maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/network-services-pentesting/pentesting-telnet.md'] to s

Browse Source
This commit is contained in:
Translator 2025-07-13 21:25:20 +00:00
parent cea359482c
commit 553961b599
1 changed files with 61 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
src/network-services-pentesting/pentesting-telnet.md
View File

@ -3,15 +3,15 @@
{{#include ../banners/hacktricks-training.md}}
## **Taarifa za Msingi**
## **Msingi wa Taarifa**
Telnet ni protokali ya mtandao inayowapa watumiaji njia isiyo salama ya kufikia kompyuta kupitia mtandao.
**Bandari ya Kawaida:** 23
**Bandari ya kawaida:** 23
```
23/tcp open telnet
```
## **Uhesabu**
## **Uainishaji**
### **Kuchukua Bango**
```bash
@ -23,7 +23,7 @@ nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>
```
The script `telnet-ntlm-info.nse` itapata taarifa za NTLM (matoleo ya Windows).
From the [telnet RFC](https://datatracker.ietf.org/doc/html/rfc854): Katika Protokali ya TELNET kuna "**options**" mbalimbali ambazo zitakubaliwa na zinaweza kutumika na muundo wa "**DO, DON'T, WILL, WON'T**" ili kumruhusu mtumiaji na seva kukubaliana kutumia seti ya makubaliano ya kina (au labda tofauti tu) kwa ajili ya muunganisho wao wa TELNET. Chaguzi hizo zinaweza kujumuisha kubadilisha seti ya wahusika, hali ya echo, n.k.
Kutoka kwenye [telnet RFC](https://datatracker.ietf.org/doc/html/rfc854): Katika Protokali ya TELNET kuna "**chaguzi**" mbalimbali ambazo zitasimamiwa na zinaweza kutumika na muundo wa "**DO, DON'T, WILL, WON'T**" ili kuruhusu mtumiaji na seva kukubaliana kutumia seti ya makubaliano ya kina zaidi (au labda tofauti tu) kwa ajili ya muunganisho wao wa TELNET. Chaguzi hizo zinaweza kujumuisha kubadilisha seti ya wahusika, hali ya echo, n.k.
**Ninajua inawezekana kuhesabu chaguzi hizi lakini sijui jinsi, hivyo nijulishe kama unajua jinsi.**
@ -67,4 +67,60 @@ Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'
```
{{#include ../banners/hacktricks-training.md}}
### Recent Vulnerabilities (2022-2025)
* **CVE-2024-45698 D-Link Wi-Fi 6 routers (DIR-X4860)**: Huduma ya Telnet iliyojengwa ndani ilikubali akauti za hard-coded na ikashindwa kusafisha ingizo, ikiruhusu RCE isiyo na uthibitisho kama root kupitia amri zilizoundwa kwenye bandari 23. Imefanyiwa marekebisho katika firmware ≥ 1.04B05.
* **CVE-2023-40478 NETGEAR RAX30**: Overflow ya buffer inayotegemea stack katika amri ya Telnet CLI `passwd` inaruhusu mshambuliaji wa karibu kupita uthibitisho na kutekeleza msimbo wa kawaida kama root.
* **CVE-2022-39028 GNU inetutils telnetd**: Mfuatano wa byte mbili (`0xff 0xf7` / `0xff 0xf8`) unachochea dereference ya NULL-pointer ambayo inaweza kusababisha `telnetd` kuanguka, na kusababisha DoS ya kudumu baada ya kuanguka kadhaa.
Hifadhi hizi CVEs akilini wakati wa uchambuzi wa udhaifu—ikiwa lengo linaendesha firmware isiyo na patch au daemon ya Telnet ya zamani ya inetutils unaweza kuwa na njia rahisi ya kutekeleza msimbo au DoS inayosababisha usumbufu.
### Sniffing Credentials & Man-in-the-Middle
Telnet inapeleka kila kitu, ikiwa ni pamoja na akauti, katika **clear-text**. Njia mbili za haraka za kuziteka:
```bash
# Live capture with tcpdump (print ASCII)
sudo tcpdump -i eth0 -A 'tcp port 23 and not src host $(hostname -I | cut -d" " -f1)'
# Wireshark display filter
tcp.port == 23 && (telnet.data || telnet.option)
```
Kwa MITM hai, changanya ARP spoofing (mfano `arpspoof`/`ettercap`) na vichujio vya kunusa sawa ili kukusanya nywila kwenye mitandao iliyopangwa.
### Automated Brute-force / Password Spraying
```bash
# Hydra (stop at first valid login)
hydra -L users.txt -P rockyou.txt -t 4 -f telnet://<IP>
# Ncrack (drop to interactive session on success)
ncrack -p 23 --user admin -P common-pass.txt --connection-limit 4 <IP>
# Medusa (parallel hosts)
medusa -M telnet -h targets.txt -U users.txt -P passwords.txt -t 6 -f
```
Most IoT botnets (Mirai variants) bado zinachunguza port 23 kwa kamusi ndogo za akidi za default—kuakisi mantiki hiyo kunaweza kubaini vifaa dhaifu haraka.
### Ukatili & Baada ya Ukatili
Metasploit ina moduli kadhaa za manufaa:
* `auxiliary/scanner/telnet/telnet_version` uainishaji wa banner & chaguo.
* `auxiliary/scanner/telnet/brute_telnet` bruteforce yenye nyuzi nyingi.
* `auxiliary/scanner/telnet/telnet_encrypt_overflow` RCE dhidi ya Solaris 9/10 Telnet iliyo hatarini (usimamizi wa chaguo ENCRYPT).
* `exploit/linux/mips/netgear_telnetenable` inaruhusu huduma ya telnet kwa pakiti iliyoundwa kwenye router nyingi za NETGEAR.
Baada ya kupata shell kumbuka kwamba **TTYs kwa kawaida ni za kijinga**; sasisha kwa `python -c 'import pty;pty.spawn("/bin/bash")'` au tumia [HackTricks TTY tricks](/generic-hacking/reverse-shells/full-ttys.md).
### Kuimarisha & Ugunduzi (Kona ya timu ya Blue)
1. Prefer SSH na uondoe huduma ya Telnet kabisa.
2. Ikiwa Telnet inahitajika, iunganishe tu na VLAN za usimamizi, enforce ACLs na ufunge daemon na TCP wrappers (`/etc/hosts.allow`).
3. Badilisha utekelezaji wa zamani wa `telnetd` na `ssl-telnet` au `telnetd-ssl` kuongeza usimbaji wa usafirishaji, lakini **hii inalinda tu data-in-transit—kukisia nywila bado ni rahisi**.
4. Fuata trafiki ya nje kuelekea port 23; makosa mara nyingi huzaa shell za kurudi kupitia Telnet ili kupita vichujio vya egress vya HTTP kali.
## Marejeleo
* D-Link Advisory CVE-2024-45698 Critical Telnet RCE.
* NVD CVE-2022-39028 inetutils `telnetd` DoS.
{{#include /banners/hacktricks-training.md}}