Welcome to HBH! If you had an account on hellboundhacker.org you will need to reset your password using the Lost Password system before you will be able to login.

Guide to telnet


Guide to telnet

By n3w7yp3 avatarn3w7yp3 | 9112 Reads |
0     0

Telnet is probablay one of the most confusing things for a newbie. You see alot of guides on it, but then still newbies post questions. Hopefully, I've created a guide that will explain telnet and aleviate the need for questions to be asked (although i doubt it). okay enough talk, lets get to it!

+{TELNET}+

Telnet is a terminal emulation program. You see once upon a time, terminals were hardwired next to a console. Then with the rise of the PC and the Internet, a standard was needed. so they made telnet. nowadays telnet is pretty much obsolete. with the world wide web, you just use a browser, and SSH is used to login to shell accounts. but telnet is still a good thing to know.

+{USING TELNET}+

there are several ways to start your telnet client. if your on windows 9x click start then programs, and then MS-DOS Prompt. once in the DOS prompt type telnet at the prompt. there that GUI windows is your telnet screen. or you can just click start>run and then type telnet and press . either way it will be the same. on Win2K/XP you can start telnet 2 ways. the first is to start a shell (start>run and type cmd and press ) and then type telnet at the prompt. the prompt will change to somthing like: Microsoft telnet>
or you can do the start>run and type telnet and press method. either way will work. on Linux start a shell and type telnet. okay now that the telnet client is open we're ready to connect. well, almost. if you're on windows we need to make some configuration changes first. for windows 9x click prefrences and check "Localecho on". on widows 2K/XP type the following at the prompt:

Microsoft telnet> set term vt100 Microsoft telnet> set localecho

there now we're ready to go. what we just did was turn on the localecho. there is a bug(?) in MS telnet that won't display the text you type unless localecho is on. and also the telnet client in Win 2K/XP ships with the deafult term type as ANSI. but vt100 is the preferrerd term type. Linux telnet clients ship all set up and ready to go. now lets connect. for the Win 9x useres click connect>remote system. then in the host box type www.google.com. in the port box type 80. for the rest of us, just type the following (NOTE: in this part of the guide to telnet we're using the HTTP port. this port is used for the Internet. its number is 80. the deamon that runs on it is called the HTTPD):

telnet> open www.google.com 80

now hit connect or press and wait to connect. when your connected you will see a message like:

Trying 64.233.161.104… Connected to www.google.com. Escape character is '^]'.

it may be a little different. now what this all mean? well, 64.233.161.104 is google's IP. the thing about the escape character means that if you push ctrl+] it will cump you back in the shell on you machine at the telnet prompt. you can then type close to close the connection. the reason for this is because sometimes the service you connected to wont do anything when you type a command, co you need to close the connection, but quit, close, exit, and kill don't bring about a reply. so thats when you hit the escape character (win 9x useres: you dont have an escape character. to close your connection connect>disconnect). now by this time the connection will have probably timed out, do we have co connect again. after connecting again let's try out some HTTP requests. the first HTTP request to learn is the GET request (NOTE: HTTP is case sensitive). to issue a GET request type the following:

GET / HTTP/1.0

now press twice. whoa look at all that stuff!! that is the codee to google's main page, just like we would get if we did a right click>view source. now why did google close our connection? well its because HTTP is a stateless protocal (like UDP). so since there is no actual connection between you and the site (accept at the moment of transfer) your browser needs to reconnect every time you request a new page. however, there is a way to stay connected. did you know why you had to press twice after you connected? well, its because after the request (that was the GET) you are supposed to issue HTTP commands. there tell the server many things, including your user agent, browser type, and conection type (and alot more!). but before we get into those, lets take a closer look at that HTTP request we just issued:

GET = The request type. there are many of these. (i've included a list later in the guide) / = the page. now when you tpye in a site name (http://www.google.com/) the computer connects to that site. now even if you dont type the / after .com its still the same site. you see the / is the sites homepage. HTTP/1.0 = this is the protocal type. a GET request is a HTTP/1.0 request, so thats what you type.

