txt -U users.txt -P passwords.txt -t 6 -f

Most IoT botnets (Mirai variants) still scan port 23 with small default-credential dictionaries—mirroring that logic can quickly identify weak devices.

Exploitation & Post-Exploitation

Metasploit has several useful modules:

  • auxiliary/scanner/telnet/telnet_version – banner & option enumeration.
  • auxiliary/scanner/telnet/brute_telnet – multithreaded bruteforce.
  • auxiliary/scanner/telnet/telnet_encrypt_overflow – RCE against vulnerable Solaris 9/10 Telnet (option ENCRYPT handling).
  • exploit/linux/mips/netgear_telnetenable – enables telnet service with a crafted packet on many NETGEAR routers.

After a shell is obtained remember that TTYs are usually dumb; upgrade with python -c 'import pty;pty.spawn("/bin/bash")' or use the HackTricks TTY tricks.

Hardening & Detection (Blue team corner)

  1. Prefer SSH and disable Telnet service completely.
  2. If Telnet is required, bind it to management VLANs only, enforce ACLs and wrap the daemon with TCP wrappers (/etc/hosts.allow).
  3. Replace legacy telnetd implementations with ssl-telnet or telnetd-ssl to add transport encryption, but this only protects data-in-transit—password-guessing remains trivial.
  4. Monitor for outbound traffic to port 23; compromises often spawn reverse shells over Telnet to bypass strict-HTTP egress filters.

References

  • D-Link Advisory – CVE-2024-45698 Critical Telnet RCE.
  • NVD – CVE-2022-39028 inetutils telnetd DoS.
  • NVD – CVE-2026-24061.
  • Canadian Centre for Cyber Security Alert AL26-002 (CVE-2026-24061).
  • Debian Security Tracker – CVE-2026-24061 fixed versions.

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks