nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>
脚本`telnet-ntlm-info.nse`将获取NTLM信息(Windows版本)。
从[telnet RFC](https://datatracker.ietf.org/doc/html/rfc854)中:在TELNET协议中有各种“**选项**”,这些选项将被批准,并可以与“**DO, DON'T, WILL, WON'T**”结构一起使用,以允许用户和服务器同意使用更复杂(或者可能只是不同)的TELNET连接约定集。这些选项可能包括更改字符集、回显模式等。
**我知道可以枚举这些选项,但我不知道如何操作,所以如果您知道,请告诉我。**
### [暴力破解](../generic-methodologies-and-resources/brute-force.md#telnet)
## 配置文件
/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet
Protocol_Name: Telnet #Protocol Abbreviation if there is one.
Port_Number: 23 #Comma separated if there is more than one.
Protocol_Description: Telnet #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for t=Telnet
Note: |
wireshark to hear creds being passed
tcp.port == 23 and ip.addr != myip
https://book.hacktricks.xyz/pentesting/pentesting-telnet
Entry_2:
Name: Banner Grab
Description: Grab Telnet Banner
Command: nc -vn {IP} 23
Entry_3:
Name: Nmap with scripts
Description: Run nmap scripts for telnet
Command: nmap -n -sV -Pn --script "*telnet*" -p 23 {IP}
Entry_4:
Name: consoleless mfs enumeration
Description: Telnet enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'