heres a list of some common requests:

name usage what it does


CONNECT CONNECT proxy-server HTTP/1.1 sets up a tunnel through proxys (useful to avoid web-filters) Host: site.to.connect.to

DELETE DELETE /uri HTTP/1.1 deletes the file specified by /uri

GET GET /uri HTTP/1.0 gets the file specified by /uri

HEAD HEAD /uri HTTP/1.0 returns the header of /uri. used in a technique called a banner grab; which is used to identify the OS being ran on the server.

OPTIONS OPTIONS * HTTP/1.1 returns info about the target host. if "*" is specified it Host: localhost returns info abouit the server it self. other wise it return -=OR=- info associated with the specified /uri OPTIONS /uri HTTP/1.1 Host: localhost

POST POST /uri HTTP/1.1 adds data to /uri. the request defines content length. it may Host: localhost include binary data. Content-length: N \n \n

PUT PUT /uri HTTP/1.1 adds data in the path specified by /uri (data like a new page Host: localhost etc) Content-Length: N \n \n

TRACE TRACE / HTTP/1.1 causes a server to respond with all the headers contained in Host: localhost the original request.

TRACK TRACK / HTTP/1.1 an alias for TRACE. its only used in IIS. Host: localhost

okay now you should be able to do alot of stuff but just using telnet to connect to the site. okay lets get on to those HTTP commands that i mentioned. now as i stated earlier, these comamnds do lost of stuff. the most useful would probably be the Connection: keep-alive command. this makes the connection stay alive so you can pump through command after comamnd. lets try it:

telnet> open www.google.com 80 Trying 64.233.161.99… Connected to www.google.com. Escape character is '^]'.

oaky, now lets try out the HEAD request combined with the Connection: Keep-alive command:

HEAD / HTTP/1.0 Connection: Keep-alive

HTTP/1.0 200 OK Cache-Control: private Content-Type: text/html Set-Cookie: PREF=ID=752b22c0c0526756:TM=1109357543:LM=1109357543:S=ntZTEgMD7QQDP6cP; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com Server: GWS/2.1 Content-Length: 0 Date: Fri, 25 Feb 2005 18:52:23 GMT Connection: Keep-Alive

kewl, the connection didn't drop. so now we can issue more requests with out having to reconnect. however to keep the connection alive, we need to specifiy this after every request. another common HTTP command sets your user-agent. the user-agent is used to identify the OS and browser that the client (you) is running. heres a log of a telnet session to google in which I issue a full HTTP request and specify all the parameters:

telnet> open www.google.com 80 Trying 64.233.161.99… Connected to www.google.com. Escape character is '^]'. HEAD / HTTP/1.0 Connectiion: Keep-Alive Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, / Accept-Charset: iso-8859-1,*,utf-8 Accept-Language: en Host: localhost User-Agent: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040913

HTTP/1.0 200 OK Cache-Control: private Content-Type: text/html Set-Cookie: PREF=ID=2e727971cb330368:TM=1109358158:LM=1109358158:S=IpSi5XsS1Eqo7hby; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com Server: GWS/2.1 Content-Length: 0 Date: Fri, 25 Feb 2005 19:02:38 GMT Connection: Keep-Alive

okay there, that was a proper session, just like your browser would do. but we mostly dont bother with all that stuff, just a Connection: Keep-Alive will do just fine ;). anyways; here are some HTTP response headers:

name what it means


Accept-Ranges The server indicates it will accept partial requests (requests within the accepted range) for the resource.

Age the servers guess in seconds of how old the cached object is

ETag Entity Tag. Used in cache control when the server doesnt track time-stamps. a strong validator when the browser is deciding if it should refresh a cached object

Location Redirects the client to a different source to a URI

Proxy-Authenticate carrys authentication creditals for proxy servers

Referer Specifies the URI from which the request was generated. it shouldnt be relied upon for security testing.

