# 23 - Pentesting Telnet
{{#include ../banners/hacktricks-training.md}}
## Basic Information

Telnet is a network protocol that gives users an insecure way to access a computer over a network.

**Default port:** 23

```
23/tcp open telnet
```
## Enumeration

### Banner Grabbing

```bash
nc -vn <IP> 23
```

All the interesting enumeration can be performed with nmap:

```bash
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>
```
The script `telnet-ntlm-info.nse` will obtain NTLM info (Windows versions).

From the telnet RFC: In the TELNET Protocol are various "options" that will be sanctioned and may be used with the "DO, DON'T, WILL, WON'T" structure to allow a user and server to agree to use a more elaborate (or perhaps just different) set of conventions for their TELNET connection. Such options could include changing the character set, the echo mode, etc.

I know it is possible to enumerate these options but I don't know how, so let me know if you know how.
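As an added example (not code from HackTricks or from any of the tools named on this page), the following Python decoder walks one direction of a Telnet byte stream, as you would pull it out of a Wireshark or tcpdump capture, and turns the RFC 854 `IAC DO/DON'T/WILL/WON'T` bytes into a list of which options the sender offered or requested. It also labels bare `IAC` commands (including the `0xff 0xf7` / `0xff 0xf8` bytes cited in the CVE-2022-39028 entry below, which are `IAC EC` and `IAC EL`) and `IAC SB ... IAC SE` subnegotiations, so a reviewer can recognise them in a capture. The option numbers are the standard ones from the IANA Telnet options registry; the sample server greeting at the bottom is constructed, not captured from a real host.

```python
"""Decode Telnet option negotiation (RFC 854 IAC DO/DONT/WILL/WONT) from a
raw byte stream. Added example, not HackTricks code; the sample stream at
the bottom is constructed, not captured from a real host."""

IAC = 0xFF
SB, SE = 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE

# Bare IAC command codes from RFC 854 (EC and EL are the 0xf7/0xf8 bytes
# mentioned in the CVE-2022-39028 entry on this page).
COMMAND_NAMES = {0xF0: "SE", 0xF1: "NOP", 0xF2: "DM", 0xF3: "BRK", 0xF4: "IP",
                 0xF5: "AO", 0xF6: "AYT", 0xF7: "EC", 0xF8: "EL", 0xF9: "GA",
                 0xFA: "SB", 0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}

# Common option numbers from the IANA Telnet options registry.
OPTION_NAMES = {0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 5: "STATUS",
                6: "TIMING-MARK", 24: "TERMINAL-TYPE", 31: "NAWS",
                32: "TERMINAL-SPEED", 33: "REMOTE-FLOW-CONTROL", 34: "LINEMODE",
                36: "ENVIRON", 37: "AUTHENTICATION", 38: "ENCRYPT", 39: "NEW-ENVIRON"}


def option_name(opt):
    return OPTION_NAMES.get(opt, f"OPT-{opt}")


def parse_telnet_stream(data: bytes):
    """Split one direction of a Telnet stream into events:
    ('data', bytes), ('negotiation', cmd, option), ('subnegotiation', option, payload),
    ('command', name) for bare IAC commands, or ('truncated', bytes)."""
    events = []
    text = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 < n and data[i + 1] == IAC:   # IAC IAC escapes a literal 0xff
            text.append(IAC)
            i += 2
            continue
        if text:                                 # flush user data before a command
            events.append(("data", bytes(text)))
            text = bytearray()
        if i + 1 >= n:
            events.append(("truncated", bytes(data[i:])))
            break
        cmd = data[i + 1]
        if cmd in (WILL, WONT, DO, DONT):
            if i + 2 >= n:
                events.append(("truncated", bytes(data[i:])))
                break
            events.append(("negotiation", COMMAND_NAMES[cmd], option_name(data[i + 2])))
            i += 3
        elif cmd == SB:                          # IAC SB <opt> ... IAC SE
            j, body, closed = i + 2, bytearray(), False
            while j < n:
                if data[j] == IAC and j + 1 < n and data[j + 1] == SE:
                    closed = True
                    break
                if data[j] == IAC and j + 1 < n and data[j + 1] == IAC:
                    body.append(IAC)
                    j += 2
                    continue
                body.append(data[j])
                j += 1
            if not closed:
                events.append(("truncated", bytes(data[i:])))
                break
            opt = option_name(body[0]) if body else "OPT-?"
            events.append(("subnegotiation", opt, bytes(body[1:])))
            i = j + 2
        else:
            events.append(("command", COMMAND_NAMES.get(cmd, f"0x{cmd:02x}")))
            i += 2
    if text:
        events.append(("data", bytes(text)))
    return events


def summarize_negotiation(events):
    """Which options the sender offered (WILL/WONT) or requested (DO/DONT)."""
    summary = {"WILL": [], "WONT": [], "DO": [], "DONT": []}
    for ev in events:
        if ev[0] == "negotiation":
            summary[ev[1]].append(ev[2])
    return summary


# Constructed server-to-client greeting: a typical telnetd asks for the terminal
# type and window size, announces it will echo and suppress go-ahead, then prompts.
SAMPLE_SERVER_STREAM = (bytes([IAC, DO, 24, IAC, DO, 31, IAC, WILL, 1, IAC, WILL, 3])
                        + b"Constructed telnet banner\r\nlogin: ")

if __name__ == "__main__":
    evs = parse_telnet_stream(SAMPLE_SERVER_STREAM)
    for ev in evs:
        print(ev)
    print(summarize_negotiation(evs))
```

Feed it the server-to-client bytes of a capture (for example the "Follow TCP Stream" raw export from Wireshark) and the `summarize_negotiation` output is the option list the daemon advertises before authentication; seeing `WILL ENCRYPT` or `WILL AUTHENTICATION` there tells you the server at least supports those options, while their absence confirms the session is plain text end to end.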
## Brute force
## Config file

```
/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet
```
## HackTricks Automatic Commands

```yaml
Protocol_Name: Telnet    #Protocol Abbreviation if there is one.
Port_Number:  23     #Comma separated if there is more than one.
Protocol_Description: Telnet         #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for Telnet
  Note: |
    wireshark to hear creds being passed
    tcp.port == 23 and ip.addr != myip

    https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-telnet.html

Entry_2:
  Name: Banner Grab
  Description: Grab Telnet Banner
  Command: nc -vn {IP} 23

Entry_3:
  Name: Nmap with scripts
  Description: Run nmap scripts for telnet
  Command: nmap -n -sV -Pn --script "*telnet*" -p 23 {IP}

Entry_4:
  Name: consoleless mfs enumeration
  Description: Telnet enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'
```
## Recent Vulnerabilities (2022-2025)

- CVE-2024-45698 – D-Link Wi-Fi 6 routers (DIR-X4860): The built-in Telnet service accepted hard-coded credentials and failed to sanitise input, allowing unauthenticated RCE as root via crafted commands on port 23. Fixed in firmware ≥ 1.04B05.
- CVE-2023-40478 – NETGEAR RAX30: A stack-based buffer overflow in the Telnet CLI command `passwd` allows an adjacent attacker to bypass authentication and execute arbitrary code as root.
- CVE-2022-39028 – GNU inetutils telnetd: A two-byte sequence (`0xff 0xf7` / `0xff 0xf8`) triggers a NULL pointer dereference that can make `telnetd` crash, causing a persistent DoS after several crashes.
Keep these CVEs in mind during vulnerability triage—if the target is running unpatched firmware or a legacy inetutils Telnet daemon you may have a straightforward path to code execution or a disruptive DoS.
## Sniffing Credentials & Man-in-the-Middle

Telnet transmits everything, including credentials, in clear text. Two quick ways to capture them:

```bash
# Live capture with tcpdump (print ASCII)
sudo tcpdump -i eth0 -A 'tcp port 23 and not src host $(hostname -I | cut -d" " -f1)'

# Wireshark display filter
tcp.port == 23 && (telnet.data || telnet.option)
```

For an active MITM, combine ARP spoofing (e.g. `arpspoof`/`ettercap`) with the same sniffing filters to harvest passwords on switched networks.
## Automated Brute-force / Password Spraying

```bash
# Hydra (stop at first valid login)
hydra -L users.txt -P rockyou.txt -t 4 -f telnet://<IP>

# Ncrack (drop to interactive session on success)
ncrack -p 23 --user admin -P common-pass.txt --connection-limit 4 <IP>

# Medusa (parallel hosts)
medusa -M telnet -h targets.txt -U users.txt -P passwords.txt -t 6 -f
```

Most IoT botnets (Mirai variants) still scan port 23 with small dictionaries of default credentials—mirroring that logic can quickly identify weak devices.
## Exploitation & Post-Exploitation

Metasploit has several useful modules:

- `auxiliary/scanner/telnet/telnet_version` – banner & option fingerprinting.
- `auxiliary/scanner/telnet/brute_telnet` – multi-threaded brute force.
- `auxiliary/scanner/telnet/telnet_encrypt_overflow` – RCE against vulnerable Solaris 9/10 Telnet (ENCRYPT option handling).
- `exploit/linux/mips/netgear_telnetenable` – enables the telnet service with a crafted packet on many NETGEAR routers.

After getting a shell remember that TTYs are usually dumb; upgrade with `python -c 'import pty;pty.spawn("/bin/bash")'` or use the HackTricks TTY tricks.
## Hardening & Detection (Blue team corner)

- Prefer SSH and remove the Telnet service entirely.
- If Telnet is required, bind it only to management VLANs, enforce ACLs and wrap the daemon with TCP wrappers (`/etc/hosts.allow`).
- Replace legacy `telnetd` implementations with `ssl-telnet` or `telnetd-ssl` to add transport encryption, but this only protects data in transit; password guessing is still trivial.
- Monitor outbound traffic to port 23; compromises often spawn reverse shells over Telnet to bypass strict HTTP egress filters.
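The following Python script is an added example (not HackTricks code) that turns the detection points above, and the Mirai-style port 23 sweeping noted in the brute-force section, into three checks run over flow records: outbound Telnet from an internal host (the egress rule), internal Telnet sessions that do not originate from the management VLAN (the "bind it only to management VLANs" rule), and one external source reaching many distinct internal hosts on port 23 inside a short window (the default-credential sweep). The network ranges and the flow lines are constructed for the example; the record format ("epoch src dst dport") is an assumption and would be adapted to whatever your flow exporter or Zeek `conn.log` produces.

```python
"""Spot the three Telnet traffic patterns flagged in the hardening list above:
outbound Telnet from inside the network, Telnet to internal hosts from outside
the management VLAN, and a single external source sweeping many internal hosts
on port 23 (the Mirai-style default-credential scanning pattern). Added example,
not HackTricks code; the flow records and network ranges are constructed."""

import ipaddress
from collections import Counter, defaultdict

# Assumed address plan (constructed): 10.0.0.0/8 is internal, 10.0.5.0/24 is the
# management VLAN that is the only legitimate source of Telnet sessions.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
MGMT_VLAN = ipaddress.ip_network("10.0.5.0/24")
TELNET_PORT = 23

# Constructed flow records: "epoch_seconds src_ip dst_ip dst_port" per line.
SAMPLE_FLOWS = """\
1700000000 10.0.5.21 10.0.1.10 23
1700000001 203.0.113.7 10.0.1.10 23
1700000002 203.0.113.7 10.0.1.11 23
1700000003 203.0.113.7 10.0.1.12 23
1700000004 203.0.113.7 10.0.1.13 23
1700000005 203.0.113.7 10.0.1.14 23
1700000010 10.0.1.10 198.51.100.9 23
1700000011 10.0.1.10 198.51.100.9 443
1700000020 10.0.3.4 10.0.1.10 22
1700000030 10.0.7.8 10.0.1.10 23
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append({"ts": int(ts), "src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst), "dport": int(dport)})
    return flows


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def per_flow_alerts(flows):
    """Egress Telnet and Telnet from non-management internal hosts."""
    alerts = []
    for f in flows:
        if f["dport"] != TELNET_PORT:
            continue
        src, dst = f["src"], f["dst"]
        if is_internal(src) and not is_internal(dst):
            alerts.append(("telnet_egress", str(src), str(dst)))
        elif is_internal(src) and is_internal(dst) and src not in MGMT_VLAN:
            alerts.append(("telnet_from_non_mgmt", str(src), str(dst)))
    return alerts


def sweep_alerts(flows, threshold=5, window=60):
    """One external source reaching >= threshold distinct internal hosts on
    port 23 within `window` seconds (sliding window per source)."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] == TELNET_PORT and is_internal(f["dst"]) and not is_internal(f["src"]):
            by_src[f["src"]].append((f["ts"], f["dst"]))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        distinct = Counter()
        left = 0
        for ts, dst in hits:
            distinct[dst] += 1
            while ts - hits[left][0] > window:   # drop hits outside the window
                old = hits[left][1]
                distinct[old] -= 1
                if distinct[old] == 0:
                    del distinct[old]
                left += 1
            if len(distinct) >= threshold:
                alerts.append(("telnet_sweep", str(src), len(distinct)))
                break
    return alerts


def analyze(text, threshold=5, window=60):
    flows = parse_flows(text)
    return per_flow_alerts(flows) + sweep_alerts(flows, threshold, window)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(alert)
```

On the constructed sample this yields one egress alert (10.0.1.10 talking Telnet to 198.51.100.9), one non-management alert (10.0.7.8 reaching an internal host on port 23) and one sweep alert for 203.0.113.7, while the session from the management VLAN and the SSH/HTTPS flows stay silent. The sweep threshold and window are the knobs to tune against your own baseline; the egress rule should effectively never fire on a network where Telnet has been retired, which is exactly what makes it a cheap, high-signal detection.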
## References

- D-Link Advisory – CVE-2024-45698 Critical Telnet RCE.
- NVD – CVE-2022-39028 inetutils `telnetd` DoS.
{{#include ../banners/hacktricks-training.md}}