Penetration Testing on Telnet (Port 23)

Welcome to Internal penetration testing on telnet server where you will learn about telnet installation, configuration, enumeration and attack, system security and precaution.  

From Wikipedia

Telnet is a protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. This protocol is used to establish a connection to Transmission Control Protocol (TCP) port number 23, where a Telnet server application (telnetd) is listening.

Let’s start!!!


Telnet Server: Ubuntu

Attacker system: Kali Linux

Telnet Installation & Configuration in 3 steps

Installing telnet server is very simple, it will get activated by following three steps:

Open the terminal in ubuntu and type given below command with root access.

Open ineted.conf file add given below statement inside it, then save it.

gedit /etc/inetd.conf

Now open xibetd.conf and add following line to configure the settings and save it.

gedit /etc/xinetd.conf

Now execute following command to restart the service.

Now you can ensure whether telnet service is getting activated or not and for this we have scan our own system with nmap.

If service is activated in targeted server then nmap show open STATE for port 23.

SSH Banner grabbing through telnet

A telnet play an important role in banner grabbing of other service running on target system. Open the terminal in kali Linux and type following command for finding the version of SSH service running on target machine.

From given image you can observe that it has successfully shown the SSH version “2.0-openSSH_6.6.1p1”has been installed on target machine.

SMTP Banner grabbing through telnet

Similarly we can also find out version and valid user of SMTP server using telnet. Execute following command and find out its version and valid user.

From given image you can observe that it has successfully shown “220 mail.ignite.lab ESMTP Postfix” has been installed on target machine.

You can guess for valid user account through following command and if you receive response code 550 it means unknown user account:

vrfy [email protected]

If you received message code 250,251,252 which means server has accept the request and user account is valid.

But if you received message code 550 it means invalid user account as shown in given image

Telnet Banner Grabbing through Metasploit

An attacker always perform enumeration for finding important information such as software version which is known as Banner Grabbing and then identify its state of vulnerability against any exploit.

Open the terminal in your kali Linux and Load metasploit framework; now type following command to scan for TELNET version.

From given image you can read the installed version of TELNET on target’s system.

Brute Force Attack

An attacker always tries to make brute force attack for stealing credential for unauthorized access.

This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

Now type following command to Brute force TELNET login:

From given image you can observe that our TELNET server is not secure against brute force attack because it is showing matching combination of username: raj and password: 123 for login simultaneously it has opened victims command shell as session 1.

From given image you can see now we have unauthorized access on victim’s system as [email protected] and executed ifconfig to verify the network interface.

We can also convert command shell into meterpreter shell using following command

From given image you can see that now we are having two sessions; 1st for command shell session and 2nd for meterpreter session.

Stealing credential through sniffing

Telnet, by default, does not encrypt any data sent over the connection (including passwords), and so it is often feasible to eavesdrop on the communications and use the password later for malicious purposes; anybody who has access the network between the two hosts where Telnet is being used can intercept the packets passing between source and destination and obtain login, password and data information.

From given image you can observe that here the client is login into telnet server by submitting valid credential on other hand attacker is sniffing network packet using wireshark or other tools.

Here you can notice wireshark had captured telnet information by sniffing the network. It follow similar protocol as FTP where telnet users may authenticate themselves with a clear-text sign-in protocol for username and password. As result attacker can easily sniff login credential.

From given below image you can read the username: raj and password: 123 moreover complete information traveling through packet between source to destination.

Since Telnet implementations do not support Transport Layer Security (TLS) security and Simple Authentication and Security Layer (SASL) authentication extensions. Therefore in favor of that the Secure Shell (SSH) protocol, first released in 1995 in replace of Telnet.

Secure Telnet through Port forwarding

In order to secure telnet server admin can forward port from default to specific port to run the service. Open services file using following command for making changes:

gedit /etc/services

From given image you can perceive that telnet default uses port 23 for its services; change the port number for telnet service.

From given below image you can compare that we had changed port 23 with 2323, now restart the service.

service xinetd restart

Verify it using nmap command as given below:

Secure telnet against brute force attack

You can secure telnet server against brute force and from unauthorized access by adding filter using Iptable. Allow only specific IP address to establish connection with telnet server and reject or drop the connection from other IP addresses.

Now type following command with root permission to add filter for telnet in iptables.

Above command will allow the traffic from IP address to access the telnet service on port 23.

Above command with drop the service for traffic coming from other IP addresses on port 23.

Restart the service once you add filter in iptables

sudo /etc/init.d/xinetd restart

Let verify the working of Ipatble by connecting to telnet server from client machine holding IP address

Great!! Connection established successfully.

You can confirm it from given below image.

Lets verify the working of Ipatble by connecting to telnet server from attacker machine holding different IP address.

From given below image you can see nothing is happening here because port 23 is down for all other IP addresses

Awesome!! It means if attacker sniff the valid credential even then wont be able to access the telnet server.

 Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Leave a Reply

Your email address will not be published. Required fields are marked *