Telnet is an application protocol which allows you, with the use of a telnet client, to connect to and execute commands on a remote machine that's hosting a telnet server.The telnet client will establish a connection with the server. The client will then become a virtual terminal- allowing you to interact with the remote host.Telnet sends all messages in clear text and has no specific security mechanisms. Thus, in many applications and services, Telnet has been replaced by SSH in most implementations.User connects to the server by using the Telnet protocol, which means entering "telnet" into a command prompt. The user then executes commands on the server by using specific Telnet commands in the Telnet prompt. You can connect to a telnet server with the following syntax: "telnet [ip] [port]"
Vulnerabilities that could be potentially trivial to exploit don't always jump out at us. For that reason, especially when it comes to enumerating network services, we need to be thorough in our method . We usually do, a port scan, to find out as much information as we can about the services, applications, structure and operating system of the target machine. Scan the machine with nmap and the tag -A and -p-. Tag -A : Enables OS Detection, Version Detection, Script Scanning and Traceroute all in one
-p- : Enables scanning across all ports, not just the top 1000
Telnet, being a protocol, is in and of itself insecure for the reasons we talked about earlier. It lacks encryption, so sends all communication over plaintext, and for the most part has poor access control. There are CVE's for Telnet client and server systems, however, so when exploiting you can check for those on:https://www.cvedetails.com/https://cve.mitre.org/A CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they usually mean the CVE ID number assigned to a security flaw.However, you're far more likely to find a misconfiguration in how telnet has been configured or is operating that will allow you to exploit it.Method BreakdownSo, from our enumeration stage, we know:
- There is a poorly hidden telnet service running on this machine
- We have possible username of "Skidy" implicated
Using this information, let's try accessing this telnet port, and using that as a foothold to get a full reverse shell on the machine!Connecting to TelnetYou can connect to a telnet server with the following syntax:
"telnet [ip] [port]"
We're going to need to keep this in mind as we try and exploit this machine.
What is a Reverse Shell?
A "shell" can simply be described as a piece of code or program which can be used to gain code or command execution on a device.
A reverse shell is a type of shell in which the target machine communicates back to the attacking machine.