hacktricks/network-services-pentesting/pentesting-telnet.md

# 23 - Pentesting Telnet

<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>

## **Basic Information**

Telnet is a network protocol that gives users a UNsecure way to access a computer over a network.

**Default port:** 23

```
23/tcp open  telnet
```

## **Enumeration**

### **Banner Grabbing**

```bash
nc -vn <IP> 23
```

All the interesting enumeration can be performed by **nmap**:

```bash
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>
```

The script `telnet-ntlm-info.nse` will obtain NTLM info (Windows versions).

In the TELNET Protocol are various "**options**" that will be sanctioned and may be used with the "**DO, DON'T, WILL, WON'T**" structure to allow a user and server to agree to use a more elaborate (or perhaps just different) set of conventions for their TELNET connection. Such options could include changing the character set, the echo mode, etc. (From the [telnet RFC](https://tools.ietf.org/html/rfc854))\
**I know it is possible to enumerate this options but I don't know how, so let me know if know how.**

### [Brute force](../generic-methodologies-and-resources/brute-force.md#telnet)

## Config file

```bash
/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet
```

## HackTricks Automatic Commands

```
Protocol_Name: Telnet    #Protocol Abbreviation if there is one.
Port_Number:  23     #Comma separated if there is more than one.
Protocol_Description: Telnet          #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for t=Telnet
  Note: |
    wireshark to hear creds being passed
    tcp.port == 23 and ip.addr != myip

    https://book.hacktricks.xyz/pentesting/pentesting-telnet

Entry_2:
  Name: Banner Grab
  Description: Grab Telnet Banner
  Command: nc -vn {IP} 23

Entry_3:
  Name: Nmap with scripts
  Description: Run nmap scripts for telnet
  Command: nmap -n -sV -Pn --script "*telnet*" -p 23 {IP}
  
  
 Entry_4:
  	Name: consoleless mfs enumeration
  	Description: Telnet enumeration without the need to run msfconsole
  	Note: sourced from https://github.com/carlospolop/legion
  	Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'
  
```

<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>
GitBook: [#3160] No subject 2022-05-01 15:25:53 +02:00			`# 23 - Pentesting Telnet`
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00
			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

			`Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`

			`Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`

			`Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`

			`Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`

			`Share your hacking tricks submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`

			`</details>`

GitBook: [#3160] No subject 2022-05-01 15:25:53 +02:00			`## Basic Information`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
			`Telnet is a network protocol that gives users a UNsecure way to access a computer over a network.`

			`Default port: 23`

GitBook: [#3160] No subject 2022-05-01 15:25:53 +02:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00			`23/tcp open telnet`
			```

GitBook: [#3160] No subject 2022-05-01 15:25:53 +02:00			`## Enumeration`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#3160] No subject 2022-05-01 15:25:53 +02:00			`### Banner Grabbing`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
			```bash
			`nc -vn <IP> 23`
			```

			`All the interesting enumeration can be performed by nmap:`

			```bash
			`nmap -n -sV -Pn --script "telnet and safe" -p 23 <IP>`
			```

GitBook: [#3160] No subject 2022-05-01 15:25:53 +02:00			The script `telnet-ntlm-info.nse` will obtain NTLM info (Windows versions).
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#3160] No subject 2022-05-01 15:25:53 +02:00			`In the TELNET Protocol are various "options" that will be sanctioned and may be used with the "DO, DON'T, WILL, WON'T" structure to allow a user and server to agree to use a more elaborate (or perhaps just different) set of conventions for their TELNET connection. Such options could include changing the character set, the echo mode, etc. (From the [telnet RFC](https://tools.ietf.org/html/rfc854))\`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00			`I know it is possible to enumerate this options but I don't know how, so let me know if know how.`

GitBook: [#3160] No subject 2022-05-01 15:25:53 +02:00			`### [Brute force](../generic-methodologies-and-resources/brute-force.md#telnet)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#3160] No subject 2022-05-01 15:25:53 +02:00			`## Config file`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
			```bash
			`/etc/inetd.conf`
			`/etc/xinetd.d/telnet`
			`/etc/xinetd.d/stelnet`
			```

GitBook: [#3160] No subject 2022-05-01 15:25:53 +02:00			`## HackTricks Automatic Commands`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#3160] No subject 2022-05-01 15:25:53 +02:00			```
HAC telnet 2021-08-12 15:37:00 +02:00			`Protocol_Name: Telnet #Protocol Abbreviation if there is one.`
			`Port_Number: 23 #Comma separated if there is more than one.`
			`Protocol_Description: Telnet #Protocol Abbreviation Spelled out`

23 Yaml 2021-08-15 19:54:03 +02:00			`Entry_1:`
			`Name: Notes`
			`Description: Notes for t=Telnet`
			`Note: \|`
			`wireshark to hear creds being passed`
			`tcp.port == 23 and ip.addr != myip`

			`https://book.hacktricks.xyz/pentesting/pentesting-telnet`

			`Entry_2:`
			`Name: Banner Grab`
			`Description: Grab Telnet Banner`
			`Command: nc -vn {IP} 23`

			`Entry_3:`
			`Name: Nmap with scripts`
			`Description: Run nmap scripts for telnet`
			`Command: nmap -n -sV -Pn --script "telnet" -p 23 {IP}`
consoleless mfs enumeration Description: Telnet enumeration without the need to run msfconsole Note: sourced from https://github.com/carlospolop/legion 2021-10-20 20:47:01 +02:00

Fixing type O Fat fingered typeO 2021-10-27 15:09:33 +02:00			`Entry_4:`
consoleless mfs enumeration Description: Telnet enumeration without the need to run msfconsole Note: sourced from https://github.com/carlospolop/legion 2021-10-20 20:47:01 +02:00			`Name: consoleless mfs enumeration`
			`Description: Telnet enumeration without the need to run msfconsole`
			`Note: sourced from https://github.com/carlospolop/legion`
			`Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'`

HAC telnet 2021-08-12 15:37:00 +02:00			```
GitBook: [master] 7 pages and 16 assets modified 2021-08-14 11:02:12 +02:00
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

			`Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`

			`Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`

			`Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`

			`Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`

			`Share your hacking tricks submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`

			`</details>`