hacktricks/network-services-pentesting/pentesting-telnet.md

# 23 - Pentesting Telnet

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

<figure><img src="/.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>

**Ottieni la prospettiva di un hacker sulle tue app web, rete e cloud**

**Trova e segnala vulnerabilità critiche e sfruttabili con un reale impatto sul business.** Usa i nostri oltre 20 strumenti personalizzati per mappare la superficie di attacco, trovare problemi di sicurezza che ti permettano di elevare i privilegi e utilizzare exploit automatizzati per raccogliere prove essenziali, trasformando il tuo duro lavoro in report persuasivi.

{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}

## **Informazioni di base**

Telnet è un protocollo di rete che offre agli utenti un modo NON sicuro per accedere a un computer tramite una rete.

**Porta predefinita:** 23
```
23/tcp open  telnet
```
## **Enumerazione**

### **Acquisizione del Banner**
```bash
nc -vn <IP> 23
```
Tutta l'enumerazione interessante può essere eseguita da **nmap**:
```bash
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>
```
Lo script `telnet-ntlm-info.nse` otterrà informazioni NTLM (versioni di Windows).

Dalla [telnet RFC](https://datatracker.ietf.org/doc/html/rfc854): Nel Protocollo TELNET ci sono varie "**opzioni**" che saranno sanzionate e possono essere utilizzate con la struttura "**DO, DON'T, WILL, WON'T**" per consentire a un utente e a un server di concordare l'uso di un insieme più elaborato (o forse semplicemente diverso) di convenzioni per la loro connessione TELNET. Tali opzioni potrebbero includere la modifica del set di caratteri, la modalità di eco, ecc.

**So che è possibile enumerare queste opzioni, ma non so come, quindi fammi sapere se sai come.**

### [Brute force](../generic-methodologies-and-resources/brute-force.md#telnet)

## Config file
```bash
/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet
```
## HackTricks Comandi Automatici
```
Protocol_Name: Telnet    #Protocol Abbreviation if there is one.
Port_Number:  23     #Comma separated if there is more than one.
Protocol_Description: Telnet          #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for t=Telnet
Note: |
wireshark to hear creds being passed
tcp.port == 23 and ip.addr != myip

https://book.hacktricks.xyz/pentesting/pentesting-telnet

Entry_2:
Name: Banner Grab
Description: Grab Telnet Banner
Command: nc -vn {IP} 23

Entry_3:
Name: Nmap with scripts
Description: Run nmap scripts for telnet
Command: nmap -n -sV -Pn --script "*telnet*" -p 23 {IP}

Entry_4:
Name: consoleless mfs enumeration
Description: Telnet enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'

```
<figure><img src="/.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>

**Ottieni la prospettiva di un hacker sulle tue app web, rete e cloud**

**Trova e segnala vulnerabilità critiche ed exploitabili con un impatto reale sul business.** Usa i nostri oltre 20 strumenti personalizzati per mappare la superficie di attacco, trovare problemi di sicurezza che ti permettano di elevare i privilegi e utilizzare exploit automatizzati per raccogliere prove essenziali, trasformando il tuo duro lavoro in report persuasivi.

{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}

{% hint style="success" %}
Impara e pratica Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Impara e pratica Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Supporta HackTricks</summary>

* Controlla i [**piani di abbonamento**](https://github.com/sponsors/carlospolop)!
* **Unisciti al** 💬 [**gruppo Discord**](https://discord.gg/hRep4RUj7f) o al [**gruppo telegram**](https://t.me/peass) o **seguici** su **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Condividi trucchi di hacking inviando PR ai** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos su github.

