Notes


Alternative Ports
23 TCP (default)
2323, 2223

Service Description
Telnet is a legacy protocol that provides plaintext remote access over TCP port 23. It offers shell access without encryption, making it highly insecure by modern standards. It is still found on legacy systems, embedded devices, industrial control systems, and misconfigured appliances.

Telnet transmits everything in cleartext — including usernames, passwords, and commands.


Attacks


Cleartext Credential Sniffing
Credentials and sessions can be captured easily with MITM or passive sniffing.

Default or Weak Credentials
Common on embedded or forgotten infrastructure (e.g., admin:admin, root:toor).

Unauthenticated Banners / Leaks
Many devices expose the OS, firmware version, and model number in the pre-login banner.

Command Injection / Misconfigured Shells
Limited command environments may still allow for escaping to a full shell or running dangerous commands.


Tools & Exploits


Enumeration


nmap
Scan with version detection and banner grabbing.

nmap -sV -p23 --script telnet-ntlm-info,telnet-encryption <target>

telnet / netcat
Basic interaction and manual login testing.

telnet <target>
nc <target> 23

hydra / medusa / ncrack
Brute-force login (only when permitted).

hydra -l root -P rockyou.txt telnet://<target>

msfconsole (non-interactive)
Run useful Telnet scanner modules from the command line without an interactive console:

msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS <target>; set RPORT 23; run; exit'

msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS <target>; set RPORT 23; run; exit'

msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS <target>; set RPORT 23; run; exit'

msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS <target>; set RPORT 23; run; exit'

Exploitation or Post-Enum


Credential Reuse / Lateral Movement
Telnet access may expose credentials used elsewhere (e.g., SSH, SMB).

Manual Shell Interaction
Once in, enumerate the box manually:

whoami
uname -a
cat /etc/passwd
ls -la /home

Escape Restricted Shells

/bin/sh
python -c 'import pty; pty.spawn("/bin/bash")'

Sniffing Telnet with Wireshark or tcpdump

tcpdump -i eth0 port 23 -A

Credential Harvesting (passive)

  • Capture login prompts and responses during live Telnet sessions.
tcpdump -i eth0 port 23 -A

Look for "login:", "Password:", or raw keystrokes in the ASCII output. Telnet clients in character-at-a-time mode send each keystroke in its own segment, and the server does not echo the password, so a password typically appears spread across several client-to-server packets rather than as one string.

Session Replay

  • Capture session for review or scripted interaction.
tcpdump -i eth0 -w telnet_session.pcap port 23
  • Replay with tcpreplay, or script interactions with telnetlib in Python (telnetlib is deprecated since Python 3.11 and removed in 3.13, so a third-party Telnet library is needed on newer interpreters).

Wireshark Analysis Tips


Filters

tcp.port == 23
telnet

What to look for:

  • Username / login: and Password: prompt responses
  • Command history
  • Hostnames, usernames, or device models
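The credential-harvesting and Wireshark sections above both come down to the same review task: strip the Telnet option negotiation (the bytes tcpdump -A shows as garbage) and find where a password prompt was answered in cleartext. The following Python block is an added example, not part of these notes: it implements the RFC 854 IAC framing (escaped 0xFF, DO/DONT/WILL/WONT, SB ... SE subnegotiation) and audits an ordered list of client/server chunks as they would be reassembled from a pcap. From a defender's point of view the finding only needs to record that a password was exposed and for which user, so the password itself is never stored. The session bytes, the device name and the prompt strings are constructed for the example.

```python
"""Telnet session audit (added example, not part of the original notes).

Parses the RFC 854 framing of a captured Telnet session, strips the IAC
option negotiation, and reports whether a password prompt was answered in
cleartext. The password is not stored; an audit or IDS rule only needs to
know that it was exposed. All session bytes below are constructed.
"""

# RFC 854 command bytes
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

# Prompt suffixes to recognise (constructed list; extend for your devices)
LOGIN_PROMPTS = ("login:", "username:", "user:")
PASSWORD_PROMPTS = ("password:", "passwd:")


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Return the application bytes of one Telnet chunk with every IAC
    command, option negotiation and subnegotiation block removed.
    An escaped IAC (0xFF 0xFF) becomes a single literal 0xFF byte."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= n:          # IAC at the very end: truncated command
            break
        cmd = data[i + 1]
        if cmd == IAC:          # escaped data byte
            out.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            i += 3              # IAC <cmd> <option>
        elif cmd == SB:         # subnegotiation runs until IAC SE
            i += 2
            while i < n:
                if data[i] == IAC and i + 1 < n and data[i + 1] == SE:
                    i += 2
                    break
                # an escaped IAC inside the block is two bytes of payload
                i += 2 if data[i] == IAC else 1
        else:
            i += 2              # NOP, AYT, GA and other two-byte commands
    return bytes(out)


def audit_session(chunks):
    """chunks: ordered list of (direction, raw_bytes), direction 'S' for
    server->client or 'C' for client->server, in wire order.
    Returns one finding per password prompt the client answered."""
    findings = []
    username = None
    pending = None          # 'user' or 'pass' while a prompt awaits input
    answer = bytearray()
    for direction, raw in chunks:
        text = strip_telnet_negotiation(raw)
        if direction == "S":
            # Only the last, unterminated line can be a prompt awaiting input
            tail = text.decode("latin-1").rsplit("\n", 1)[-1].strip().lower()
            if tail.endswith(LOGIN_PROMPTS):
                pending, answer = "user", bytearray()
            elif tail.endswith(PASSWORD_PROMPTS):
                pending, answer = "pass", bytearray()
            continue
        if pending is None:
            continue
        for byte in text:                       # keystrokes may arrive one per chunk
            if byte in (0x0D, 0x0A):            # Enter: CR, LF or CR NUL
                if pending == "user":
                    username = answer.decode("latin-1")
                else:
                    findings.append({"username": username,
                                     "password_length": len(answer),
                                     "cleartext": True})
                pending, answer = None, bytearray()
                break
            if byte != 0x00:                    # NUL after CR is padding
                answer.append(byte)
    return findings


# Constructed session in wire order (not a real capture): option negotiation,
# a terminal-type subnegotiation, a banner, then a login with the password
# typed one character per segment.
SAMPLE_SESSION = [
    ("S", bytes([IAC, DO, 24, IAC, WILL, 1, IAC, WILL, 3])
          + b"\r\nrouter-01 firmware 2.4\r\nrouter-01 login: "),
    ("C", bytes([IAC, WILL, 24, IAC, DO, 1, IAC, DO, 3])),
    ("C", bytes([IAC, SB, 24, 0]) + b"VT100" + bytes([IAC, SE])),
    ("C", b"admin\r\n"),
    ("S", b"admin\r\nPassword: "),
    ("C", b"p"), ("C", b"a"), ("C", b"s"), ("C", b"s"), ("C", b"\r\x00"),
    ("S", b"\r\nWelcome to router-01\r\n$ "),
]

if __name__ == "__main__":
    for f in audit_session(SAMPLE_SESSION):
        print(f"cleartext password for user {f['username']!r} "
              f"({f['password_length']} bytes) observed")
```

To run it over a real capture, feed audit_session the client and server payloads in the order they appear on the wire (for example exported from Wireshark's "Follow TCP Stream" with direction markers); the parser is the same one a Telnet client uses, so echo, terminal-type and window-size negotiation from real devices are skipped cleanly rather than polluting the text.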

References