# 23 - Pentesting Telnet {{#include ../banners/hacktricks-training.md}} ## **Basic Information** Telnet is a network protocol that gives users a UNsecure way to access a computer over a network. **Default port:** 23 ``` 23/tcp open telnet ``` ## **Enumeration** ### **Banner Grabbing** ```bash nc -vn 23 ``` All the interesting enumeration can be performed by **nmap**: ```bash nmap -n -sV -Pn --script "*telnet* and safe" -p 23 ``` The script `telnet-ntlm-info.nse` will obtain NTLM info (Windows versions). From the [telnet RFC](https://datatracker.ietf.org/doc/html/rfc854): In the TELNET Protocol are various "**options**" that will be sanctioned and may be used with the "**DO, DON'T, WILL, WON'T**" structure to allow a user and server to agree to use a more elaborate (or perhaps just different) set of conventions for their TELNET connection. Such options could include changing the character set, the echo mode, etc. **I know it is possible to enumerate this options but I don't know how, so let me know if know how.** ### [Brute force](../generic-hacking/brute-force.md#telnet) ## Config file ```bash /etc/inetd.conf /etc/xinetd.d/telnet /etc/xinetd.d/stelnet ``` ## HackTricks Automatic Commands ``` Protocol_Name: Telnet #Protocol Abbreviation if there is one. Port_Number: 23 #Comma separated if there is more than one. Protocol_Description: Telnet #Protocol Abbreviation Spelled out Entry_1: Name: Notes Description: Notes for t=Telnet Note: | wireshark to hear creds being passed tcp.port == 23 and ip.addr != myip https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-telnet.html Entry_2: Name: Banner Grab Description: Grab Telnet Banner Command: nc -vn {IP} 23 Entry_3: Name: Nmap with scripts Description: Run nmap scripts for telnet Command: nmap -n -sV -Pn --script "*telnet*" -p 23 {IP} Entry_4: Name: consoleless mfs enumeration Description: Telnet enumeration without the need to run msfconsole Note: sourced from https://github.com/carlospolop/legion Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit' ``` ### Recent Vulnerabilities (2022-2025) * **CVE-2024-45698 – D-Link Wi-Fi 6 routers (DIR-X4860)**: The built-in Telnet service accepted hard-coded credentials and failed to sanitise input, allowing unauthenticated remote RCE as root via crafted commands on port 23. Fixed in firmware ≥ 1.04B05. * **CVE-2023-40478 – NETGEAR RAX30**: Stack-based buffer overflow in the Telnet CLI `passwd` command lets an adjacent attacker bypass authentication and execute arbitrary code as root. * **CVE-2022-39028 – GNU inetutils telnetd**: A two-byte sequence (`0xff 0xf7` / `0xff 0xf8`) triggers a NULL-pointer dereference that can crash `telnetd`, resulting in a persistent DoS after several crashes. Keep these CVEs in mind during vulnerability triage—if the target is running an un-patched firmware or legacy inetutils Telnet daemon you may have a straight-forward path to code-execution or a disruptive DoS. ### Sniffing Credentials & Man-in-the-Middle Telnet transmits everything, including credentials, in **clear-text**. Two quick ways to capture them: ```bash # Live capture with tcpdump (print ASCII) sudo tcpdump -i eth0 -A 'tcp port 23 and not src host $(hostname -I | cut -d" " -f1)' # Wireshark display filter tcp.port == 23 && (telnet.data || telnet.option) ``` For active MITM, combine ARP spoofing (e.g. `arpspoof`/`ettercap`) with the same sniffing filters to harvest passwords on switched networks. ### Automated Brute-force / Password Spraying ```bash # Hydra (stop at first valid login) hydra -L users.txt -P rockyou.txt -t 4 -f telnet:// # Ncrack (drop to interactive session on success) ncrack -p 23 --user admin -P common-pass.txt --connection-limit 4 # Medusa (parallel hosts) medusa -M telnet -h targets.txt -U users.txt -P passwords.txt -t 6 -f ``` Most IoT botnets (Mirai variants) still scan port 23 with small default-credential dictionaries—mirroring that logic can quickly identify weak devices. ### Exploitation & Post-Exploitation Metasploit has several useful modules: * `auxiliary/scanner/telnet/telnet_version` – banner & option enumeration. * `auxiliary/scanner/telnet/brute_telnet` – multithreaded bruteforce. * `auxiliary/scanner/telnet/telnet_encrypt_overflow` – RCE against vulnerable Solaris 9/10 Telnet (option ENCRYPT handling). * `exploit/linux/mips/netgear_telnetenable` – enables telnet service with a crafted packet on many NETGEAR routers. After a shell is obtained remember that **TTYs are usually dumb**; upgrade with `python -c 'import pty;pty.spawn("/bin/bash")'` or use the [HackTricks TTY tricks](/generic-hacking/reverse-shells/full-ttys.md). ### Hardening & Detection (Blue team corner) 1. Prefer SSH and disable Telnet service completely. 2. If Telnet is required, bind it to management VLANs only, enforce ACLs and wrap the daemon with TCP wrappers (`/etc/hosts.allow`). 3. Replace legacy `telnetd` implementations with `ssl-telnet` or `telnetd-ssl` to add transport encryption, but **this only protects data-in-transit—password-guessing remains trivial**. 4. Monitor for outbound traffic to port 23; compromises often spawn reverse shells over Telnet to bypass strict-HTTP egress filters. ## References * D-Link Advisory – CVE-2024-45698 Critical Telnet RCE. * NVD – CVE-2022-39028 inetutils `telnetd` DoS. {{#include ../banners/hacktricks-training.md}}