</details>
{% endhint %}
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:34:23 +00:00			`# 23 - Pentesting Telnet`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:34:23 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:34:23 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:34:23 +00:00			`<summary>Support HackTricks</summary>`
arte 2024-01-02 18:28:27 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:34:23 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GITBOOK-3884: change request with no subject merged in GitBook 2023-04-30 21:54:03 +00:00			`</details>`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:34:23 +00:00			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['network-services-pentesting/512-pentesting-rexec.md', 'netw 2024-08-04 15:18:56 +00:00			`<figure><img src="/.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['README.md', 'generic-methodologies-and-resources/python/byp 2024-11-09 13:53:04 +00:00			`Ottieni la prospettiva di un hacker sulle tue app web, rete e cloud`
Translated ['README.md', 'binary-exploitation/format-strings/README.md', 2024-11-09 13:26:13 +00:00
Translated ['README.md', 'generic-methodologies-and-resources/python/byp 2024-11-09 13:53:04 +00:00			`Trova e segnala vulnerabilità critiche e sfruttabili con un reale impatto sul business. Usa i nostri oltre 20 strumenti personalizzati per mappare la superficie di attacco, trovare problemi di sicurezza che ti permettano di elevare i privilegi e utilizzare exploit automatizzati per raccogliere prove essenziali, trasformando il tuo duro lavoro in report persuasivi.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['README.md', 'network-services-pentesting/512-pentesting-rex 2024-07-29 09:26:42 +00:00			`{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:09:41 +00:00			`## Informazioni di base`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated to Italian 2024-02-10 13:03:23 +00:00			`Telnet è un protocollo di rete che offre agli utenti un modo NON sicuro per accedere a un computer tramite una rete.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated to Italian 2024-02-10 13:03:23 +00:00			`Porta predefinita: 23`
GitBook: [#3160] No subject 2022-05-01 13:25:53 +00:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`23/tcp open telnet`
			```
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:26:31 +00:00			`## Enumerazione`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:34:23 +00:00			`### Acquisizione del Banner`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```bash
			`nc -vn <IP> 23`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:34:23 +00:00			`Tutta l'enumerazione interessante può essere eseguita da nmap:`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```bash
			`nmap -n -sV -Pn --script "telnet and safe" -p 23 <IP>`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:34:23 +00:00			Lo script `telnet-ntlm-info.nse` otterrà informazioni NTLM (versioni di Windows).
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['README.md', 'generic-methodologies-and-resources/python/byp 2024-11-09 13:53:04 +00:00			`Dalla [telnet RFC](https://datatracker.ietf.org/doc/html/rfc854): Nel Protocollo TELNET ci sono varie "opzioni" che saranno sanzionate e possono essere utilizzate con la struttura "DO, DON'T, WILL, WON'T" per consentire a un utente e a un server di concordare l'uso di un insieme più elaborato (o forse semplicemente diverso) di convenzioni per la loro connessione TELNET. Tali opzioni potrebbero includere la modifica del set di caratteri, la modalità di eco, ecc.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['README.md', 'generic-methodologies-and-resources/python/byp 2024-11-09 13:53:04 +00:00			`So che è possibile enumerare queste opzioni, ma non so come, quindi fammi sapere se sai come.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:34:23 +00:00			`### [Brute force](../generic-methodologies-and-resources/brute-force.md#telnet)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:34:23 +00:00			`## Config file`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```bash
			`/etc/inetd.conf`
			`/etc/xinetd.d/telnet`
			`/etc/xinetd.d/stelnet`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:34:23 +00:00			`## HackTricks Comandi Automatici`
GitBook: [#3160] No subject 2022-05-01 13:25:53 +00:00			```
HAC telnet 2021-08-12 13:37:00 +00:00			`Protocol_Name: Telnet #Protocol Abbreviation if there is one.`
			`Port_Number: 23 #Comma separated if there is more than one.`
			`Protocol_Description: Telnet #Protocol Abbreviation Spelled out`

23 Yaml 2021-08-15 17:54:03 +00:00			`Entry_1:`
Translated to Italian 2024-02-10 13:03:23 +00:00			`Name: Notes`
			`Description: Notes for t=Telnet`
			`Note: \|`
			`wireshark to hear creds being passed`
			`tcp.port == 23 and ip.addr != myip`
23 Yaml 2021-08-15 17:54:03 +00:00
Translated to Italian 2024-02-10 13:03:23 +00:00			`https://book.hacktricks.xyz/pentesting/pentesting-telnet`
23 Yaml 2021-08-15 17:54:03 +00:00
			`Entry_2:`
Translated to Italian 2024-02-10 13:03:23 +00:00			`Name: Banner Grab`
			`Description: Grab Telnet Banner`
			`Command: nc -vn {IP} 23`
23 Yaml 2021-08-15 17:54:03 +00:00
			`Entry_3:`
Translated to Italian 2024-02-10 13:03:23 +00:00			`Name: Nmap with scripts`
			`Description: Run nmap scripts for telnet`
			`Command: nmap -n -sV -Pn --script "telnet" -p 23 {IP}`

TireFire Telnet Syntax Update TireFire Telnet Syntax Update 2022-07-01 13:10:24 +00:00			`Entry_4:`
Translated to Italian 2024-02-10 13:03:23 +00:00			`Name: consoleless mfs enumeration`
			`Description: Telnet enumeration without the need to run msfconsole`
			`Note: sourced from https://github.com/carlospolop/legion`
			`Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'`
GitBook: [master] 7 pages and 16 assets modified 2021-08-14 09:02:12 +00:00
Translated to Italian 2024-02-10 13:03:23 +00:00			```
Translated ['network-services-pentesting/512-pentesting-rexec.md', 'netw 2024-08-04 15:18:56 +00:00			`<figure><img src="/.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['README.md', 'generic-methodologies-and-resources/python/byp 2024-11-09 13:53:04 +00:00			`Ottieni la prospettiva di un hacker sulle tue app web, rete e cloud`
Translated ['README.md', 'binary-exploitation/format-strings/README.md', 2024-11-09 13:26:13 +00:00
			`Trova e segnala vulnerabilità critiche ed exploitabili con un impatto reale sul business. Usa i nostri oltre 20 strumenti personalizzati per mappare la superficie di attacco, trovare problemi di sicurezza che ti permettano di elevare i privilegi e utilizzare exploit automatizzati per raccogliere prove essenziali, trasformando il tuo duro lavoro in report persuasivi.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['README.md', 'network-services-pentesting/512-pentesting-rex 2024-07-29 09:26:42 +00:00			`{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:34:23 +00:00			`{% hint style="success" %}`
Translated ['README.md', 'generic-methodologies-and-resources/python/byp 2024-11-09 13:53:04 +00:00			`Impara e pratica Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Impara e pratica Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:34:23 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:34:23 +00:00			`<summary>Supporta HackTricks</summary>`
arte 2024-01-02 18:28:27 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:34:23 +00:00			`* Controlla i [piani di abbonamento](https://github.com/sponsors/carlospolop)!`
			`* Unisciti al 💬 [gruppo Discord](https://discord.gg/hRep4RUj7f) o al [gruppo telegram](https://t.me/peass) o seguici su Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
Translated ['network-services-pentesting/512-pentesting-rexec.md', 'netw 2024-08-04 15:18:56 +00:00			`* Condividi trucchi di hacking inviando PR ai [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos su github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:34:23 +00:00			`{% endhint %}`