The telnet command.

1. What is Telnet?
  Telnet is understood differently by different people: it can be thought of as a communication protocol, but to an intruder Telnet is simply a remote login tool. Once an intruder has established a Telnet connection to a remote host, he can use the software and hardware resources of the target host, while the local machine acts as nothing more than a terminal with a keyboard and a display.
2. What is Telnet used for?
  (1) Telnet is the primary method of controlling a host
  If an intruder wants to execute commands on a remote host, he needs to establish an IPC$ connection, then use the net time command to view the system time, and finally use the at command to create a scheduled task that performs the remote command execution. Although this method does achieve remote command execution, the Telnet approach is far more convenient for the intruder. Once an intruder has established a Telnet connection to a remote host, he can control the remote computer as if it were the local one. Clearly, Telnet is the remote-control tool intruders rely on: once they have gone to the trouble of obtaining administrator privileges on a remote host, they will generally log in with Telnet.
  (2) Used as a springboard
  Intruders call a compromised host used to hide their tracks a "springboard". They often use this method, logging in from one "chicken" (compromised host) to another, so that their own IP address is not exposed during the intrusion.
3. On NTLM verification
Because Telnet is so powerful, and is also one of the most frequently used means of logging in, Microsoft added authentication to Telnet, called NTLM verification. It requires that, in addition to knowing the Telnet service host, user name and password, the Telnet client must also pass NTLM authentication. NTLM authentication improves the security of the Telnet host and shuts out many intruders.
4. Telnet syntax
telnet [-a][-e escape char][-f log file][-l user][-t term][host [port]]
-a: attempt automatic logon. Same as the -l option, except that the currently logged-on user name is used.
-e: escape character used to enter the telnet client prompt.
-f: file name for client-side logging.
-l: specifies the user name to log in with on the remote system.
    Requires that the remote system support the TELNET ENVIRON option.
-t: specifies the terminal type.
    Supported terminal types are vt100, vt52, ansi and vtnt only.
host: specifies the host name or IP address of the remote computer to connect to.
port: specifies a port number or service name.
5. Logging in with Telnet
Login command: telnet HOST [PORT]; example: telnet 23 (the default port)
Command to disconnect Telnet: exit
  To establish a Telnet connection successfully, the account and password on the remote computer must be known, the remote computer must have the "Telnet service" enabled, and NTLM verification must have been removed. Special Telnet tools such as STERM and CTERM can also be used to make the connection.
6. A typical Telnet intrusion (if this is hard to follow, the following can be read as a simple overview)
  1. Typical Telnet intrusion steps
  Step one: establish an IPC$ connection. Here sysback is the backdoor account.
  Step two: enable the Telnet service, which is disabled on the remote host.
  Step three: disconnect IPC$.
  Step four: remove NTLM verification. If NTLM verification has not been removed on the remote computer, logging on to the remote computer will fail.
  But the intruder can use various methods to make NTLM verification exist in name only. There are many ways to remove NTLM; here are some of the common ones. Let us look at how NTLM verification is removed.
  (1) Method one
  First, create an account on the local computer with the same user name and password as the account on the remote host.
  Then, go through "Start", "Programs" and "Accessories" to find "Command Prompt", right-click "Command Prompt" and select "Properties".
  Tick the box in front of "Run as different user (U)", then click "OK". Then follow the same path to "Command Prompt" again and open it with the left mouse button; the dialog box shown appears.
  As shown in the figure, type the "user name" and "password".
  Click "OK" to get the MS-DOS window, and then use Telnet from the MS-DOS window to log on.
  Type the "telnet" command and press Enter; in the interface, type "Y" to confirm sending your password to log in, as shown in the figure.
  Finally, the remote host opens a Telnet shell for the user; commands entered in this shell are executed directly on the remote computer.
  For example, type the "net user" command to check the list of users on the remote host.
  (2) Method two
  This method uses the NTLM.EXE tool to remove NTLM validation. First establish an IPC$ connection to the remote host, then copy NTLM.EXE to the remote host, and then execute NTLM.EXE on the remote computer through the at command.
  After the scheduled task has run NTLM.EXE, type the "telnet" command to log on to the remote computer.
  The login interface.
  In the login interface, type the user name and password; if they are correct, the login to the remote computer succeeds and the remote computer's shell is obtained.
  Successful login.
  In addition, NTLM verification can be restored with the resumetelnet.exe program, which is used together with opentelnet.exe to restore the remote host; the usage is "ResumeTelnet.exe \\server username password".
  After resumetelnet.exe executes, the echo shows that the target host's Telnet service has been closed and NTLM verification restored.
  2. Advanced Telnet intrusion
  It can be seen from the above that even if a computer uses NTLM verification, an intruder can easily remove it and achieve a Telnet login. If the intruder logs in via port 23, the administrator can easily discover him, but unfortunately intruders do not usually connect through the default Telnet port 23. So how does one modify the Telnet port, and how does one modify the Telnet service to conceal one's whereabouts? Here are some common examples to illustrate this process, along with an introduction to the tools needed to complete it.
  X-Scan: used to scan for NT hosts with weak passwords.
  opentelnet: used to remove NTLM verification, enable the Telnet service and modify the Telnet service port.
  AProMan: used to view processes and kill processes.
  instsrv: used to install a service on the host.
  (1) Introduction to AProMan
  AProMan can view and kill processes from the command line without being killed by antivirus software. For example, if an intruder detects that antivirus software is running on the target host, the tools he uploads may be killed by it, so he will shut down the antivirus firewall before uploading the tools. Usage is as follows:
  C:\AProMan.exe -a            display all processes
  C:\AProMan.exe -p            display the port-to-process relationship (administrator permissions required)
  c:\AProMan.exe -t [PID]      kill the process with the specified PID
  c:\AProMan.exe -f [FileName] save process and module information to a file
  (2) Introduction to instsrv
  Instsrv is a command-line program that installs and uninstalls services; the service name and the program the service runs can be specified freely. Usage of instsrv is as follows:
  Install a service: instsrv <service name> <path to executable>
  Uninstall a service: instsrv <service name> REMOVE
  Another excellent service management tool is SC. It is a command-line tool that can query, start, stop and delete services locally or on a remote computer. It is easy to use and is not introduced here. The following example shows how an intruder achieves a Telnet login and leaves a Telnet backdoor.
  Step one: scan for NT hosts with weak passwords. In X-Scan's "scanning module" select "NT-SERVER weak passwords".
  Then specify the scan range (the "from" and "to" addresses) in the "scanning parameters".
  After a while, the scan results are obtained.
  Step two: use opentelnet to enable the remote host's Telnet service, modify the target host's port and remove NTLM verification.

  Whether or not the remote host has the "Telnet service" enabled, the intruder can deal with it using the opentelnet tool. For example, the command "opentelnet \ administrator " " 166" removes NTLM verification on the host with IP address 192.168.27.129, enables the Telnet service and changes the default Telnet login port 23 to port 66.
  Step three: copy the required files (instsrv.exe, AProMan.exe) to the remote host.
  First establish IPC$, then copy the required files and paste them into the remote computer's c:\winnt folder via a mapped network drive.
  Copy succeeded.
  Step four: Telnet login.
  Type the command "telnet 66" in the MS-DOS window to log in to the remote host.
  Step five: kill the firewall process.
  If the intruder copies a Trojan-like program to the remote host and executes it, he will first shut down the remote host's antivirus firewall. Although no Trojan-like program is copied to the remote host here, this process is still worth introducing. After a successful login, the intruder goes to the c:\winnt directory and uses the AProMan program: the command AProMan -a views all processes, then the PID of the antivirus firewall process is located, and finally AProMan -t [PID] is used to kill the antivirus firewall.
  Step six: install another, more hidden Telnet service.
  In order to be able to log on to the computer again later, the intruder will leave a backdoor after the first login. Here we introduce how to keep the Telnet service running permanently by installing a system service. Before installing the service, it is necessary to understand how the Windows operating system provides the "Telnet service". Open "Computer Management" and view the properties of "Telnet".
  In the "Telnet Properties" window, you can see that the "path" of the executable file is "C:\WINNT\SYSTEM32\tlntsvr.exe". Clearly, the application tlntsvr.exe is what the Windows system uses to provide the "Telnet service". That is to say, if a service points to this program, that service will provide Telnet service. Therefore, the intruder can create a new service that points to tlntsvr.exe and register it in the service registry; after doing this, even if the remote host's Telnet service is disabled, the intruder can still log on to the remote computer without obstacle. This method is called a Telnet backdoor. Here is how the above is achieved. First, go into the instsrv directory.
  Then use instsrv.exe to create a "SYSHEALTH" service that points to C:\WINNT\SYSTEM32\tlntsvr.exe. Following the usage of instsrv.exe, enter the command "instsrv.exe SYSHEALTH C:\WINNT\SYSTEM32\tlntsvr.exe".
  The "SYSHEALTH" service has been created successfully. Although on the surface this service appears to have nothing to do with remote connections, it is the backdoor Telnet service left by the intruder.
  Through "Computer Management" you can see that the service has been added to the remote computer. The intruder will set the service's startup type to "Automatic", and stop and disable the original "Telnet service".
  The result shows that although the Telnet service on the remote host has been stopped and disabled, the intruder can still control the remote host through Telnet. With these modifications, even if the administrator uses "netstat -n" (the usual command for checking which ports are in use) to look at the open port numbers, he cannot tell that port 66 is providing Telnet service.
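The backdoor described above leaves two traces an administrator can audit for: a service whose binary is tlntsvr.exe but whose name is not the built-in Telnet service, and tlntsvr.exe listening on a port other than 23. The following Python script, added here as a defender's check and not part of the original post, runs both audits over constructed sample data; the service table, process table and netstat lines are made up for the example, and on a real host would come from `sc qc` / `wmic service get Name,PathName`, `tasklist` and `netstat -ano`.

```python
import ntpath
from typing import Dict, List

# Constructed sample of Windows services (service name -> binary path),
# including the SYSHEALTH backdoor service from the text.
SERVICES: Dict[str, str] = {
    "TlntSvr": r"C:\WINNT\SYSTEM32\tlntsvr.exe",    # the built-in Telnet service
    "SYSHEALTH": r"C:\WINNT\SYSTEM32\tlntsvr.exe",  # backdoor: same binary, new name
    "Spooler": r"C:\WINNT\system32\spoolsv.exe",
}

# Constructed process table (PID -> image name), as `tasklist` would list it.
PROCESSES: Dict[int, str] = {4: "System", 812: "tlntsvr.exe", 1040: "spoolsv.exe"}

# Constructed `netstat -ano` listener lines: proto, local addr, remote addr, state, PID.
NETSTAT_LINES = """
  TCP    0.0.0.0:66             0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
"""

TELNET_IMAGE = "tlntsvr.exe"
BUILTIN_TELNET_SERVICE = "tlntsvr"
DEFAULT_TELNET_PORT = 23


def rogue_telnet_services(services: Dict[str, str]) -> List[str]:
    """Return names of services that run tlntsvr.exe under a name other than TlntSvr."""
    rogue = []
    for name, path in services.items():
        image = ntpath.basename(path.strip('"')).lower()  # tolerate quoted paths
        if image == TELNET_IMAGE and name.lower() != BUILTIN_TELNET_SERVICE:
            rogue.append(name)
    return rogue


def nonstandard_telnet_ports(netstat_output: str, processes: Dict[int, str]) -> List[int]:
    """Return TCP ports on which tlntsvr.exe is listening other than the default 23."""
    ports = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue  # skip blank lines, UDP entries and non-listening sockets
        port = int(fields[1].rsplit(":", 1)[1])
        pid = int(fields[4])
        if processes.get(pid, "").lower() == TELNET_IMAGE and port != DEFAULT_TELNET_PORT:
            ports.append(port)
    return ports


if __name__ == "__main__":
    print("services running tlntsvr.exe under another name:", rogue_telnet_services(SERVICES))
    print("tlntsvr.exe listening on non-default ports:", nonstandard_telnet_ports(NETSTAT_LINES, PROCESSES))
```

Run against the constructed data it reports SYSHEALTH and port 66, which is exactly what "netstat -n" alone cannot reveal because it shows ports without owning processes.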

Posted by Angelina at December 18, 2013 - 1:16 AM