Penetration Testing on Telnet (Port 23)

Welcome to Internal penetration testing on telnet server where you will learn about telnet installation, configuration, enumeration and attack, system security and precaution.  

From Wikipedia

Telnet is a protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. This protocol is used to establish a connection to Transmission Control Protocol (TCP) port number 23, where a Telnet server application (telnetd) is listening.

Let’s start!!!

Requirements

Telnet Server: Ubuntu

Attacker system: Kali Linux

Telnet Installation & Configuration in 3 steps

Installing telnet server is very simple, it will get activated by following three steps:

Open the terminal in Ubuntu and type given below command with root access.

Open ineted.conf file adds given below statement inside it, then save it.

Now open xibetd.conf and add the following line to configure the settings and save it.

gedit /etc/xinetd.conf

Now execute the following command to restart the service.

Now you can ensure whether telnet service is getting activated or not and for this we have scanned our own system with nmap.

If service is activated in the targeted server then nmap show open STATE for port 23.

SSH Banner grabbing through telnet

Telnet plays an important role in the banner grabbing of other service running on the target system. Open the terminal in Kali Linux and type following command for finding the version of SSH service running on the target machine.

From the given image, you can observe that it has successfully shown the SSH version “2.0-openSSH_6.6.1p1” has been installed on the target machine.

SMTP Banner grabbing through telnet

Similarly, we can also find out version and valid user of SMTP server using telnet. Execute the following command and find out its version and valid user.

From the given image you can observe that it has successfully shown “220 mail.ignite.lab ESMTP Postfix” has been installed on the target machine.

You can guess for valid user account through the following command and if you receive response code 550 it means unknown user account:

vrfy [email protected]

If you received a message code 250,251,252 which means the server has accepted the request and user account is valid.

But if you received a message code 550 it means invalid user account as shown in given image

Telnet Banner Grabbing through Metasploit

An attacker always performs enumeration for finding important information such as software version which is known as Banner Grabbing and then identifies its state of vulnerability against any exploit.

Open the terminal in your Kali Linux and Load Metasploit framework; now type the following command to scan for TELNET version.

From the given image you can read the installed version of TELNET on the target’s system.

Brute Force Attack

An attacker always tries to make a brute force attack for stealing credential for unauthorized access.

This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

Now type the following command to Brute force TELNET login:

From given image you can observe that our TELNET server is not secure against brute force attack because it is showing a matching combination of username: raj and password: 123 for login simultaneously it has opened victims command shell as session 1.

From the given image you can see now we have unauthorized access on the victim’s system as [email protected] and executed ifconfig to verify the network interface.

We can also convert command shell into the meterpreter shell using the following command

From the given image you can see that now we are having two sessions; 1st for command shell session and 2nd for the meterpreter session.

Stealing credential through sniffing

Telnet, by default, does not encrypt any data sent over the connection (including passwords), and so it is often feasible to eavesdrop on the communications and use the password later for malicious purposes; anybody who has access the network between the two hosts where Telnet is being used can intercept the packets passing between source and destination and obtain login, password and data information.

From the given image, you can observe that here the client is login into telnet server by submitting valid credential on the other hand attacker is sniffing network packet using Wireshark or other tools.

Here you can notice Wireshark had captured telnet information by sniffing the network. It follows a similar protocol as FTP where telnet users may authenticate themselves with a clear-text sign-in protocol for username and password. As result attacker can easily sniff login credential.

From given below image you can read the username: raj and password: 123 moreover complete information traveling through packet between source to destination.

Since Telnet implementations do not support Transport Layer Security (TLS) security and Simple Authentication and Security Layer (SASL) authentication extensions. Therefore in favor of that the Secure Shell (SSH) protocol, first released in 1995 in replace of Telnet.

Secure Telnet through Port forwarding

In order to secure telnet server, admin can forward port from default to specific port to run the service. Open services file using the following command for making changes:

From the given image you can perceive that telnet default uses port 23 for its services; change the port number for telnet service.

From given below image you can compare that we had changed port 23 with 2323, now restart the service.

Verify it using nmap command as given below:

Secure telnet against brute force attack

You can secure telnet server against brute force and from unauthorized access by adding a filter using Iptable. Allow only specific IP address to establish a connection with the telnet server and reject or drop the connection from other IP addresses.

Now type the following command with root permission to add the filter for telnet in iptables.

Above command will allow the traffic from IP address 192.168.0.104 to access the telnet service on port 23.

Above command with drop the service for traffic coming from other IP addresses on port 23.

Restart the service once you add a filter in iptables

Let verify the working of Ipatble by connecting to telnet server from client machine holding IP address 192.168.0.104.

Great!! Connection established successfully.

You can confirm it from given below image.

Let’s verify the working of Ipatble by connecting to the telnet server from attacker machine holding different IP address.

From given below image you can see nothing is happening here because port 23 is down for all other IP addresses

Awesome!! It means if the attacker sniffs the valid credential even then won’t be able to access the telnet server.

 Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Leave a Reply

Your email address will not be published. Required fields are marked *