Telnet

Port:TCP 23
Service: Linux Telnet

Vulnerability: Telnet is a program used to establish a connection between two computers. It is inherently insecure, because it transmits data in clear text, leaving open several security holes.

Mitigation: Disable the use of telnet, and use SSH.

Proof of Concept
From our earlier Nmap scan, we found that TCP port 23 (telnet) was open. We could just connect using the account we gathered from the VSFTP exercise, but I want to show you one of the flaws with telnet, and how an attacker can take advantage.

In this scenario, we’re going to look at the Metasploitable VM as a machine we’ve found on the network, and discovered that the telnet port was in a listening state. We don’t have an account to log in with, so we’re going to see if we can get that information by sniffing traffic on the network. Our hope is, we’ll catch a user, preferably an administrator, logging in via telnet, exposing their account credentials.

1. First thing we’ll do is open Wireshark on our Kali machine, and have it start sniffing network traffic. Select your network interface, then click on the “Start” button to begin capturing packets.

telnet-wiresharksetup

2. On the Kali box, open a terminal, and telnet to the Metasploitable VM. Login with the ‘msfadmin:msfadmin’ credentials.

telnet-connectkali

3. Go back to Wireshark, and stop the packet capture. You should now see that it has captured packets traveling across the wire, including those for telnet.

telnet-wireshark-pcap

4. Click on the “Protocol” column to sort them by name. This will group all the telnet packets together.

telnet-wireshark-sorttelnet

5. Now, right click one of the telnet lines, and select “Follow TCP Stream”.

telnet-wireshark-followtcpstream

6. What do you see?? The password in plain text!

telnet-wireshark-passwordreveal

This is why it isn’t a good idea to use telnet on your network. If an attacker has compromised a machine, they could be running a sniffer, and would be able to grab passwords off the wire. Always use SSH as much as possible.

Leave a Reply

Your email address will not be published. Required fields are marked *