Telnet
Cleartext remote shell on 23. The banner leaks the device, credentials cross the wire in plaintext, and weak/default logins are common on appliances and IoT.
Ports
| Port | Proto | Notes |
|---|---|---|
| 23 | tcp | Telnet |
Fingerprint
- Banner on connect names the device/OS
- nmap telnet scripts identify the service
Default / weak creds
- Default/weak appliance creds (admin/admin, root/root)
Exploitation primitives
- Grab the banner for device fingerprinting
- Brute force weak logins
- Sniff plaintext credentials if you are on-path
Overview
Telnet on 23 is plaintext, so it is both a login target and a sniffing opportunity. On appliances and IoT it frequently ships with default credentials.
Enumeration
Grab the banner:
nc <TARGET> 23
Run nmap scripts:
nmap -p23 --script telnet-ntlm-info,telnet-encryption <TARGET>
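The bytes a banner grab returns mix Telnet option negotiation (IAC sequences) with the text banner, which is why raw `nc` output often starts with unreadable characters. The following is an added example, not part of the original page: a parser that separates the two and reports whether the server offered the ENCRYPT option (option 38). The sample capture and the name `ExampleOS` are constructed.

```python
# Added example: split a captured Telnet banner into option negotiation and text.
IAC, SE, SB = 255, 240, 250
VERBS = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}
OPTIONS = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE",
           31: "NAWS", 37: "AUTHENTICATION", 38: "ENCRYPT"}


def parse_banner(raw: bytes):
    """Return (negotiation, text) from bytes read off a Telnet connection."""
    negotiation, text = [], bytearray()
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= n:                 # capture ends on a lone IAC: stop
            break
        cmd = raw[i + 1]
        if cmd == IAC:                 # IAC IAC is an escaped literal 0xFF
            text.append(IAC)
            i += 2
        elif cmd in VERBS:
            if i + 2 >= n:             # truncated WILL/WONT/DO/DONT
                break
            opt = raw[i + 2]
            negotiation.append((VERBS[cmd], OPTIONS.get(opt, str(opt))))
            i += 3
        elif cmd == SB:                # subnegotiation runs until IAC SE
            j = i + 2
            while j + 1 < n and not (raw[j] == IAC and raw[j + 1] == SE):
                j += 2 if raw[j] == IAC else 1   # skip escaped IAC IAC pairs
            if j + 1 >= n:             # truncated subnegotiation
                break
            i = j + 2
        else:                          # other two-byte commands (NOP, GA, ...)
            i += 2
    return negotiation, text.decode("latin-1").strip()


def offers_encryption(negotiation) -> bool:
    """True if the server said WILL or DO ENCRYPT (option 38)."""
    return any(v in ("WILL", "DO") and o == "ENCRYPT" for v, o in negotiation)


# Constructed capture: DO TERMINAL-TYPE, WILL ECHO, WILL SGA, then a text banner.
SAMPLE = bytes([255, 253, 24, 255, 251, 1, 255, 251, 3]) + b"\r\nExampleOS login: "
print(parse_banner(SAMPLE), "encrypt offered:", offers_encryption(parse_banner(SAMPLE)[0]))
```

A server that never offers ENCRYPT, as in the sample, carries the login in plaintext, so it belongs on the list of hosts to move to SSH.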
Exploitation
Brute force a login:
hydra -L users.txt -P rockyou.txt telnet://<TARGET>
Hardening
Disable Telnet in favour of SSH; if unavoidable, restrict by source IP and change default credentials.