23 - Pentesting Telnet


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

Telnet is a network protocol that gives users an insecure way to access a computer over a network.

Default port: 23

23/tcp open  telnet

Enumeration

Banner Grabbing

```bash
nc -vn <IP> 23
```

All the interesting enumeration can be performed with nmap:

```bash
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>
```

The script telnet-ntlm-info.nse will obtain NTLM information (Windows versions).

From the telnet RFC: In the TELNET Protocol there are various "options" that will be sanctioned and may be used with the "DO, DON'T, WILL, WON'T" structure to allow a user and server to agree to use a more elaborate (or perhaps just different) set of conventions for their TELNET connection. Such options could include changing the character set, the echo mode, etc.

I know it is possible to enumerate these options but I don't know how, so let me know if you know how.
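The DO/DON'T/WILL/WON'T negotiation quoted from the RFC above is exactly what `nc` prints as unreadable bytes before the login banner. The following Python decoder is an added example, not code from the HackTricks page or from any tool it mentions: it splits a captured Telnet byte stream into the options the server requests (DO) or offers (WILL), any subnegotiation, and the clear-text that remains. The sample byte string is constructed to resemble a typical Linux telnetd greeting, and the option-name table is a subset of the IANA Telnet options registry.

```python
"""Decode Telnet option negotiation (RFC 854/855) from a captured byte stream.

Added example (not from the HackTricks page). Feed parse_telnet() the raw
bytes a server sends on connect and it returns the negotiation events plus
the clear-text data left once the IAC sequences are stripped.
"""
IAC, DONT, DO, WONT, WILL, SB, SE = 0xFF, 0xFE, 0xFD, 0xFC, 0xFB, 0xFA, 0xF0

# Two-byte IAC commands that carry no option byte (RFC 854 command table).
SIMPLE_COMMANDS = {
    0xF1: "NOP", 0xF2: "DM", 0xF3: "BRK", 0xF4: "IP", 0xF5: "AO",
    0xF6: "AYT", 0xF7: "EC", 0xF8: "EL", 0xF9: "GA",
}
VERBS = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}

# Option codes: subset of the IANA Telnet options registry.
OPTION_NAMES = {
    0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 5: "STATUS",
    24: "TERMINAL-TYPE", 31: "NAWS", 32: "TERMINAL-SPEED",
    33: "REMOTE-FLOW-CONTROL", 34: "LINEMODE", 35: "X-DISPLAY-LOCATION",
    36: "ENVIRON", 37: "AUTHENTICATION", 38: "ENCRYPT", 39: "NEW-ENVIRON",
}

# Constructed sample: what a Linux telnetd typically sends right after connect.
SAMPLE = (
    b"\xff\xfd\x18"              # IAC DO TERMINAL-TYPE
    b"\xff\xfd\x20"              # IAC DO TERMINAL-SPEED
    b"\xff\xfd\x23"              # IAC DO X-DISPLAY-LOCATION
    b"\xff\xfd\x27"              # IAC DO NEW-ENVIRON
    b"\xff\xfb\x03"              # IAC WILL SUPPRESS-GO-AHEAD
    b"\xff\xfb\x01"              # IAC WILL ECHO
    b"\xff\xfa\x18\x01\xff\xf0"  # IAC SB TERMINAL-TYPE SEND IAC SE
    b"Ubuntu 20.04 LTS\r\nlogin: "
)


def option_name(code):
    return OPTION_NAMES.get(code, f"OPTION-{code}")


def parse_telnet(stream):
    """Return (events, data) for a Telnet byte stream.

    events: ("DO", "NAWS"), ("WILL", "ECHO"), ("CMD", "AYT"),
            ("SB", "TERMINAL-TYPE", b"\\x01"), ("TRUNCATED", ...)
    data:   bytes that are not negotiation, i.e. what a user would see.
    """
    events, data = [], bytearray()
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:                     # ordinary data byte
            data.append(b)
            i += 1
            continue
        if i + 1 >= n:                   # lone IAC at end of buffer
            events.append(("TRUNCATED", "IAC"))
            break
        cmd = stream[i + 1]
        if cmd == IAC:                   # IAC IAC is an escaped literal 0xff
            data.append(IAC)
            i += 2
        elif cmd in VERBS:               # IAC <WILL|WONT|DO|DONT> <option>
            if i + 2 >= n:
                events.append(("TRUNCATED", VERBS[cmd]))
                break
            events.append((VERBS[cmd], option_name(stream[i + 2])))
            i += 3
        elif cmd == SB:                  # IAC SB <option> <payload> IAC SE
            j, payload = i + 2, bytearray()
            while j < n:
                if stream[j] == IAC:
                    if j + 1 < n and stream[j + 1] == IAC:  # escaped 0xff in payload
                        payload.append(IAC)
                        j += 2
                        continue
                    break
                payload.append(stream[j])
                j += 1
            if j + 1 < n and stream[j + 1] == SE:
                option = option_name(payload[0]) if payload else "EMPTY"
                events.append(("SB", option, bytes(payload[1:])))
                i = j + 2
            else:
                events.append(("TRUNCATED", "SB"))
                break
        elif cmd in SIMPLE_COMMANDS:     # IAC <command>, no option byte
            events.append(("CMD", SIMPLE_COMMANDS[cmd]))
            i += 2
        else:
            events.append(("CMD", f"UNKNOWN-0x{cmd:02x}"))
            i += 2
    return events, bytes(data)


def summarize(events):
    """Group negotiated options by verb, e.g. {"DO": [...], "WILL": [...]}."""
    out = {}
    for ev in events:
        if ev[0] in VERBS.values():
            out.setdefault(ev[0], []).append(ev[1])
    return out


if __name__ == "__main__":
    evs, text = parse_telnet(SAMPLE)
    for ev in evs:
        print(ev)
    print("clear-text:", text)
```

To apply it to a real capture, save the server's greeting with `nc -vn <IP> 23 > banner.bin` and call `parse_telnet(open("banner.bin", "rb").read())`; the WILL list is the set of options the server is prepared to use, which is the same information nmap's telnet scripts report in a friendlier form.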

Brute force

Config file

```bash
/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet
```

HackTricks Automatic Commands

Protocol_Name: Telnet    #Protocol Abbreviation if there is one.
Port_Number:  23     #Comma separated if there is more than one.
Protocol_Description: Telnet          #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for t=Telnet
Note: |
wireshark to hear creds being passed
tcp.port == 23 and ip.addr != myip

https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-telnet.html

Entry_2:
Name: Banner Grab
Description: Grab Telnet Banner
Command: nc -vn {IP} 23

Entry_3:
Name: Nmap with scripts
Description: Run nmap scripts for telnet
Command: nmap -n -sV -Pn --script "*telnet*" -p 23 {IP}

Entry_4:
Name: consoleless mfs enumeration
Description: Telnet enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'

Recent Vulnerabilities (2022-2025)

  • CVE-2024-45698 – D-Link Wi-Fi 6 routers (DIR-X4860): The built-in Telnet service accepted hard-coded credentials and failed to sanitise input, allowing unauthenticated RCE as root via crafted commands on port 23. Fixed in firmware ≥ 1.04B05.
  • CVE-2023-40478 – NETGEAR RAX30: A stack-based buffer overflow in the Telnet CLI passwd command allows an adjacent attacker to bypass authentication and execute arbitrary code as root.
  • CVE-2022-39028 – GNU inetutils telnetd: A two-byte sequence (0xff 0xf7 / 0xff 0xf8) triggers a NULL-pointer dereference that can crash telnetd, leading to a persistent DoS after several crashes.

Keep these CVEs in mind during vulnerability analysis: if the target runs unpatched firmware or an old inetutils Telnet daemon you may have an easy path to code execution or a disruptive DoS.

Sniffing Credentials & Man-in-the-Middle

Telnet transmits everything, including credentials, in clear text. Two quick ways to capture them:

```bash
# Live capture with tcpdump (print ASCII)
sudo tcpdump -i eth0 -A 'tcp port 23 and not src host $(hostname -I | cut -d" " -f1)'

# Wireshark display filter
tcp.port == 23 && (telnet.data || telnet.option)
```

For active MITM, combine ARP spoofing (e.g. arpspoof/ettercap) with the same sniffing filters to harvest passwords on switched networks.

Automated Brute-force / Password Spraying

```bash
# Hydra (stop at first valid login)
hydra -L users.txt -P rockyou.txt -t 4 -f telnet://<IP>

# Ncrack (drop to interactive session on success)
ncrack -p 23 --user admin -P common-pass.txt --connection-limit 4 <IP>

# Medusa (parallel hosts)
medusa -M telnet -h targets.txt -U users.txt -P passwords.txt -t 6 -f
```

Most IoT botnets (Mirai variants) still scan port 23 with small dictionaries of default credentials; mirroring that logic can quickly identify weak devices.

Exploitation & Post-Exploitation

Metasploit has several useful modules:

  • auxiliary/scanner/telnet/telnet_version – banner & option enumeration.
  • auxiliary/scanner/telnet/brute_telnet – multithreaded brute-force.
  • auxiliary/scanner/telnet/telnet_encrypt_overflow – RCE against vulnerable Solaris 9/10 Telnet (ENCRYPT option handling).
  • exploit/linux/mips/netgear_telnetenable – enables the telnet service with a crafted packet on many NETGEAR routers.

Once you have a shell, remember that the TTY is often dumb; upgrade it with python -c 'import pty;pty.spawn("/bin/bash")' or use the HackTricks TTY tricks.

Hardening & Detection (Blue Team Corner)

  1. Prefer SSH and remove the Telnet service entirely.
  2. If Telnet is required, bind it only to management VLANs, enforce ACLs and wrap the daemon with TCP wrappers (/etc/hosts.allow).
  3. Replace legacy telnetd implementations with ssl-telnet or telnetd-ssl to add transport encryption, but this only protects data in transit; password guessing remains trivial.
  4. Monitor outbound traffic toward port 23; compromised hosts often spawn reverse shells over Telnet to bypass strict HTTP egress filters.
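Items 2 and 4 above (management-VLAN-only access and monitoring outbound port 23) and the Mirai-style default-credential sweeps mentioned in the brute-force section can all be checked from connection or flow logs. The following Python is an added example, not code from the HackTricks page or from any tool it describes: it parses a constructed, simplified flow-log format (timestamp, source, destination, destination port, protocol), and the management VLAN and internal ranges are assumed values that an operator would replace. It raises three kinds of alert: Telnet to an internal host from outside the management VLAN, Telnet leaving the internal network, and one external source touching tcp/23 on many internal hosts within a short window.

```python
"""Flag risky Telnet (tcp/23) activity in connection/flow logs.

Added example, not from the HackTricks page. The log format and the
address ranges below are assumptions; adapt parse_line() and the
constants to your firewall or NetFlow export.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed address plan (replace with your own).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
MGMT_VLAN = ipaddress.ip_network("10.99.0.0/24")   # where admin jump hosts live
TELNET_PORT = 23

# Constructed sample lines: "<ISO time> <src> <dst> <dport> <proto>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.99.0.5 10.1.1.20 23 tcp
2024-05-01T10:00:05Z 10.1.4.77 10.1.1.20 23 tcp
2024-05-01T10:01:10Z 10.1.4.77 198.51.100.9 23 tcp
2024-05-01T10:02:00Z 203.0.113.50 10.1.1.20 23 tcp
2024-05-01T10:02:01Z 203.0.113.50 10.1.1.21 23 tcp
2024-05-01T10:02:02Z 203.0.113.50 10.1.1.22 23 tcp
2024-05-01T10:02:03Z 203.0.113.50 10.1.1.23 23 tcp
2024-05-01T10:02:04Z 203.0.113.50 10.1.1.24 23 tcp
2024-05-01T10:02:05Z 203.0.113.50 10.1.1.25 23 tcp
2024-05-01T10:03:00Z 10.1.4.77 10.1.1.20 443 tcp
"""


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def parse_line(line):
    """Parse one constructed flow record into a dict (IPv4 assumed)."""
    ts, src, dst, dport, proto = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto,
    }


def detect(log_text, scan_threshold=5, window_seconds=60):
    """Return a list of (rule, source, detail) alerts for Telnet flows."""
    alerts = []
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    telnet = [r for r in records if r["proto"] == "tcp" and r["dport"] == TELNET_PORT]
    per_source = defaultdict(list)
    for r in telnet:
        # Rule 1: Telnet into an internal host from anywhere but the management VLAN.
        if is_internal(r["dst"]) and r["src"] not in MGMT_VLAN:
            alerts.append(("TELNET_NOT_FROM_MGMT", str(r["src"]), str(r["dst"])))
        # Rule 2: Telnet leaving the internal network (reverse-shell / exfil pattern).
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            alerts.append(("OUTBOUND_TELNET", str(r["src"]), str(r["dst"])))
        if not is_internal(r["src"]):
            per_source[r["src"]].append((r["ts"], r["dst"]))
    # Rule 3: one external source hitting tcp/23 on many hosts within the window.
    for src, hits in per_source.items():
        hits.sort()
        for start in range(len(hits)):
            t0 = hits[start][0]
            targets = {d for t, d in hits[start:] if (t - t0).total_seconds() <= window_seconds}
            if len(targets) >= scan_threshold:
                alerts.append(("TELNET_SWEEP", str(src), f"{len(targets)} hosts in {window_seconds}s"))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The sweep rule deliberately counts distinct destinations rather than raw connection attempts, so a single noisy but legitimate host does not trip it, while a scanner walking a /24 does; tune `scan_threshold` and `window_seconds` to the size of the address space you monitor.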

References

  • D-Link Advisory – CVE-2024-45698 Critical Telnet RCE.
  • NVD – CVE-2022-39028 inetutils telnetd DoS.
