Using the telnet command in detail

Source: Internet
Author: User
Tags: net time

1. What is Telnet?
Different people understand Telnet differently. It can be treated as a communication protocol, but to an intruder Telnet is simply a remote login tool. Once an intruder has established a Telnet connection to a remote host, the intruder can use the hardware and software resources of that host; the intruder's own machine is then little more than a keyboard and a display terminal.
2. What intruders use Telnet for
(1) Telnet is the primary means of controlling a host
Without Telnet, an intruder who wants to execute a command on a remote host must first establish an ipc$ connection, then use the net time command to read the remote system time, and finally use the at command to create a scheduled task that runs the command. This works, but Telnet is far more convenient for the intruder: once a Telnet connection to the remote host is established, the intruder can control the remote computer as if it were a local one. Telnet is therefore used as a remote-control channel, and when intruders obtain administrator credentials for a remote host they usually log in over Telnet.
(2) Using a host as a springboard
Intruders call a compromised host (a "broiler" in their slang) that is used as an intermediate hop a "springboard": they log in to one broiler from another so that their own IP address is not exposed during the intrusion.
3. About NTLM authentication
Because Telnet is so powerful and is one of the login methods intruders use most often, Microsoft added NTLM authentication to its Telnet server. With NTLM authentication enabled it is not enough for the Telnet client to know a user name and password on the Telnet host; the client must also pass NTLM authentication, which is performed with the credentials of the Windows account the client program is running as rather than with a password typed at a prompt. NTLM authentication considerably improves the security of a Telnet host and is a stumbling block that has shut out many intruders.
4. telnet syntax
telnet [-a] [-e escape char] [-f log file] [-l user] [-t term] [host [port]]
-a Attempt automatic logon. Same as the -l option, but uses the currently logged-on user name.
-e Escape character used to enter the telnet client prompt.
-f File name for client-side logging.
-l Specifies the user name to log on with on the remote system.
   Requires the remote system to support the TELNET ENVIRON option.
-t Specifies the terminal type.
   The supported terminal types are vt100, vt52, ansi and vtnt.
host Specifies the host name or IP address of the remote computer to connect to.
port Specifies the port number or service name.
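The -l and -t switches are carried by Telnet option negotiation, which is worth seeing on the wire because everything it sends, including the user name, travels as cleartext. The following is an added example and not code from the original article: a minimal client-side negotiation responder in Python that answers a server's TERMINAL-TYPE (RFC 1091) and NEW-ENVIRON (RFC 1572, the successor of the ENVIRON option referred to above) requests. The server bytes it is run against are constructed for the example, and the option codes and subnegotiation layout are those of the RFCs, not of any particular Windows client.

```python
# Added example (not from the original article): a minimal client-side Telnet
# option-negotiation responder following RFC 854 (commands), RFC 1091
# (TERMINAL-TYPE) and RFC 1572 (NEW-ENVIRON). It shows what the telnet
# client's -t and -l switches put on the wire. The server bytes below are
# constructed for this example.
from typing import Tuple

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
TERMINAL_TYPE, NEW_ENVIRON = 24, 39          # option codes
TT_IS, TT_SEND = 0, 1                        # TERMINAL-TYPE subnegotiation codes
ENV_IS, ENV_SEND = 0, 1                      # NEW-ENVIRON subnegotiation codes
ENV_VAR, ENV_VALUE = 0, 1                    # NEW-ENVIRON entry markers

SUPPORTED = {TERMINAL_TYPE, NEW_ENVIRON}     # options this client agrees to enable


def negotiate(data: bytes, term: str = "VT100", user: str = "") -> Tuple[bytes, bytes]:
    """Consume one chunk of server bytes.

    Returns (reply, app_data): `reply` is what the client sends back for the
    negotiation commands found in `data`; `app_data` is the non-protocol text
    (prompts such as "login: ") with IAC sequences stripped.
    `term` answers TERMINAL-TYPE (the -t switch); a non-empty `user` is sent as
    the USER variable in NEW-ENVIRON (the -l switch). Both go out in cleartext.
    Assumes every IAC sequence is complete within `data`.
    """
    reply = bytearray()
    app = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            app.append(data[i])
            i += 1
            continue
        cmd = data[i + 1]
        if cmd == IAC:                       # escaped 0xFF data byte
            app.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):  # three-byte option commands
            opt = data[i + 2]
            if cmd == DO:                    # server asks us to enable opt
                reply += bytes([IAC, WILL if opt in SUPPORTED else WONT, opt])
            elif cmd == WILL:                # server offers an option: this minimal
                reply += bytes([IAC, DONT, opt])  # client declines (a real one accepts ECHO/SGA)
            i += 3                           # DONT / WONT need no answer
        elif cmd == SB:                      # subnegotiation ... IAC SE
            end = data.index(bytes([IAC, SE]), i)
            body = data[i + 2:end]
            if body[:2] == bytes([TERMINAL_TYPE, TT_SEND]):
                reply += bytes([IAC, SB, TERMINAL_TYPE, TT_IS]) + term.encode("ascii")
                reply += bytes([IAC, SE])
            elif body[:2] == bytes([NEW_ENVIRON, ENV_SEND]):
                reply += bytes([IAC, SB, NEW_ENVIRON, ENV_IS])
                if user:                     # VAR "USER" VALUE <name>, plain ASCII
                    reply += bytes([ENV_VAR]) + b"USER" + bytes([ENV_VALUE]) + user.encode("ascii")
                reply += bytes([IAC, SE])
            i = end + 2
        else:                                # two-byte commands (NOP, GA, ...)
            i += 2
    return bytes(reply), bytes(app)


# Constructed server opening chunk: it asks for the terminal type and the
# environment, offers to ECHO (option 1), then prints a login prompt.
SERVER_GREETING = (
    bytes([IAC, DO, TERMINAL_TYPE, IAC, DO, NEW_ENVIRON, IAC, WILL, 1])
    + bytes([IAC, SB, TERMINAL_TYPE, TT_SEND, IAC, SE])
    + bytes([IAC, SB, NEW_ENVIRON, ENV_SEND, IAC, SE])
    + b"login: "
)

if __name__ == "__main__":
    reply, text = negotiate(SERVER_GREETING, "VT100", "administrator")
    print("client reply:", reply.hex(" "))
    print("server text :", text.decode("ascii"))
```

Run stand-alone, the script prints the client's reply in hex: the NEW-ENVIRON answer contains the bytes "USER" followed by the user name as plain ASCII, and anything typed at the "login:" and password prompts that follow is sent the same way. That is the exposure NTLM authentication removes, and the reason the methods described later go to some lengths to switch it off.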
5. Logging in with Telnet
Login command: telnet host [port]. For example: telnet 61.152.158.132 23 (23 is the default port).
Command to end the Telnet session: exit
Establishing a Telnet connection successfully requires that the Telnet service is turned on and NTLM authentication removed on the remote computer, and that you hold an account and password on that computer. Dedicated Telnet clients such as STerm and CTerm can also be used to connect.
6. A typical Telnet intrusion (skip this section if you already know it)
1. Steps of a typical Telnet intrusion
Step one: Establish an ipc$ connection. Here Sysback is the backdoor account created earlier.
Step two: Turn on the Telnet service, which is disabled on the remote host.
Step three: Disconnect the ipc$ connection.
Step four: Remove NTLM authentication. If NTLM authentication is not removed on the remote computer, the Telnet logon fails.
Intruders use various methods to render NTLM authentication useless. There are several ways to get around it; the following are the common ones.
(1) Method one
First, create an account on the local computer with the same user name and password as the account on the remote host.
Then go to Start → Programs → Accessories, right-click Command Prompt and select Properties.
Tick "Run as other user (U)" and click OK. Next, follow the same path to Command Prompt and left-click to open it; a dialog box appears.
Type the user name and password.
After clicking OK you get an MS-DOS window running as that user; run telnet from that window.
Type the command "telnet 192.168.27.128" and press Enter; in the prompt that follows, type "Y" to agree to send the password and log in.
Finally, the remote host presents a shell to the Telnet user, and commands typed in that shell are executed directly on the remote computer.
For example, type "net user" to list the users on the remote host.
(2) Method two
This method uses the tool NTLM.EXE to remove NTLM authentication. First establish an ipc$ connection with the remote host, then copy NTLM.EXE to the remote host, and finally make the remote computer run NTLM.EXE through the at command.
After the scheduled task has run NTLM.EXE, type the command "telnet 192.168.27.128" to log on to the remote computer.
The login prompt appears.
Type the user name and password at the login prompt; if they are correct, you are logged on to the remote computer and get its shell.
Login succeeded.
In addition, the program ResumeTelnet.exe, which comes with OpenTelnet.exe, can restore NTLM authentication on the remote host. Its usage is "ResumeTelnet.exe \\server username password".
After it runs, ResumeTelnet.exe echoes its progress, shuts down the target host's Telnet service and restores NTLM authentication.
Telnet advanced intrusion: the complete guide
As the previous sections show, even when a computer uses NTLM authentication an intruder can remove it fairly easily and log in over Telnet. If the intruder logs in on port 23, the administrator can spot them easily; unfortunately, intruders usually do not connect through the default port 23. So how does an intruder change the Telnet port, and how do they modify the Telnet service to hide their tracks? The following walks through a common example and describes the tools needed.
X-Scan: used to find hosts with weak NT passwords.
OpenTelnet: used to remove NTLM authentication, turn on the Telnet service and change the Telnet service port.
AProMan: used to list and kill processes.
instsrv: used to install services on the host.
(1) AProMan introduction
AProMan lists and kills processes from the command line and is not detected by antivirus software. For example, if an intruder finds antivirus software running on the target host, the tools they upload will be removed by it, so they shut down the antivirus/firewall process before uploading their tools. Usage:
c:\AProMan.exe -a   show all processes
c:\AProMan.exe -p   show the port-to-process mapping (requires administrator privileges)
c:\AProMan.exe -t [PID]   kill the process with the given process ID
c:\AProMan.exe -f [FileName]   write process and module information to a file
(2) instsrv introduction
instsrv is a command-line program that installs and uninstalls services; you can freely choose the service name and the program the service runs. Usage:
Install a service: instsrv <service name> <path of the program to run>
Remove a service: instsrv <service name> REMOVE
Another excellent remote service management tool is sc. It is a command-line tool that can query, start, stop and delete services on a remote computer from the local machine. It is simple to use and is not described here. The following example shows how an intruder logs in over Telnet and leaves a Telnet backdoor.
Step one: Find hosts with weak NT passwords. Select "NT-Server weak password" in X-Scan's "Scan module".
Then, in the scan parameters, set the scan range to 192.168.27.2 to 192.168.27.253.
After a while the scan results are available.
Step two: Use OpenTelnet to turn on the remote host's Telnet service, change its port and remove NTLM authentication.

OpenTelnet handles this whether or not the Telnet service is already running on the remote host. Its arguments are the server, the user name, the password, the NTLM mode and the Telnet port. For example, the command "opentelnet \\192.168.27.129 Administrator "" 1 66" connects to host 192.168.27.129 as Administrator with an empty password (the weak password the scan found), sets the Telnet server's NTLM mode to 1 (try NTLM, then fall back to a user name and password prompt; 0 turns NTLM off and 2 requires it), turns on the Telnet service and changes the Telnet login port from the default 23 to 66.
Step three: Copy the required files (instsrv.exe, AProMan.exe) to the remote host.
First establish the ipc$ connection, then map a network drive and copy the required files into the C:\Winnt folder of the remote computer.
The copy succeeds.
Step four: Log in over Telnet.
At the MS-DOS prompt, type "telnet 192.168.27.129 66" to log on to the remote host 192.168.27.129.
Step five: Kill the firewall process.
If the intruder needs to copy a trojan-like program to the remote host and run it, they first shut down the antivirus/firewall on the remote host. No trojan is copied in this example, but the process is still worth describing. After logging in, the intruder changes to the C:\Winnt directory and uses AProMan: first "aproman -a" to list all processes, then locate the PID of the antivirus/firewall process, and finally "aproman -t [PID]" to kill it.
Step six: Install an additional, more covert Telnet service.
To be able to log on again later, the intruder leaves a backdoor after the first login. Here is how an intruder keeps a Telnet service permanently available by installing a system service. Before installing it, look at how Windows provides the "Telnet service": open Computer Management and view the properties of the Telnet service.
In the Telnet properties window, the path to the executable points to C:\WINNT\System32\tlntsvr.exe. tlntsvr.exe is the program Windows uses to provide the Telnet service; in other words, any service whose executable is tlntsvr.exe provides a Telnet service. An intruder can therefore create a new service that points to tlntsvr.exe and log in through the Telnet service it provides. Even if the original Telnet service on the remote host is disabled, the intruder can still log on to the remote computer without hindrance; this is the Telnet backdoor. The process is as follows. First change to the directory containing instsrv.
Then use instsrv.exe to create a service called "Syshealth" that points to C:\WINNT\system32\tlntsvr.exe; following the usage of instsrv.exe, the command is "instsrv.exe syshealth C:\WINNT\SYSTEM32\tlntsvr.exe".
The service "Syshealth" is created. On the surface the service has nothing to do with remote connections, but it is in fact the Telnet backdoor service left by the intruder.
In Computer Management you can see that the service has been added to the remote computer. The intruder typically sets its startup type to Automatic and stops and disables the original Telnet service.
Testing confirms that although the Telnet service on the remote host has been stopped and disabled, the intruder can still control the remote host over Telnet. After these changes, even if the administrator runs "netstat -n" to see which ports are in use, a connection on port 66 gives no hint that a Telnet service is behind it, whereas a connection on port 23 would normally identify one. The backdoor is still detectable, though: the service name can be anything, but the executable cannot, so listing services whose binary is tlntsvr.exe and checking the Telnet server's port and NTLM settings reveals it.
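As an added example (not part of the original article), the following Python script performs that check over constructed sample output rather than a live host: it parses "sc qc" output for each service and "reg query" output for the Telnet server's registry key, and reports any service other than TlntSvr whose binary is tlntsvr.exe, a TelnetPort other than 23, and an NTLM setting other than "required". The registry key HKLM\SOFTWARE\Microsoft\TelnetServer\1.0 with its NTLM (0/1/2) and TelnetPort values is the location used by the Windows 2000 Telnet server and should be confirmed for the version being audited; the service and registry listings are constructed to match the scenario above (Syshealth clone, port 66, NTLM set to 1 by OpenTelnet).

```python
# Added example (not from the original article): audit a Windows host for the
# three changes described in the text, a Telnet service clone under another
# name, a non-default Telnet port and NTLM authentication not required.
# Input is constructed `sc qc` and `reg query` output; the registry key
# HKLM\SOFTWARE\Microsoft\TelnetServer\1.0 (values NTLM, TelnetPort) is the
# Windows 2000 Telnet server location and is an assumption to verify per version.
import re
from typing import Dict, List

TELNET_BINARY = "tlntsvr.exe"
TELNET_SERVICE = "tlntsvr"   # the legitimate service name (compared case-insensitively)
NTLM_REQUIRED = 2            # Windows Telnet NTLM setting: 0 off, 1 try then fall back, 2 required

# Constructed `sc qc <name>` output for three services (only the fields the audit uses).
SC_QC_OUTPUT = r"""
SERVICE_NAME: TlntSvr
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 4   DISABLED
        BINARY_PATH_NAME   : C:\WINNT\system32\tlntsvr.exe
        DISPLAY_NAME       : Telnet

SERVICE_NAME: Syshealth
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINNT\system32\tlntsvr.exe
        DISPLAY_NAME       : Syshealth

SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINNT\system32\spoolsv.exe
        DISPLAY_NAME       : Print Spooler
"""

# Constructed `reg query HKLM\SOFTWARE\Microsoft\TelnetServer\1.0` output after
# OpenTelnet was run as in the text (NTLM mode 1, port 66 = 0x42).
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0
    NTLM              REG_DWORD    0x1
    TelnetPort        REG_DWORD    0x42
    MaxConnections    REG_DWORD    0x2
"""


def parse_sc_qc(text: str) -> Dict[str, Dict[str, str]]:
    """Return {service_name: {"binary": exe file name, "start": start type}} from sc qc output."""
    services: Dict[str, Dict[str, str]] = {}
    for block in re.split(r"(?m)^SERVICE_NAME:\s*", text)[1:]:
        name = block.split("\n", 1)[0].strip()
        path = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", block)
        start = re.search(r"START_TYPE\s*:\s*\d+\s+(\S+)", block)
        if not path:
            continue
        raw = path.group(1).strip()
        # keep the program only: a quoted path may contain spaces, an unquoted one may carry arguments
        program = raw[1:raw.index('"', 1)] if raw.startswith('"') else raw.split()[0]
        exe = re.split(r"[\\/]", program)[-1].lower()
        services[name] = {"binary": exe, "start": start.group(1) if start else "?"}
    return services


def parse_reg_query(text: str) -> Dict[str, int]:
    """Return {value_name: int} for the REG_DWORD values in reg query output."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"(?m)^\s*(\S+)\s+REG_DWORD\s+0x([0-9A-Fa-f]+)", text)}


def audit_telnet(services: Dict[str, Dict[str, str]], telnet_cfg: Dict[str, int]) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    ntlm = telnet_cfg.get("NTLM")
    if ntlm is not None and ntlm != NTLM_REQUIRED:
        findings.append(f"NTLM authentication not required (NTLM={ntlm}); cleartext logons possible")
    port = telnet_cfg.get("TelnetPort", 23)
    if port != 23:
        findings.append(f"Telnet server configured on non-default port {port}")
    for name, svc in services.items():
        # the service name is free-form, the binary is not: any other name running tlntsvr.exe is a clone
        if svc["binary"] == TELNET_BINARY and name.lower() != TELNET_SERVICE:
            findings.append(f"service '{name}' ({svc['start']}) runs {TELNET_BINARY} "
                            f"under a non-standard name: Telnet backdoor")
    return findings


if __name__ == "__main__":
    for line in audit_telnet(parse_sc_qc(SC_QC_OUTPUT), parse_reg_query(REG_QUERY_OUTPUT)):
        print("FINDING:", line)
```

On a real host the two inputs come from "sc qc" run for every name listed by "sc query" and from "reg query" against the Telnet server key; a service that has been stopped and disabled still appears in the service list, which is why the binary path, not the running state or the listening port, is the property to match on.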