Merge pull request #1096 from HackTricks-wiki/research_update_src_network-services-pentesting_pentesting-telnet_20250711_082533

Research Update Enhanced src/network-services-pentesting/pen...

src/network-services-pentesting/pentesting-telnet.md

@@ -77,8 +77,66 @@ Entry_4:
 
 ```
 
+### Recent Vulnerabilities (2022-2025)
 
-{{#include ../banners/hacktricks-training.md}}
+* **CVE-2024-45698 – D-Link Wi-Fi 6 routers (DIR-X4860)**: The built-in Telnet service accepted hard-coded credentials and failed to sanitise input, allowing unauthenticated remote RCE as root via crafted commands on port 23. Fixed in firmware ≥ 1.04B05.
+* **CVE-2023-40478 – NETGEAR RAX30**: Stack-based buffer overflow in the Telnet CLI `passwd` command lets an adjacent attacker bypass authentication and execute arbitrary code as root.
+* **CVE-2022-39028 – GNU inetutils telnetd**: A two-byte sequence (`0xff 0xf7` / `0xff 0xf8`) triggers a NULL-pointer dereference that can crash `telnetd`, resulting in a persistent DoS after several crashes.
+
+Keep these CVEs in mind during vulnerability triage—if the target is running an un-patched firmware or legacy inetutils Telnet daemon you may have a straight-forward path to code-execution or a disruptive DoS.
+
+### Sniffing Credentials & Man-in-the-Middle
+
+Telnet transmits everything, including credentials, in **clear-text**. Two quick ways to capture them:
+
+```bash
+# Live capture with tcpdump (print ASCII)
+sudo tcpdump -i eth0 -A 'tcp port 23 and not src host $(hostname -I | cut -d" " -f1)'
+
+# Wireshark display filter
+ tcp.port == 23 && (telnet.data || telnet.option)
+```
+For active MITM, combine ARP spoofing (e.g. `arpspoof`/`ettercap`) with the same sniffing filters to harvest passwords on switched networks.
+
+### Automated Brute-force / Password Spraying
+
+```bash
+# Hydra (stop at first valid login)
+hydra -L users.txt -P rockyou.txt -t 4 -f telnet://<IP>
+
+# Ncrack (drop to interactive session on success)
+ncrack -p 23 --user admin -P common-pass.txt --connection-limit 4 <IP>
+
+# Medusa (parallel hosts)
+medusa -M telnet -h targets.txt -U users.txt -P passwords.txt -t 6 -f
+```
+Most IoT botnets (Mirai variants) still scan port 23 with small default-credential dictionaries—mirroring that logic can quickly identify weak devices.
+
+### Exploitation & Post-Exploitation
+
+Metasploit has several useful modules:
+
+* `auxiliary/scanner/telnet/telnet_version` – banner & option enumeration.
+* `auxiliary/scanner/telnet/brute_telnet` – multithreaded bruteforce.
+* `auxiliary/scanner/telnet/telnet_encrypt_overflow` – RCE against vulnerable Solaris 9/10 Telnet (option ENCRYPT handling).
+* `exploit/linux/mips/netgear_telnetenable` – enables telnet service with a crafted packet on many NETGEAR routers.
+
+After a shell is obtained remember that **TTYs are usually dumb**; upgrade with `python -c 'import pty;pty.spawn("/bin/bash")'` or use the [HackTricks TTY tricks](/generic-hacking/reverse-shells/full-ttys.md).
+
+### Hardening & Detection (Blue team corner)
+
+1. Prefer SSH and disable Telnet service completely.  
+2. If Telnet is required, bind it to management VLANs only, enforce ACLs and wrap the daemon with TCP wrappers (`/etc/hosts.allow`).  
+3. Replace legacy `telnetd` implementations with `ssl-telnet` or `telnetd-ssl` to add transport encryption, but **this only protects data-in-transit—password-guessing remains trivial**.  
+4. Monitor for outbound traffic to port 23; compromises often spawn reverse shells over Telnet to bypass strict-HTTP egress filters.
+
+## References
+
+* D-Link Advisory – CVE-2024-45698 Critical Telnet RCE.  
+* NVD – CVE-2022-39028 inetutils `telnetd` DoS.
 
 
 
+
+
+{{#include /banners/hacktricks-training.md}}