Introduction¶
Telnet is a protocol used for remote text-based communication over a network. While it provides terminal access similar to SSH, Telnet transmits data in plaintext, making it inherently insecure and prone to interception.
Telnet Enumeration Techniques¶
Use following commands to discover and inspect Telnet services:
| Command | Description |
|---|---|
telnet [IP-ADDRESS] [PORT] |
Starts a Telnet session for banner grabbing and initial reconnaissance. |
nmap -p 23 [TARGET-IP] |
Checks if the default Telnet port (23) is open. |
nmap -n -sV -Pn --script "*telnet*" -p 23 [TARGET-IP] |
Detects service version and runs Telnet-specific NSE scripts for deeper analysis. |
Brute-Forcing Telnet Credentials¶
Hydra can be used to test credentials under various scenarios:
| Scenario | Command |
|---|---|
| Unknown User | hydra -L user.txt -p "Password" -f [TARGET-IP] telnet |
| Unknown Password | hydra -l user -P /opt/rockyou.txt -f [TARGET-IP] telnet |
| Unknown User and Password | hydra -L user.txt -P /opt/rockyou.txt -f [TARGET-IP] telnet |
| Different Port | hydra -l user -P /opt/rockyou.txt -f [TARGET-IP] telnet -s 9999 |
Automating Exploitation with Metasploit¶
Metasploit offers modules for both scanning and exploiting Telnet services:
| Command | Description |
|---|---|
msfconsole, search telnet, use exploit/[MODULE-PATH], set RHOSTS [TARGET-IP], run |
Runs a Telnet exploit module from Metasploit’s library. |
msfconsole, use auxiliary/scanner/telnet/telnet_version, set RHOSTS [TARGET-IP], run |
Identifies Telnet service version and potential vulnerabilities. |
Key Configuration Files¶
These files control how Telnet operates on a system:
| File Path | Description |
|---|---|
/etc/inetd.conf |
Configuration file for services controlled by inetd, including Telnet. |
/etc/xinetd.d/telnet |
Telnet-specific config for systems using xinetd as the service manager. |
/etc/xinetd.d/stelnet |
Configuration for "secure Telnet" (stelnet), if present. Used for encrypted connections. |