
# 23 - Pentesting Telnet
{{#include ../banners/hacktricks-training.md}}
## **Basic Information**
Telnet is a network protocol that gives users an insecure way to access a computer over a network.
**Default port:** 23
```
23/tcp open telnet
```
## **Enumeration**
### **Banner Grabbing**
```bash
nc -vn <IP> 23
```
All the interesting enumeration can be performed by **nmap**:
```bash
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>
```
The script `telnet-ntlm-info.nse` will obtain NTLM info (Windows versions).
From the [telnet RFC](https://datatracker.ietf.org/doc/html/rfc854): In the TELNET Protocol are various "**options**" that will be sanctioned and may be used with the "**DO, DON'T, WILL, WON'T**" structure to allow a user and server to agree to use a more elaborate (or perhaps just different) set of conventions for their TELNET connection. Such options could include changing the character set, the echo mode, etc.
**I know it is possible to enumerate these options but I don't know how, so let me know if you know how.**
### [Brute force](../generic-hacking/brute-force.md#telnet)
## Config file
```bash
/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet
```
## HackTricks Automatic Commands
```
Protocol_Name: Telnet #Protocol Abbreviation if there is one.
Port_Number: 23 #Comma separated if there is more than one.
Protocol_Description: Telnet #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for Telnet
Note: |
wireshark to hear creds being passed
tcp.port == 23 and ip.addr != myip
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-telnet.html
Entry_2:
Name: Banner Grab
Description: Grab Telnet Banner
Command: nc -vn {IP} 23
Entry_3:
Name: Nmap with scripts
Description: Run nmap scripts for telnet
Command: nmap -n -sV -Pn --script "*telnet*" -p 23 {IP}
Entry_4:
Name: consoleless msf enumeration
Description: Telnet enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'
```
### Recent Vulnerabilities (2022-2025)
* **CVE-2024-45698 D-Link Wi-Fi 6 routers (DIR-X4860)**: The built-in Telnet service accepted hard-coded credentials and failed to sanitise input, allowing unauthenticated remote RCE as root via crafted commands on port 23. Fixed in firmware ≥ 1.04B05.
* **CVE-2023-40478 NETGEAR RAX30**: Stack-based buffer overflow in the Telnet CLI `passwd` command lets an adjacent attacker bypass authentication and execute arbitrary code as root.
* **CVE-2022-39028 GNU inetutils telnetd**: A two-byte sequence (`0xff 0xf7` / `0xff 0xf8`) triggers a NULL-pointer dereference that can crash `telnetd`, resulting in a persistent DoS after several crashes.
Keep these CVEs in mind during vulnerability triage: if the target is running unpatched firmware or a legacy inetutils Telnet daemon you may have a straightforward path to code execution or a disruptive DoS.
### Sniffing Credentials & Man-in-the-Middle
Telnet transmits everything, including credentials, in **clear-text**. Two quick ways to capture them:
```bash
# Live capture with tcpdump (print ASCII)
sudo tcpdump -i eth0 -A 'tcp port 23 and not src host $(hostname -I | cut -d" " -f1)'
# Wireshark display filter
tcp.port == 23 && (telnet.data || telnet.option)
```
For active MITM, combine ARP spoofing (e.g. `arpspoof`/`ettercap`) with the same sniffing filters to harvest passwords on switched networks.
### Automated Brute-force / Password Spraying
```bash
# Hydra (stop at first valid login)
hydra -L users.txt -P rockyou.txt -t 4 -f telnet://<IP>
# Ncrack (drop to interactive session on success)
ncrack -p 23 --user admin -P common-pass.txt --connection-limit 4 <IP>
# Medusa (parallel hosts)
medusa -M telnet -h targets.txt -U users.txt -P passwords.txt -t 6 -f
```
Most IoT botnets (Mirai variants) still scan port 23 with small default-credential dictionaries—mirroring that logic can quickly identify weak devices.
### Exploitation & Post-Exploitation
Metasploit has several useful modules:
* `auxiliary/scanner/telnet/telnet_version` banner & option enumeration.
* `auxiliary/scanner/telnet/brute_telnet` multithreaded bruteforce.
* `auxiliary/scanner/telnet/telnet_encrypt_overflow` RCE against vulnerable Solaris 9/10 Telnet (option ENCRYPT handling).
* `exploit/linux/mips/netgear_telnetenable` enables telnet service with a crafted packet on many NETGEAR routers.
After a shell is obtained remember that **TTYs are usually dumb**; upgrade with `python -c 'import pty;pty.spawn("/bin/bash")'` or use the [HackTricks TTY tricks](/generic-hacking/reverse-shells/full-ttys.md).
### Hardening & Detection (Blue team corner)
1. Prefer SSH and disable Telnet service completely.
2. If Telnet is required, bind it to management VLANs only, enforce ACLs and wrap the daemon with TCP wrappers (`/etc/hosts.allow`).
3. Replace legacy `telnetd` implementations with `ssl-telnet` or `telnetd-ssl` to add transport encryption, but **this only protects data-in-transit—password-guessing remains trivial**.
4. Monitor for outbound traffic to port 23; compromises often spawn reverse shells over Telnet to bypass strict-HTTP egress filters.
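For item 4, a direction-aware check over Zeek `conn.log` rows, as an added example (not from the original page): it assumes the first seven conn.log columns in Zeek's standard order and treats the RFC 1918 ranges as the internal address space; the log rows are constructed.

```python
# Direction-aware check for Telnet (tcp/23) flows in Zeek conn.log rows. Added
# example, not from the original page; log rows are constructed and the RFC 1918
# ranges are assumed to be the "internal" address space.
import ipaddress

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# First seven columns of a standard Zeek conn.log; later columns are ignored
FIELDS = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto")

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def classify(line: str):
    """Return 'inbound', 'outbound', 'internal' or 'external' for tcp/23 rows, else None."""
    if line.startswith("#"):                       # Zeek header/comment lines
        return None
    parts = line.rstrip("\n").split("\t")
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["proto"] != "tcp" or rec["id.resp_p"] != "23":
        return None
    src_in, dst_in = is_internal(rec["id.orig_h"]), is_internal(rec["id.resp_h"])
    if src_in and not dst_in:
        return "outbound"    # internal host talking to external telnet: egress alert
    if dst_in and not src_in:
        return "inbound"     # external source reaching an internal telnet service
    return "internal" if src_in else "external"   # lateral traffic, or transit we only observe

def telnet_alerts(log: str):
    """Group matching rows by direction as 'orig -> resp' strings."""
    out = {}
    for line in log.splitlines():
        kind = classify(line)
        if kind:
            rec = dict(zip(FIELDS, line.split("\t")))
            out.setdefault(kind, []).append(f"{rec['id.orig_h']} -> {rec['id.resp_h']}")
    return out

# Constructed sample rows (ts uid orig_h orig_p resp_h resp_p proto service)
SAMPLE_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "1700000000.1\tC1\t203.0.113.7\t51000\t10.0.0.5\t23\ttcp\ttelnet",
    "1700000001.2\tC2\t10.0.0.9\t40000\t198.51.100.4\t23\ttcp\t-",
    "1700000002.3\tC3\t10.0.0.9\t40001\t198.51.100.4\t443\ttcp\tssl",
    "1700000003.4\tC4\t192.168.1.10\t40002\t192.168.1.20\t23\ttcp\ttelnet",
])
```

The `outbound` bucket is the one item 4 is about; `inbound` rows show which internal hosts still expose Telnet and belong with items 1 and 2.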
## References
* D-Link Advisory CVE-2024-45698 Critical Telnet RCE.
* NVD CVE-2022-39028 inetutils `telnetd` DoS.
{{#include ../banners/hacktricks-training.md}}