Port 23 – Telnet

Service: telnetd
Protocol: TCP
Port: 23
Used for: Remote shell access over plaintext (legacy)

Why It’s Open

Before SSH, Telnet was the standard protocol for remote shell access on UNIX and network gear. It still shows up on legacy servers, network devices (Cisco, HP, Huawei, MikroTik), embedded systems, and a huge number of IoT devices that shipped with it enabled by default.

Common Risks

  • No encryption. Credentials, commands, and output are all transmitted in cleartext — anyone on the path can sniff the session.
  • Default or weak credentials. Most IoT compromises via Telnet are just root:root, admin:admin, or vendor defaults. The Mirai botnet scanned the entire IPv4 space for exactly this.
  • No rate limiting in most implementations. Makes brute-force trivial.
  • Known remote-exploitable bugs in older telnetd daemons (FreeBSD, Solaris, Inetutils).
  • Information disclosure via banners. Server banners frequently reveal OS, version, and sometimes device model.


Enumeration & Testing

Check if it’s open and grab the banner

nmap -sV -p 23 --script=banner,telnet-encryption,telnet-ntlm-info <target>

Raw banner grab with netcat

nc -nv <target> 23

Interactive connection

telnet <target> 23

Brute-force with Hydra

hydra -L users.txt -P passwords.txt telnet://<target> -t 4 -f

Brute-force with Ncrack

ncrack -p 23 --user root -P /usr/share/wordlists/rockyou.txt <target>

Metasploit modules

msfconsole -q
use auxiliary/scanner/telnet/telnet_version
set RHOSTS <target>
run
use auxiliary/scanner/telnet/telnet_login
set RHOSTS <target>
set USER_FILE users.txt
set PASS_FILE passwords.txt
set STOP_ON_SUCCESS true
run

What to Look For

Checkpoint | What it means
Successful banner grab | Service confirmed, version may be disclosed
No encryption negotiation | All traffic sniffable on the wire
Successful login with default creds | High-severity: immediate shell
Telnetd version < 1.6 (Inetutils) | Check for CVE-2020-10188
Any FreeBSD telnetd banner | Check for CVE-2011-4862 encrypt_keyid overflow

Known CVEs

  • CVE-2011-4862 — Stack buffer overflow in encrypt_keyid in the Telnet daemon on FreeBSD, MIT Kerberos, and derivatives. Remote code execution before authentication on vulnerable builds.
  • CVE-2020-10188 — Buffer overflow in utility.c in GNU Inetutils telnetd through 1.9.4. Remote attackers can execute arbitrary code via short writes or urgent data.
  • CVE-2022-39028 — GNU Inetutils telnetd denial-of-service via crafted option negotiation.

Mitigation

  • Replace with SSH. There is almost never a legitimate reason to run Telnet on a modern network.
  • Disable telnetd entirely if the device supports an alternative management plane.
  • Firewall TCP/23 to management networks only.
  • Force change of all default credentials on any device where Telnet must remain enabled.
  • Monitor for Mirai-style scanning of port 23 on any exposed subnet.

Real-World Example

The Mirai botnet compromised hundreds of thousands of IoT devices in 2016 by scanning the IPv4 space for port 23 and trying a list of ~60 common default credentials. The resulting DDoS attacks took down Dyn, Krebs on Security, and OVH. Telnet with default creds remains the single most effective IoT compromise vector a decade later.

TL;DR

  • Service: Telnet (remote login)
  • Default port: 23/TCP
  • Biggest risk: cleartext credentials + default passwords
  • Mitigation: disable, replace with SSH, firewall to management networks