23 - Pentesting Telnet

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

Telnet is a network protocol that gives users an insecure way to access a computer over a network.

Default port: 23

23/tcp open  telnet

Enumeration

nc -vn <IP> 23

All the interesting enumeration can be performed with nmap:

nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>

The script telnet-ntlm-info.nse will obtain NTLM info (Windows versions).

From the telnet RFC: In the TELNET Protocol there are various "options" that are sanctioned and may be used with the "DO, DON'T, WILL, WON'T" structure to allow a user and server to agree to use a more elaborate (or perhaps just different) set of conventions for their TELNET connection. Such options could include changing the character set, the echo mode, etc.

I know it is possible to enumerate these options, but I don't know how, so let me know if you know how.

Enumerate Telnet Options / Features

Telnet uses IAC + DO/DONT/WILL/WONT negotiations to enable options. You can see which options are supported by capturing the initial negotiation and by probing specific features.

Nmap option/feature probes

# Detect support for the Telnet ENCRYPT option
nmap -p 23 --script telnet-encryption <IP>

# Enumerate Microsoft Telnet NTLM info (NetBIOS/DNS/OS build)
nmap -p 23 --script telnet-ntlm-info <IP>

# Brute-force via NSE (alternative to Hydra/Medusa)
nmap -p 23 --script telnet-brute --script-args userdb=users.txt,passdb=pass.txt <IP>

The telnet-encryption script checks whether the ENCRYPT option is supported; some implementations historically handled this option incorrectly and were vulnerable, but the script only checks for support. telnet-ntlm-info exposes NTLM metadata (NetBIOS/DNS/OS build) when Microsoft Telnet NTLM is enabled. telnet-brute is an NSE brute-force checker for Telnet.
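If you want to enumerate the options without an NSE script, parse the negotiation yourself. The following is an added example (not from the original page, nmap or any telnetd): a small Python parser that walks a captured Telnet byte stream, lists every DO/DONT/WILL/WONT and sub-negotiation the peer sent, separates out bare two-byte commands (such as the 0xff 0xf7 / 0xff 0xf8 sequences, which are the EC/EL commands of RFC 854) and unescapes IAC IAC in the banner. The `SAMPLE` bytes are constructed to look like a typical Linux telnetd greeting, not a real capture; feed it the raw bytes of a real session to see what a given daemon offers and what it never mentions (e.g. no WILL ENCRYPT).

```python
"""Telnet IAC negotiation parser over a captured byte stream (added example)."""
from typing import Dict, List, Optional, Tuple

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
VERBS = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}
# IAC <cmd> sequences that carry no option byte (RFC 854); 0xf7/0xf8 are EC/EL.
SIMPLE_CMDS = {241: "NOP", 242: "DM", 243: "BRK", 244: "IP", 245: "AO",
               246: "AYT", 247: "EC", 248: "EL", 249: "GA"}
OPTIONS = {0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 5: "STATUS",
           6: "TIMING-MARK", 24: "TERMINAL-TYPE", 31: "NAWS", 32: "TERMINAL-SPEED",
           33: "REMOTE-FLOW-CONTROL", 34: "LINEMODE", 35: "X-DISPLAY-LOCATION",
           36: "ENVIRON", 37: "AUTHENTICATION", 38: "ENCRYPT", 39: "NEW-ENVIRON"}


def _opt_name(code: Optional[int]) -> str:
    return OPTIONS.get(code, f"UNKNOWN-{code}")


def parse_telnet(stream: bytes) -> Tuple[List[Tuple[str, str, Optional[int]]], List[str], bytes]:
    """Split a raw Telnet stream into (negotiations, commands, data).

    negotiations: (verb, option name, option code) for DO/DONT/WILL/WONT and SB
    commands:     names of two-byte commands such as EC for 0xff 0xf7
    data:         everything else (banner, prompts), with IAC IAC unescaped
    A truncated sequence at the end of the capture stops parsing cleanly.
    """
    negotiations, commands, data = [], [], bytearray()
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            data.append(b)
            i += 1
            continue
        if i + 1 >= n:
            break                                   # lone IAC at end of capture
        cmd = stream[i + 1]
        if cmd == IAC:                              # escaped literal 0xff
            data.append(IAC)
            i += 2
        elif cmd in VERBS:
            if i + 2 >= n:
                break                               # verb without option byte
            opt = stream[i + 2]
            negotiations.append((VERBS[cmd], _opt_name(opt), opt))
            i += 3
        elif cmd == SB:
            # Collect the sub-negotiation payload up to IAC SE, honouring IAC IAC
            # escapes so an escaped 0xff followed by 0xf0 is not mistaken for SE.
            j, payload = i + 2, bytearray()
            while j + 1 < n and not (stream[j] == IAC and stream[j + 1] == SE):
                if stream[j] == IAC and stream[j + 1] == IAC:
                    payload.append(IAC)
                    j += 2
                else:
                    payload.append(stream[j])
                    j += 1
            if j + 1 >= n:
                break                               # no terminating IAC SE
            opt = payload[0] if payload else None
            negotiations.append(("SB", _opt_name(opt), opt))
            i = j + 2
        else:
            commands.append(SIMPLE_CMDS.get(cmd, f"CMD-{cmd}"))
            i += 2
    return negotiations, commands, bytes(data)


def supported_options(stream: bytes) -> Dict[str, List[str]]:
    """Group option names by the verb the peer used, e.g. {'WILL': ['ECHO']}."""
    grouped: Dict[str, List[str]] = {}
    for verb, name, _ in parse_telnet(stream)[0]:
        names = grouped.setdefault(verb, [])
        if name not in names:
            names.append(name)
    return grouped


# Constructed sample (not a real capture): the opening a Linux telnetd typically
# sends, a TERMINAL-TYPE SEND sub-negotiation, a bare IAC EC command and a
# banner containing an escaped 0xff byte.
SAMPLE = (
    b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"   # DO TTYPE, TSPEED, XDISPLOC, NEW-ENVIRON
    b"\xff\xfb\x03\xff\xfd\x01\xff\xfd\x1f\xff\xfb\x05"   # WILL SGA, DO ECHO, DO NAWS, WILL STATUS
    b"\xff\xfb\x01"                                       # WILL ECHO
    b"\xff\xfa\x18\x01\xff\xf0"                           # SB TERMINAL-TYPE SEND SE
    b"\xff\xf7"                                           # IAC EC (0xff 0xf7)
    b"telnet-lab\xff\xff\r\nlogin: "                      # banner with escaped 0xff
)

if __name__ == "__main__":
    negs, cmds, banner = parse_telnet(SAMPLE)
    for verb, name, code in negs:
        print(f"{verb:5} {name} ({code})")
    print("commands:", cmds)
    print("banner:", banner)
    print("by verb:", supported_options(SAMPLE))
```

The verb matters when reading the result: WILL is what the server itself offers to do, DO is what it asks the client to do, so "supports ENCRYPT" means a WILL ENCRYPT (or a positive reply to your DO ENCRYPT), which is exactly what telnet-encryption checks for.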

Brute force

Configuration file

/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet

HackTricks Automatic Commands

Protocol_Name: Telnet    #Protocol Abbreviation if there is one.
Port_Number:  23     #Comma separated if there is more than one.
Protocol_Description: Telnet          #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for Telnet
Note: |
wireshark to hear creds being passed
tcp.port == 23 and ip.addr != myip

https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-telnet.html

Entry_2:
Name: Banner Grab
Description: Grab Telnet Banner
Command: nc -vn {IP} 23

Entry_3:
Name: Nmap with scripts
Description: Run nmap scripts for telnet
Command: nmap -n -sV -Pn --script "*telnet*" -p 23 {IP}

Entry_4:
Name: consoleless msf enumeration
Description: Telnet enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'

Recent Vulnerabilities (2022-2026)

  • CVE-2024-45698 – D-Link Wi-Fi 6 routers (DIR-X4860): Improper input validation in the telnet service lets remote attackers log in with hard-coded credentials and inject OS commands; fixed in firmware 1.04B05 or later.
  • CVE-2023-40478 – NETGEAR RAX30: Stack-based buffer overflow in the Telnet CLI passwd command allows network-adjacent code execution as root; authentication is required but can be bypassed.
  • CVE-2022-39028 – GNU inetutils telnetd: A two-byte sequence (0xff 0xf7 / 0xff 0xf8) can cause a NULL-pointer dereference in telnetd, and repeated crashes can make inetd disable the service (DoS).

Keep these CVEs in mind during vulnerability triage: if the target runs unpatched firmware or a legacy inetutils Telnet daemon, you may find an easy code-execution or DoS path.

CVE-2026-24061 — GNU Inetutils telnetd auth bypass (Critical)

Summary: telnetd in GNU Inetutils up to 2.7 allows remote authentication bypass via a USER environment value of -f root, resulting in unauthenticated root access.
Root cause: argument injection (CWE-88), because telnetd passes the client-supplied USER environment variable to login without sanitization.
Scope: GNU Inetutils telnetd versions 1.9.3–2.7 are affected (published January 21, 2026).

Mitigations

  • Patch/upgrade affected packages immediately (e.g., Debian fixes are in 2:2.4-2+deb12u2, 2:2.6-3+deb13u1, and 2:2.7-2).
  • Disable Telnet or restrict access to trusted management networks until you have patched.
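To see what the missing sanitization looks like in practice, here is an added example (not from GNU Inetutils or from the page): a Python decoder for the NEW-ENVIRON sub-negotiation body (RFC 1572) that a Telnet client uses to announce variables such as USER, plus a validator that only accepts a plain account name before anything is handed to login. The samples `BENIGN` and `HOSTILE` are constructed; `HOSTILE` carries the `-f root` USER shape the advisory describes, and the validator refuses it because a value starting with `-` can never be an account name, only an option.

```python
"""Decode a Telnet NEW-ENVIRON announcement and vet the USER value (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# RFC 1572 sub-negotiation codes
IS, SEND, INFO = 0, 1, 2
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3
CMD_NAMES = {IS: "IS", SEND: "SEND", INFO: "INFO"}

# Conservative account-name grammar: a leading '-' can never match, so a value
# such as "-f root" is refused before it could reach a login helper as an option.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def decode_new_environ(payload: bytes) -> Tuple[str, Dict[str, Optional[str]]]:
    """Decode the body between 'IAC SB NEW-ENVIRON' and 'IAC SE'.

    `payload` must already have IAC IAC collapsed to one 0xff byte. Returns the
    command name (IS/SEND/INFO) and the variables announced, None for a variable
    sent without a VALUE. ESC quotes the byte that follows it.
    """
    if not payload:
        raise ValueError("empty NEW-ENVIRON payload")
    cmd = CMD_NAMES.get(payload[0], f"CMD-{payload[0]}")
    entries: List[List] = []           # [name bytes, value bytes, has_value]
    state = None                       # None | "name" | "value"
    i, n = 1, len(payload)
    while i < n:
        b = payload[i]
        if b in (VAR, USERVAR):
            entries.append([bytearray(), bytearray(), False])
            state = "name"
        elif b == VALUE and state is not None:
            entries[-1][2] = True
            state = "value"
        else:
            if b == ESC and i + 1 < n:
                i += 1
                b = payload[i]
            if state is None:
                raise ValueError("data before the first VAR/USERVAR")
            entries[-1][0 if state == "name" else 1].append(b)
        i += 1
    env = {nm.decode("latin-1"): (vl.decode("latin-1") if has else None)
           for nm, vl, has in entries}
    return cmd, env


def safe_login_user(value: Optional[str]) -> bool:
    """True only for a plain account name that cannot be parsed as an option."""
    return value is not None and USERNAME_RE.match(value) is not None


def vet_environment(payload: bytes) -> Tuple[bool, str]:
    """Decide whether the client's USER may be forwarded to login: (ok, reason)."""
    cmd, env = decode_new_environ(payload)
    if cmd not in ("IS", "INFO"):
        return False, f"{cmd} is not a client environment announcement"
    if "USER" not in env:
        return True, "no USER supplied; login will prompt for one"
    user = env["USER"]
    if safe_login_user(user):
        return True, f"USER={user!r} is a plain account name"
    return False, f"USER={user!r} rejected: would be read as an option or argument"


def encode_is(**variables: Optional[str]) -> bytes:
    """Build a NEW-ENVIRON IS body for the constructed samples below."""
    out = bytearray([IS])
    for name, value in variables.items():
        out.append(VAR)
        out += name.encode()
        if value is not None:
            out.append(VALUE)
            for byte in value.encode():
                if byte in (VAR, VALUE, ESC, USERVAR):
                    out.append(ESC)
                out.append(byte)
    return bytes(out)


# Constructed samples, not captured traffic.
BENIGN = encode_is(USER="alice", DISPLAY="lab:0")
HOSTILE = encode_is(USER="-f root")     # the USER value shape the advisory describes

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(label, decode_new_environ(body), vet_environment(body))
```

The point of the allow-list is that it is independent of which login helper runs behind telnetd: whatever options that program accepts, a value that matches `USERNAME_RE` cannot start one.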

Sniffing Credentials & Man-in-the-Middle

Telnet transmits everything, including credentials, in clear text. Two quick ways to capture them are:

# Live capture with tcpdump (print ASCII)
sudo tcpdump -i eth0 -A 'tcp port 23 and not src host $(hostname -I | cut -d" " -f1)'

# Wireshark display filter
tcp.port == 23 && (telnet.data || telnet.option)

For active MITM, combine ARP spoofing (e.g. arpspoof/ettercap) with the same sniffing filters to collect passwords on switched networks.

Automated Brute-force / Password Spraying

# Hydra (stop at first valid login)
hydra -L users.txt -P rockyou.txt -t 4 -f telnet://<IP>

# Ncrack (drop to interactive session on success)
ncrack -p 23 --user admin -P common-pass.txt --connection-limit 4 <IP>

# Medusa (parallel hosts)
medusa -M telnet -h targets.txt -U users.txt -P passwords.txt -t 6 -f

Many IoT botnets (Mirai variants) still scan port 23 with small default-credential dictionaries; replicating that logic can quickly identify weak devices.

Exploitation & Post-Exploitation

Metasploit has several useful modules:

  • auxiliary/scanner/telnet/telnet_version – banner and option enumeration.
  • auxiliary/scanner/telnet/brute_telnet – multithreaded brute force.
  • auxiliary/scanner/telnet/telnet_encrypt_overflow – RCE against vulnerable Solaris 9/10 Telnet (ENCRYPT option handling).
  • exploit/linux/mips/netgear_telnetenable – enables the telnet service with a crafted packet on many NETGEAR routers.

After getting a shell, remember that TTYs are usually dumb; upgrade with python -c 'import pty;pty.spawn("/bin/bash")' or use the HackTricks TTY tricks.

Hardening & Detection (Blue team corner)

  1. Use SSH and disable the Telnet service entirely.
  2. If Telnet is required, restrict it to management VLANs only, enforce ACLs and wrap the daemon with TCP wrappers (/etc/hosts.allow).
  3. Replace legacy telnetd with ssl-telnet or telnetd-ssl to add transport encryption, but this only protects data in transit; password guessing remains trivial.
  4. Watch traffic leaving on port 23; attackers often start reverse shells over Telnet to get past strict HTTP egress filters.
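Items 2 and 4 can be checked mechanically. This added example (not part of the page) audits constructed flow records for Telnet into internal hosts from anywhere other than an assumed management VLAN (10.10.0.0/24) and for any Telnet leaving the network, and produces the /etc/hosts.allow and /etc/hosts.deny lines that restrict the daemon to that VLAN. The daemon name `in.telnetd`, the address ranges and the CSV field layout are assumptions to adjust to your own environment.

```python
"""Audit flow records for Telnet that violates the hardening items above (added example)."""
import csv
import io
import ipaddress
from typing import List, Tuple

# Assumed network layout: adjust to your own addressing.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")                  # management VLAN
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
TELNET_PORT = 23


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL)


def audit_flows(csv_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, 'src->dst', finding) for each Telnet flow that breaks policy.

    Item 2: Telnet into an internal host only from the management VLAN.
    Item 4: no Telnet leaving the network at all.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["proto"] != "tcp" or int(row["dport"]) != TELNET_PORT:
            continue
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        pair = f"{src}->{dst}"
        if is_internal(dst) and src not in MGMT_NET:
            findings.append((row["ts"], pair, "telnet to internal host from outside the management VLAN"))
        if is_internal(src) and not is_internal(dst):
            findings.append((row["ts"], pair, "outbound telnet egress (possible reverse shell)"))
    return findings


def tcp_wrappers_rules(daemon: str = "in.telnetd") -> Tuple[str, str]:
    """Lines for /etc/hosts.allow and /etc/hosts.deny restricting the daemon to
    MGMT_NET. The daemon name must match the executable inetd launches
    ('in.telnetd' is assumed here)."""
    allow = f"{daemon}: {MGMT_NET.network_address}/{MGMT_NET.netmask}"
    deny = f"{daemon}: ALL"
    return allow, deny


# Constructed flow records (NetFlow/Zeek-style fields reduced to CSV), not real traffic.
SAMPLE_FLOWS = """ts,src,sport,dst,dport,proto
2026-01-21T10:00:01,10.10.0.5,51000,10.0.1.20,23,tcp
2026-01-21T10:00:05,10.0.5.7,51001,10.0.1.20,23,tcp
2026-01-21T10:00:09,198.51.100.7,40000,10.0.1.20,23,tcp
2026-01-21T10:00:12,10.0.1.20,44000,203.0.113.9,23,tcp
2026-01-21T10:00:15,10.0.1.20,44001,203.0.113.9,443,tcp
2026-01-21T10:00:18,10.0.5.7,51002,10.0.1.20,23,udp
"""

if __name__ == "__main__":
    for ts, pair, finding in audit_flows(SAMPLE_FLOWS):
        print(ts, pair, finding)
    print("\n".join(tcp_wrappers_rules()))
```

The hosts.allow rule only takes effect if the daemon is started through inetd/xinetd (or is itself linked against libwrap), which is why the page lists /etc/inetd.conf and /etc/xinetd.d/telnet as the files to check.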

References

  • D-Link Advisory – CVE-2024-45698 Critical Telnet RCE.
  • NVD – CVE-2022-39028 inetutils telnetd DoS.
  • NVD – CVE-2026-24061.
  • Canadian Centre for Cyber Security Alert AL26-002 (CVE-2026-24061).
  • Debian Security Tracker – CVE-2026-24061 fixed versions.
