Enumerating Telnet
Let's Get Started
Before we begin, make sure to deploy the room and give it some time to boot. Please be aware, this can take up to five minutes so be patient!
Enumeration
We've already seen how key enumeration can be in exploiting a misconfigured network service. However, vulnerabilities that could be potentially trivial to exploit don't always jump out at us. For that reason, especially when it comes to enumerating network services, we need to be thorough in our method.
Port Scanning
Let's start out the same way we usually do, with a port scan, to find out as much information as we can about the services, applications, structure and operating system of the target machine. Scan the machine with nmap and the flags -A and -p-.
Flags
-A : Enables OS detection, version detection, script scanning and traceroute all in one
-p- : Enables scanning across all 65535 ports, not just the top 1000
Output
Let's see what's going on on the target server... How many ports are open on the target machine?
What port is this?
This port is unassigned, but still lists the protocol it's using, what protocol is this?
Now re-run the nmap scan, without the -p- tag, how many ports show up as open?
Here, we see that by assigning telnet to a non-standard port, it is not part of the common ports list, or top 1000 ports, that nmap scans. It's important to try every angle when enumerating, as the information you gather here will inform your exploitation stage.
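To make the point concrete, here is an added example (not part of the room) that parses nmap grepable (-oG) output from a default scan and a full -p- scan, lists the open ports the default scan missed, and flags open ports whose service is unrecognised or sits off its standard port. The host, port numbers and banners are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed nmap grepable (-oG) output, made up for this example: the
# host, ports and banners are not the room's real target. The first run
# mimics a default (top-1000) scan, the second a full `-p-` scan.
DEFAULT_SCAN = """\
# Nmap scan initiated as: nmap -A -oG - 10.10.10.10
Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2/\tIgnored State: closed (999)
"""
FULL_SCAN = """\
# Nmap scan initiated as: nmap -A -p- -oG - 10.10.10.10
Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2/, 8400/open/tcp//unknown///\tIgnored State: closed (65533)
"""

# Standard ports for the services this kind of enumeration usually meets.
STANDARD_PORTS = {"telnet": 23, "ssh": 22, "http": 80, "https": 443, "ftp": 21}

def parse_gnmap(text: str) -> Dict[int, dict]:
    """Return {port: {state, proto, service, version}} for every port in a -oG report."""
    ports = {}
    for line in text.splitlines():
        m = re.search(r"\tPorts: (.*?)(?:\t|$)", line)
        if not m:
            continue
        for entry in m.group(1).split(", "):
            f = entry.split("/")  # port/state/proto/owner/service/rpc/version/
            ports[int(f[0])] = {"state": f[1], "proto": f[2],
                                "service": f[4], "version": f[6]}
    return ports

def open_ports(text: str) -> List[int]:
    """Sorted list of open ports in a -oG report."""
    return sorted(p for p, d in parse_gnmap(text).items() if d["state"] == "open")

def missed_by_default_scan(default_text: str, full_text: str) -> List[int]:
    """Open ports the full -p- scan found that the top-1000 scan did not."""
    return sorted(set(open_ports(full_text)) - set(open_ports(default_text)))

def suspicious_ports(text: str) -> List[int]:
    """Open ports whose service is unrecognised or is off its standard port."""
    flagged = []
    for port, d in parse_gnmap(text).items():
        if d["state"] != "open":
            continue
        std = STANDARD_PORTS.get(d["service"])
        if d["service"] in ("", "unknown") or (std is not None and std != port):
            flagged.append(port)
    return sorted(flagged)
```

Anything returned by missed_by_default_scan or suspicious_ports is exactly the kind of port worth a manual connection and a note in your enumeration log.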
Based on the title returned to us, what do we think this port could be used for?
Who could it belong to? Gathering possible usernames is an important step in enumeration.
Always keep a note of information you find during your enumeration stage, so you can refer back to it when you move on to try exploits.