Server identify the server product, OS, and other info. usually modded to block unsofisticated attacks and incompetent attackers.

Vary used to control the caching of objects

WWW-Authenticate Get user Authentication

so now you know what all that stuff in the servers reply means. now you may wonder what the "HTTP/1.0 200 OK" means. well this is called the status code. 200 indicates a successful transfer. heres what the ranges mean:

1xx: i'm not sure what this means; its rarley used 2xx: successful completion of the HTTP request 3xx: unsuccessful due to moving of ducuments (URIs) 4xx: client side error (an error on your end) 5xx: server side error

the 2 most common status codes returned are 200 OK (you get this every time a connection works and you successfuly retreive a page) and 404 which means file not found (you clicked on a bad link, etc). well now that you know a good deal about HTTP and port 80 in general, lets duscuss the most common use of these commands proxy tunneling. have you ever been at school and you try to show your friend a cool website and its blocked for sum bogus reason? wouldn't you like to get around that damn web-content filter? well trust me you can. the first thing to do is open up internet explorer. then click tools>>internet options>>LAN settings. (or sumthing similar) now you should see somthing like 'Address: webproxy Port: 80'. this is the arddress of your web proxy that the school makes you pipe all your requests through. but what if it wont let you access the tools tab in IE? what then? the first thing to do in that case is to open a shell (use you imagination on how to do this). later i will make a paper on how to get command line access when your not supposed to have it ;). now type netstat -n at the prompt. you should get some results. one of them will look something like this:

10.1.44.5:80 ESTABLISHED

the IP will probably not be the same at your school as it is at mine, but it does not matter. the important part is what comes after the colon. thats the port number. in this case it is the standard HTTP port (80). but what if you dont see one that has the port as 80? well look for 8080. thats a common proxy port. if you are absolutly stumped, you can simply telnet yo all the ports on all the computers that you are connected to under the netstat -n screen and issue a HEAD request. when you get a positive reply, you're in business! now that we have identified the webproxy lets tunnel out. issue the follow commands after connection:

CONNECT http://www.blockedsite.com HTTP/1.1 Host: localhost

now press enter.

you should see "HTTP/1.1 200 OK Connection established" from the proxy. and boom we're connected to www.blockedsite.com. now just use the different requests discussed earlier to get the HTML source code of the site and its various pages and compy and paste them into notepad. save it as a .html file, open up 'My Computer' and click on the newly created .html file to view the site as you normally would. when you want to click on a link (lets say its called 'hacking') reconnect to the proxy, tunnel out and request the source of the hacking link (for instance: GET /hacking HTTP/1.0). there, now that annoying web filter cant stop us!! of course we can connect to any port on a computer not just 80. so lets look at another one of my personal favorites, port 25 (SMTP). port 25 is the port used to send email. it runs the Simple Mail Transfer Protocal Deamon (SMTPD). with this port we can do lots of kewl stuff, including:

  1. verifying user accounts on the system
  2. preforming a banner grab to determin the OS being run on the system
  3. sending forged email

now the most exciting one for you right now would be sending forged email. haven't you ever wanted to send an email to someone but wanted to use a fake name? well its pretty easy to do! the first thing to do is to connect to a mail server over port 25 (NOTE: because most sysadmins don't like people abuing thier mail servers to send fake email, i'm not using any real mail servers in this section. you'll have to find some on your own. [well, i'll tell you in a minuet how to find a vulnerable mail server]. also don't even consider using hotmail.com or gmail.google.com or another big company for this purpose. if you do you will get into deep dark shit! period). the hard part is finding a mail server to connect to. however there are ways: the first thing to do is to type nslookup at the prompt. then type "set type=all". okay now consider your friend email addres. it is split up into 2 parts the user name and the host. say you wanna send a fake email to buddy@yahoo.com . so now we know that we wanna goto yahoo.com over port 25 (NOTE: that warning i gave earlier was just my attempt at getting you tto read the part on nslookup. you can relax now :) . but seriously, pls dont use the expan and verfy commands! they get logged as suspicious!) so now type "yahoo.com" (no quotes). see all those entries? well if you see one like: mx1.yahoo.com thats a mail server. generally if its mail.example.com or mx.example.com its a mail server.

