Principles and prevention of telnet attacks

In remote services, we can get a lot of convenience benefits. But security has always been a big problem. In particular, Telnet attacks are often used to control hosts. Now let's analyze the specific content of the Telnet attack.

1. What is Telnet?

Different people have different ideas about Telnet. Telnet can be considered as a communication protocol, but for intruders, Telnet is just a remote login tool. Once an attacker establishes a Telnet connection with a remote host, the attacker can use the software and hardware resources on the target host. The attacker's local host is only equivalent to a terminal with only a keyboard and a display.

2. What is Telnet used by intruders?

1) Telnet attacks are the first method to control hosts.

As described in the previous sections, if intruders want to execute commands on a remote host, they need to establish an IPC $ connection and then use the net time command to view the system time, finally, you can use the at command to create a scheduled task to remotely execute the command. Although this method can remotely execute commands, Telnet is much more convenient for intruders. Once an attacker establishes a Telnet connection with a remote host, the attacker can control the remote computer just like a local computer. It can be seen that Telnet is a remote control method used by intruders. When they do everything they can to obtain the administrator privilege of the remote host, they usually use Telnet to log on.

2) used as a stepping stone

Intruders call bots used for stealth a stepping stone. They often use this method to log on from a zombie to another zombie ", in this way, the IP address is not exposed during the intrusion process. This process will be detailed in chapter 5th.

3. About NTLM Verification

Due to the powerful Telnet function and frequent attacks, we often encounter Telnet attacks by hackers. Therefore, Microsoft adds authentication for Telnet, called NTLM authentication. It requires that the Telnet terminal not only have the username and password of the Telnet service host, but also meet the NTLM authentication relationship. NTLM verification greatly enhances the security of the Telnet host, just like blocking a lot of intruders.

4. Use Telnet to log on to the logon command: telnet HOST [PORT]

Disconnecting Telnet is one of the effective measures to prevent Telnet attacks.

Command for disconnecting Telnet: exit

To successfully establish a Telnet connection, in addition to understanding the account and password on the remote computer, the remote computer must have enabled the "Telnet Service" and removed NTLM verification. You can also use dedicated Telnet tools, such as STERM and CTERM.