Files
blog/src/content/notes/network/telnet.md
T
2026-06-03 23:39:40 +02:00

1.1 KiB

title, description, tags, publishDate
title description tags publishDate
Telnet Enumeration, exploitation and post-exploitation techniques for Telnet servers.
telnet
network
service
2026-05-04

Telnet runs on port 23 and transmits all data (including credentials) in cleartext. Common on embedded devices, legacy systems, routers, and IoT equipment.

Enumeration

Banner grabbing

nc -nv $IP 23
telnet $IP

The banner often reveals the OS, hostname, or device type.

Nmap

nmap -sV -p 23 $IP
nmap -p 23 --script telnet-* $IP

Key scripts:

  • telnet-ntlm-info: extracts NTLM info (Windows targets)
  • telnet-brute: brute-force credentials

Connect

telnet $IP
telnet $IP 23

Login with user / password. Session is fully interactive once authenticated.

Brute Force

hydra -l $user -P ~/wordlists/rockyou.txt telnet://$IP
medusa -h $IP -u $user -P ~/wordlists/rockyou.txt -M telnet

Try default credentials first. Routers and embedded devices commonly ship with admin:admin, root:root, or blank passwords.