NOTE: for those of us who use linux, our nslookup uses different commands to get the right resource record use the type "set type=any" and then yahoo.com

okay so now we know the mail server. time to fire up telnet. this time though point it at port 25.

NOTE: theres an even eaiser way to telnet. just open up a shell and type "telnet www.site.com XX" where www.site.com is a hostname or IP and XX is a port number to connect to.

So to telnet to the mail server using our new method we would type the following at the prompt: telnet mx1.yahoo.com 25 yay now we're connected. so now the kewl thing about the SMTP deamon is that you can ask it for help (unlike the HTTPD). for this paper i set up a sendmail server on my home LAN (its not connected to the internet!!). sendmail is probably the buggiest deamon, and one of the most helpful. nowadays, sendmail isnt that common, but hey just look around and you might find a sendmail deamon around. okay so after connection, we see somthing like:

220-localhost.localdomain sendmail 8.6.12/8.9.6 ready at Fri, 25Feb 2005 19:34:53 GMT 220 ESMTP spoken here

what is all this? it is called the deamon banner. it tells us what version of sendmail the server is running and with a littel hunting on google we can use this info to identify the OS of the server. okay lets ask it for help:

HELP 214- Commands: 214- HELO EHLO MAIL RCPT DATA 214- RSET NOOP QUIT HELP VRFY 214- EXPN VERB 214- for more info use "HELP " 214- to report bugs 214- for 214- end of help info

there now we no what commands are avalible. the second to last and the third to last lines i snipped their output, because i felt like it :). oaky again heres the commands along with what they do:

SMTP command				What it does
------------ 				------------
HELO/EHLO				greets the server
RCPT					specifies the recipent of the mail
MAIL					specifies the sender of mail
DATA					body of email
VERB					turn on verbose mode
EXPN					expand and email alias to full list of recipents
VRFY					verify that the account exists
HELP					display a help message
QUIT					exit the server
NOOP					do nothing

now that we kno the commands faking the email should be easy as pie. heres a sample session in which i'll forge an email:

HELO whitehouse.gov MAIL FROM: dhs@whitehouse.gov RCPT TO: n3w7yp3@localhost.localdomain DATA We're on to you you punk kid!! . QUIT

there that was really choppy. i cut off all the server replies because i felt like it :) (seriously though it's late and i'm tired ;) ). now when i check my mail box on my computer sure enough, an email for dhs@whitrhouse.gov (DHS is an acronym for Department of Homeland Security)! however sometime the header wil give it away. but mostly the email client doesnt show the full hader so it does not really matter. plus, normal people don't/can't red email headers. well, good luck and stay outta trouble! ;).

+{CLOSING}+

well, i hope that somebody out there learned something from this guide. also, please dont be a black-hat/cracker and mess up stuff with the knowledge you will obtain in the future. well, good luck and happy hacking! –n3w7yp3

                                                    -=EOF=- 

Comments
ghost's avatar
ghost 18 years ago

not bad a little rough on the edges for the ppl who dont understand what you just wrote.

n3w7yp3's avatar
n3w7yp3 18 years ago

yea it needs to be reformatted. when i typed it i type key strokes and a few other things between HTML tags by accident :/ . also i did it in vim, so everything was all nice and even…<BR><BR>hack4u and Grindordie, thanks for your input ;)

ghost's avatar
ghost 17 years ago

When i try to connect to "www.google.com 80" telnet just seems to hang…… ive left it for over 5 minuites so far… is it meant to take this long?

Anyone care to clarify?

ghost's avatar
ghost 16 years ago

sometimes servers hang when you try to open a HTTP connection through telnet, dont ask me why :S