0) What is Telnet?
Telnet is a simple, text-based protocol that provides bidirectional, interactive communication over TCP; it is defined in RFC 854 and conventionally listens on TCP port 23. Unlike SSH, Telnet has no encryption: everything it carries, including credentials, crosses the network in plaintext, so it is insecure on any untrusted network. Telnet is still found on legacy devices (network gear, embedded systems, test consoles) and therefore appears in many penetration tests.
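To make the "plaintext on the wire" point concrete, here is an added example (not from the original page) that decodes a raw Telnet byte stream according to the RFC 854 framing rules: the IAC byte (0xFF) introduces commands, DO/DONT/WILL/WONT carry one option byte, SB ... IAC SE wraps a subnegotiation, and a literal 0xFF is escaped as IAC IAC. The sample capture is constructed (both directions merged into one stream); the option names are a handful of well-known codes and the function name parse_telnet is my own.

```python
"""Decode a raw Telnet byte stream into option negotiations and plaintext.

Added example, not from the original page. It implements the framing rules
of RFC 854: 0xFF (IAC, "interpret as command") introduces a command;
DO/DONT/WILL/WONT are followed by one option byte; SB <option> ... IAC SE
wraps a subnegotiation; a literal 0xFF in data is escaped as IAC IAC.
Everything else is application data, which Telnet carries unencrypted.
"""

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
COMMAND_NAMES = {DONT: "DONT", DO: "DO", WONT: "WONT", WILL: "WILL"}
# A few option codes from the IANA Telnet option registry.
OPTION_NAMES = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE", 31: "NAWS"}

# Constructed sample: server offers ECHO and SUPPRESS-GO-AHEAD, asks for the
# terminal type, the client answers "XTERM", then a login exchange follows.
SAMPLE_CAPTURE = (
    bytes([IAC, WILL, 1, IAC, WILL, 3, IAC, DO, 24])
    + bytes([IAC, SB, 24, 0]) + b"XTERM" + bytes([IAC, SE])
    + b"login: " + b"admin\r\n"
    + b"Password: " + b"s3cret\r\n"
)


def parse_telnet(stream: bytes):
    """Return (plaintext, negotiations).

    negotiations holds ("WILL", "ECHO")-style tuples for option requests and
    ("SB", option, payload) for subnegotiations. Unknown options are reported
    by their numeric code. Parsing stops at a truncated command.
    """
    text = bytearray()
    negotiations = []
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:                      # ordinary data byte
            text.append(b)
            i += 1
            continue
        if i + 1 >= n:                    # lone IAC at end of stream
            break
        cmd = stream[i + 1]
        if cmd == IAC:                    # escaped literal 0xFF
            text.append(IAC)
            i += 2
        elif cmd in COMMAND_NAMES:        # DO/DONT/WILL/WONT <option>
            if i + 2 >= n:
                break
            opt = stream[i + 2]
            negotiations.append((COMMAND_NAMES[cmd], OPTION_NAMES.get(opt, opt)))
            i += 3
        elif cmd == SB:                   # SB <option> <payload> IAC SE
            if i + 2 >= n:
                break
            opt = stream[i + 2]
            payload = bytearray()
            j = i + 3
            terminated = False
            while j + 1 < n:
                if stream[j] == IAC and stream[j + 1] == SE:
                    terminated = True
                    break
                if stream[j] == IAC and stream[j + 1] == IAC:
                    payload.append(IAC)   # escaped 0xFF inside the payload
                    j += 2
                    continue
                payload.append(stream[j])
                j += 1
            if not terminated:
                break
            negotiations.append(("SB", OPTION_NAMES.get(opt, opt), bytes(payload)))
            i = j + 2
        else:                             # other two-byte commands (NOP, AYT, ...)
            i += 2
    # latin-1 keeps any literal 0xFF bytes instead of replacing them.
    return text.decode("latin-1"), negotiations


if __name__ == "__main__":
    plaintext, negs = parse_telnet(SAMPLE_CAPTURE)
    for item in negs:
        print("negotiation:", item)
    print("data:", repr(plaintext))
```

Running it prints the option negotiation followed by the login exchange exactly as it travelled, which is the whole security problem: anyone positioned on the path sees the same bytes this parser sees.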
1) Recon Phase
- Quick port/service discovery: nmap -sV -p 23 <target>
- Banner grabbing to identify Telnet server and version (nc, nmap scripts)
- Passive recon: search for device types that commonly expose Telnet (routers, switches, IoT)
Start with a focused nmap scan to confirm Telnet is open and capture the banner. Banners often reveal device type, OS, or embedded console prompts that help guide enumeration.
2) Enumeration Phase
- Banner grab: nc <target> 23 # raw connection to view banner/prompt
- nmap scripts: nmap -sV -p 23 --script banner,telnet-encryption <target>
- Attempt common default credentials (authorized testing only) against device types
- Use Hydra for wordlist-based password guessing if permitted:
hydra -L users.txt -P passwords.txt telnet://<target>
- Look for exposed prompts that accept commands (interactive shells, router consoles)
During enumeration, identify whether the service is an interactive shell (router/switch console) or a simple login prompt. Note whether login attempts leak account validity via differing responses.
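The login-guessing step above is noisy, and the same property makes it easy to detect on the device side. As an added example (not from the original page), the following script flags sources that produce a burst of failed Telnet logins and notes whether a success from that source followed. The log lines and their format are constructed for the demo; real telnetd or network-device messages are worded differently, so LINE_RE must be adapted to the vendor's actual text.

```python
"""Detect Telnet login brute-forcing in device syslog.

Added example, not from the original page. The log format is constructed
for the demo (ISO timestamp, device name, then a telnetd message); vendors
word these messages differently, so adapt LINE_RE to your real logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+telnetd: login (?P<result>failed|succeeded)"
    r" for user '(?P<user>[^']*)' from (?P<src>[0-9.]+)$"
)

# Constructed sample: six rapid failures then a success from 192.0.2.10
# (documentation range), and two widely spaced failures from 198.51.100.7.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 edge-router-1 telnetd: login failed for user 'admin' from 192.0.2.10",
    "2024-05-01T10:00:02 edge-router-1 telnetd: login failed for user 'root' from 198.51.100.7",
    "2024-05-01T10:00:05 edge-router-1 telnetd: login failed for user 'root' from 192.0.2.10",
    "2024-05-01T10:00:10 edge-router-1 telnetd: login failed for user 'guest' from 192.0.2.10",
    "2024-05-01T10:00:15 edge-router-1 telnetd: login failed for user 'admin' from 192.0.2.10",
    "2024-05-01T10:00:20 edge-router-1 telnetd: login failed for user 'operator' from 192.0.2.10",
    "2024-05-01T10:00:25 edge-router-1 telnetd: login failed for user 'root' from 192.0.2.10",
    "2024-05-01T10:00:30 edge-router-1 telnetd: login succeeded for user 'admin' from 192.0.2.10",
    "2024-05-01T10:03:00 edge-router-1 telnetd: login failed for user 'root' from 198.51.100.7",
    "2024-05-01T10:03:05 edge-router-1 telnetd: login succeeded for user 'root' from 198.51.100.7",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not a login event."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {src_ip: alert} for sources with at least `threshold` failures
    inside any `window_seconds` span. Each alert records the peak count in a
    window, the usernames tried, the last failure time, and whether a
    successful login from that source followed the burst."""
    recent = defaultdict(deque)   # src -> deque of (ts, user) inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "failed":
            q = recent[src]
            q.append((ev["ts"], ev["user"]))
            # Drop failures that fell out of the sliding window.
            while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"count": 0, "users": set(),
                                            "last_failure": None, "success_after": False})
                a["count"] = max(a["count"], len(q))
                a["users"].update(u for _, u in q)
                a["last_failure"] = ev["ts"]
        elif src in alerts:
            # A success after a guessing burst is the high-priority case.
            alerts[src]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for src, alert in detect_bruteforce(SAMPLE_LOG).items():
        print(src, alert)
```

The success-after-burst flag is the alert worth paging on: a burst of failures alone may be a misconfigured script, but a burst followed by a successful login is the signature of a guessed credential.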
3) Exploitation Phase
- If credentials found: connect with telnet <target> and perform post-auth enumeration
- Capture configuration files, network settings, saved plaintext credentials
- Leverage known device-specific vulnerabilities (firmware exploits, command injection) where applicable
- If device uses Telnet for boot/console, consider recovery mode misconfigurations (only when authorized)
Telnet’s main impact is credential exposure and interactive access to devices. Download configs and search for plaintext secrets (SNMP community strings, admin passwords, keys). Use discovered creds to pivot to SSH or web admin interfaces.
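The same search a tester performs on a downloaded config is the audit a device owner should run before an attacker does. As an added example (not from the original page), the script below scans an IOS-style configuration for VTY lines that still accept Telnet and for secrets stored in recoverable form. The excerpt is constructed; the directive names (line vty / transport input, snmp-server community, username ... password, enable password) follow Cisco IOS syntax, and the function name audit_config and the severity labels are my own. Other vendors use different syntax, so the patterns need adapting.

```python
"""Audit an IOS-style running-config for Telnet exposure and plaintext secrets.

Added example, not from the original page. The config excerpt is constructed;
directive names follow Cisco IOS syntax. Password "types" are the IOS
convention: 0 = plaintext, 7 = reversible encoding, 5 = hashed 'secret'.
"""
import re

USERNAME_RE = re.compile(
    r"^\s*username\s+(?P<user>\S+)\s+password\s+(?:(?P<type>\d)\s+)?(?P<val>\S+)")
SNMP_RE = re.compile(r"^\s*snmp-server community\s+(?P<community>\S+)")
TRANSPORT_RE = re.compile(r"^\s*transport input\s+(?P<proto>.+)$")
ENABLE_PW_RE = re.compile(r"^\s*enable password\b")

SAMPLE_CONFIG = """\
! constructed excerpt, not a real device config
hostname edge-router-1
no service password-encryption
enable password cisco
username admin password 0 admin
username ops password 7 placeholder7
username netops secret 5 $1$placeholder$hash
snmp-server community public RO
line con 0
 login local
line vty 0 4
 login local
 transport input telnet
line vty 5 15
 login local
 transport input ssh
"""


def audit_config(config: str):
    """Return a list of (severity, line_number, message) findings."""
    findings = []
    block = None    # header of the current 'line ...' block, if any
    blocks = {}     # header -> [line_number, saw_transport_input]
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):                  # top-level statement
            block = line if line.startswith("line ") else None
            if block is not None:
                blocks[block] = [no, False]
            elif ENABLE_PW_RE.match(line):
                findings.append(("HIGH", no, "'enable password' is not hashed; use 'enable secret'"))
            elif (m := USERNAME_RE.match(line)):
                ptype = m.group("type") or "0"        # no type given means type 0
                if ptype == "0":
                    findings.append(("HIGH", no, f"user '{m.group('user')}' has a type 0 (plaintext) password"))
                elif ptype == "7":
                    findings.append(("MEDIUM", no, f"user '{m.group('user')}' has a type 7 (reversibly encoded) password"))
            elif (m := SNMP_RE.match(line)):
                findings.append(("HIGH", no, f"SNMP community '{m.group('community')}' stored in config"))
            continue
        # Indented line: only 'transport input' inside a 'line ...' block matters here.
        m = TRANSPORT_RE.match(line)
        if block is not None and m:
            blocks[block][1] = True
            protos = m.group("proto").split()
            if "telnet" in protos or "all" in protos:
                findings.append(("HIGH", no, f"'{block}' accepts Telnet ({' '.join(protos)})"))
    for header, (no, restricted) in blocks.items():
        if header.startswith("line vty") and not restricted:
            findings.append(("MEDIUM", no, f"'{header}' has no 'transport input' restriction; verify the platform default"))
    return findings


if __name__ == "__main__":
    for severity, no, msg in audit_config(SAMPLE_CONFIG):
        print(f"{severity:6} line {no:3}: {msg}")
```

On the sample it reports the plaintext enable password, the type 0 and type 7 user passwords, the SNMP community, and the VTY block that still accepts Telnet, while the hashed `secret 5` user and the SSH-only VTY block pass. Each finding maps directly to a hardening step: `transport input ssh`, `enable secret`, `username ... secret`, and rotating any community string that appeared in a config that left the device.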
Telnet Info — What to Look For
- Plaintext credentials transmitted over the network
- Default or well-known device credentials
- Interactive device consoles (routers, switches, embedded systems)
- Recovery/boot consoles that bypass normal authentication
- Old firmware or known CVEs for specific device models
Tools required
sudo apt install nmap netcat hydra telnet
# Optional:
# - Metasploit (for device exploits)
# - searchsploit / exploit-db for device-specific vulnerabilities
Quick copy-paste command cheatsheet
# discovery
nmap -sV -p 23 --script banner,telnet-encryption <target>
# raw banner grab
nc <target> 23
# list common default creds (manual testing)
telnet <target> # then try admin/admin, root/root, etc.
# brute-force (authorized)
hydra -L users.txt -P passwords.txt telnet://<target>
Citations
- RFC 854 — TELNET Protocol Specification
- Nmap NSE scripts & documentation
- HackTricks — Telnet pentesting
Disclaimer: Use these techniques only on systems you own or are explicitly authorized to test. Unauthorized access is illegal and unethical.