Telnet
Enumeration, exploitation and post-exploitation techniques for Telnet servers.
Overview
Telnet runs on port 23 and transmits all data (including credentials) in cleartext. Common on embedded devices, legacy systems, routers, and IoT equipment.
Enumeration
Banner grabbing
nc -nv $IP 23
telnet $IP
The banner often reveals the OS, hostname, or device type.
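A raw capture from nc mixes Telnet option negotiation (IAC sequences) with the readable banner. The following added example, which is not part of the original page, separates the two in an already captured byte string so the disclosed text can be recorded in an exposure inventory; the sample capture and the option-name subset are constructed for illustration.

```python
# Added example: split captured Telnet bytes into option negotiation and banner text.
IAC, SB, SE = 255, 250, 240
VERBS = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}
# Subset of assigned option codes, enough for the constructed sample below.
OPTIONS = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE",
           31: "NAWS", 32: "TERMINAL-SPEED", 34: "LINEMODE"}

# Constructed capture: four negotiation triplets, then a made-up banner and prompt.
SAMPLE = (b"\xff\xfd\x18\xff\xfd\x20\xff\xfb\x01\xff\xfb\x03"
          b"\r\nExampleOS 1.0 (constructed-host)\r\nlogin: ")

def opt_name(code: int) -> str:
    return OPTIONS.get(code, f"opt-{code}")

def parse_telnet(raw: bytes):
    """Return (negotiation, text) for bytes received on a Telnet connection."""
    negotiation, text = [], bytearray()
    i, n = 0, len(raw)
    while i < n:
        if raw[i] != IAC:                 # ordinary data byte
            text.append(raw[i])
            i += 1
            continue
        if i + 1 >= n:                    # capture ends on a lone IAC
            break
        cmd = raw[i + 1]
        if cmd == IAC:                    # IAC IAC is an escaped literal 0xFF
            text.append(IAC)
            i += 2
        elif cmd in VERBS:                # IAC <verb> <option>
            if i + 2 >= n:                # verb cut off before its option byte
                break
            negotiation.append((VERBS[cmd], opt_name(raw[i + 2])))
            i += 3
        elif cmd == SB:                   # IAC SB <option> ... IAC SE
            if i + 2 >= n:
                break
            j = i + 3
            while j + 1 < n and not (raw[j] == IAC and raw[j + 1] == SE):
                j += 2 if raw[j] == IAC else 1   # step over escaped IAC IAC
            if j + 1 >= n:                # unterminated subnegotiation
                break
            negotiation.append(("SB", opt_name(raw[i + 2])))
            i = j + 2
        else:                             # other two-byte commands (NOP, GA, ...)
            i += 2
    return negotiation, text.decode("ascii", errors="replace")

if __name__ == "__main__":
    print(parse_telnet(SAMPLE))
```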
Nmap
nmap -sV -p 23 $IP
nmap -p 23 --script "telnet-*" $IP
Key scripts:
telnet-ntlm-info: extracts NTLM info (Windows targets)
telnet-brute: brute-force credentials
Connect
telnet $IP
telnet $IP 23
Log in with user / password. The session is fully interactive once authenticated.
Brute Force
hydra -l $user -P ~/wordlists/rockyou.txt telnet://$IP
medusa -h $IP -u $user -P ~/wordlists/rockyou.txt -M telnet
Try default credentials first. Routers and embedded devices commonly ship with admin:admin, root:root, or blank passwords.