Telnet Explained [Part 1]
By Abhisek Datta
http://hackersclub.focusindia.com
abhisekdatta@hotmail.com

Note: I have decided to launch manuals about hacking using telnet in two parts. In the first part I'll explain the basics of telnet and working with telnet, and in the second part I'll show some advanced methods of hacking through telnet. Further, this manual is in its BETA stage and I'll be grateful for suggestions for improvements.

Part 1

Welcome to another hackersclub manual. In here I am going to figure out one of the most kewl utilities available under the TCP/IP set of protocols. Well, I guess you people are familiar with TCP/IP protocols. Then also I am gonna tell you the basics of these sets of protocols. Well, first of all, a protocol means some rules for communication between systems over a network. TCP/IP is the most popular set of protocols currently used for communication over the internet. There are various utilities under TCP/IP: some are command utilities, some are transfer utilities and some are printer utilities.

Command Base Utilities : REXEC (Remote Execution), RSH (Remote Shell) and Telnet
Transfer Utilities : FTP, RCP, TFTP
Printer Utilities : LPR, LPQ

Well, all these utilities work according to TCP/IP, obeying the protocols of TCP/IP (Transmission Control Protocol/Internet Protocol). In this manual I'll lay stress mainly on Telnet, a command base utility available under the TCP/IP set of protocols.

What is telnet?

Basically telnet, a.k.a. (also known as) terminal emulator, is a console based tool which enables a user to use the resources of another system by connecting to it using its IP address and a valid shell on the target system. Well, in a simpler sense telnet also works like Trojans, in client-server fashion. Using a telnet client a user connects to the telnet server of a remote system running on a specified port. The default port for telnet is port 23. Well, that is all about telnet in the conventional sense of the term.
Now I think I should tell you more about telnet in the hacker's sense of the term. Well, to start with I must say that telnet is the ultimate tool for hackers. All big big hackers use it in exploiting loopholes in systems. You can start telnet by going to Run, typing telnet and pressing Enter. Generally in Win 95/98/Me a telnet window will pop up, but in Windows XP and Windows 2000 telnet will start within a DOS box, i.e. within the console. To run telnet in the console even in Win 98/95/Me just copy the lines below, save them as i_wanna_be_a_hacker.reg and run it:

REGEDIT4

; The SID below is the one from the author's own machine; on your system the key
; lives under your own user's SID (the same key is reachable as HKEY_CURRENT_USER).
[HKEY_USERS\S-1-5-21-1229272821-1563985344-1060284298-1003\Software\Microsoft\Telnet]
"MODE"="CONSOLE"

Well, you can also use the telnet available in Win 98 which opens up in a separate window. Click on Connect and in the host field enter the target IP. In the terminal type field write vt100. Or the plain and simple way: just open a DOS box and type telnet followed by the target IP (without the < >), and the default settings will work as fine as mmmm... can't find any words to compare, sorry :(

What can I do with telnet?

Generally hackers aim at connecting to the daemon of an open port of a particular system and try to get root on that system. First you need a good port scanner to scan down the open ports of a particular system. Then you may connect to an open port using telnet. For example, once I port scanned the webserver of a friend of mine who happens to be a great web developer and found that port 25 is open with an SMTP daemon running on it. So using telnet I connected myself to his server on port 25 and using his SMTP service I sent a couple of anonymous mails to my friends... mainly to him, telling him that I am using his service :))

Example:

c:\>telnet
Welcome to Microsoft Telnet Client
Escape Character is 'CTRL+]'
Microsoft Telnet>open anisurrahman.net
Connecting to anisurrahman.net....
Connected..
.
.
.

Well, now what? Now the SMTP service is mine..
I just played around with it... Well, if you are not used to telnet commands, just type HELP after you're connected and you will get the list of all the commands supported by the webserver. Anyway, I am going to show how I sent a fake mail using simple commands supported by all ESMTP servers (ESMTP = Extended Simple Mail Transfer Protocol). Here we go:

Telnet>open anisurrahman.net 25
Connecting....
Connected to anisurrahman.net
220 Welcome to anisurrahman.net ESMTP service 8.9.3
HELO Abhisek
220 Welcome to sendmail Abhisek
MAIL FROM:abhisek@fakemail.com
240 Sender set to abhisek@fakemail.com
RCPT TO:me@anisurrahman.net
240 Recipient set to me@anisurrahman.net
DATA
220 End with "."
Subject : Hello Rony

Hey whats up boss... I am sending fake mail using your SMTP service... Don't be angry on me... Sorry..
.
240 CA55910 Message accepted for delivery..

Note: Thinking what the values 240, 220 or CA55910 are? Don't think much. The values 240 or 220 are just message codes of the server. For example the server will respond with 220 for displaying a banner in here; see, all the banners have come up with 220. The server has denoted confirmation with 240 in here. It's not much important according to me. And about CA55910, it's the MSGID or Message ID; in the logs of the server this ID denotes the mail that you just sent along.

Note: This is my earnest request to each and everybody who reads this manual: please do not send any fake mail to me@anisurrahman.net and please do not use the service at anisurrahman.net. He is a very good friend of mine; I have learnt many things regarding web designing and web programming from him.

Please note: sometimes you may get a Relay Denied error on some servers. Well, I won't go into much detail about this topic cause I guess I don't have enough knowledge about it.

Bingo!! I have sent a fake mail!!! I am a hacker!!! Yes!! Well, nothing to think like that cause sending fake mails doesn't make you a hacker. Well, it has nothing to do with hacking.
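The same HELO / MAIL FROM / RCPT TO / DATA exchange, done in code instead of by hand, as an added example that is not part of this manual. The server here is a mock running on localhost (host name mail.example.test and the local domain example.test are made up), and it answers with the reply codes real mail servers use per RFC 5321: 220 banner, 250 OK, 354 "send the body", 550 for a refused recipient. It also shows where the "Relay Denied" error above comes from: a properly configured server only accepts mail addressed to its own domains, and refuses RCPT TO for anyone else, so the session stops there instead of pushing DATA.

```python
"""Minimal SMTP exchange over a raw socket against a mock server that enforces a
relay policy. Added example, not the manual's code; the host name
'mail.example.test' and the local domain are constructed."""
import socket
import threading

LOCAL_DOMAIN = "example.test"   # constructed: the only domain the mock accepts mail for
CRLF = b"\r\n"


def mock_smtp_server(listener):
    """Serve one client using RFC 5321 reply codes (220/250/354/550/221)."""
    conn, _ = listener.accept()
    f = conn.makefile("rwb")

    def reply(text):
        f.write(text.encode() + CRLF)
        f.flush()

    reply("220 mail.example.test ESMTP mock ready")
    queued, in_data = 0, False
    for raw in f:
        line = raw.rstrip(b"\r\n").decode(errors="replace")
        if in_data:                      # message body until a lone '.'
            if line == ".":
                in_data, queued = False, queued + 1
                reply("250 2.0.0 Ok: queued as MSG%04d" % queued)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            reply("250 mail.example.test Hello " + arg)
        elif verb == "MAIL":
            reply("250 2.1.0 Ok")
        elif verb == "RCPT":
            # Relay check: refuse recipients outside our own domain ("Relay Denied").
            addr = arg.split(":", 1)[-1].strip("<> ")
            if addr.lower().endswith("@" + LOCAL_DOMAIN):
                reply("250 2.1.5 Ok")
            else:
                reply("550 5.7.1 Relaying denied")
        elif verb == "DATA":
            reply("354 End data with <CR><LF>.<CR><LF>")
            in_data = True
        elif verb == "QUIT":
            reply("221 2.0.0 Bye")
            break
        else:
            reply("500 5.5.2 Command not recognized")
    conn.close()


def smtp_session(host, port, sender, recipient, body):
    """Run the same HELO/MAIL/RCPT/DATA sequence the manual types by hand and
    return [(step, reply code), ...] so you can see which step was refused."""
    s = socket.create_connection((host, port))
    f = s.makefile("rwb")

    def read_reply():
        while True:   # '250-text' continues a multi-line reply, '250 text' ends it
            line = f.readline().decode(errors="replace").rstrip("\r\n")
            if len(line) < 4 or line[3] != "-":
                return int(line[:3])

    def send(cmd):
        f.write(cmd.encode() + CRLF)
        f.flush()
        return read_reply()

    transcript = [("<banner>", read_reply())]
    for cmd in ("HELO client.test", "MAIL FROM:<%s>" % sender, "RCPT TO:<%s>" % recipient):
        code = send(cmd)
        transcript.append((cmd.split()[0], code))
        if code >= 400:              # refused: stop instead of pushing DATA anyway
            send("QUIT")
            s.close()
            return transcript
    transcript.append(("DATA", send("DATA")))
    for text in body.splitlines():   # dot-stuffing: a body line starting with '.' goes out as '..'
        f.write((("." + text) if text.startswith(".") else text).encode() + CRLF)
    transcript.append(("<end-of-data>", send(".")))
    send("QUIT")
    s.close()
    return transcript


def run_exchange(recipient):
    """Start the mock on a free localhost port and run one session against it."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    t = threading.Thread(target=mock_smtp_server, args=(listener,), daemon=True)
    t.start()
    result = smtp_session("127.0.0.1", listener.getsockname()[1], "abhisek@fakemail.test",
                          recipient, "Subject: hello\r\n\r\ntest message\r\n.line starting with a dot")
    t.join(5)
    listener.close()
    return result


if __name__ == "__main__":
    print(run_exchange("me@example.test"))          # local recipient: accepted, 250 after '.'
    print(run_exchange("someone@elsewhere.test"))   # foreign recipient: 550 Relaying denied
```

Run it and compare the two transcripts: the first walks all the way to a 250 after the final ".", the second stops at RCPT with a 550, which is exactly the Relay Denied case. The client also does the two things that are easy to forget when typing by hand: it treats "250-" lines as a continuation of one reply, and it doubles a leading dot in body lines so the server does not mistake them for the end of the message.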
Fake mails can also easily be traced down and your ISP can be found out easily. Then if the victim sends a mail to abuse@ISP.net and complains about your activity, then sorry boy, you may lose your ISP account. Anyway, try sending some fake mails to yourself and get used to telnet.

Hey guys [and gals if any], don't get excited and get going to hack with telnet, cause things are not as easy as they seem to be. I have made myself in only to the SMTP service of anisurrahman.net; I haven't yet got root on it.

Well, there are many more games which you can play using telnet. For example, you can start a raw session of IRC using telnet. I guess you all are familiar with IRC (Internet Relay Chat). You may use mIRC, Pirc etc. softwares to start an IRC session. But there you don't have to do much as the software will do things for you. Well, I think here I need to explain some basics of IRC and how IRC servers work. Well, for starting an IRC session you need to connect to an IRC server on the port running the IRC daemon. The default ports are 7000, 6667 etc. In mIRC when you wish to connect to a server the default port used is 6667. Type /server irc.dal.net [port] in the mIRC window.

Note: in place of port type the port number without []. If you leave it blank then the default port will be taken as 6667.

This command will connect to the irc.dal.net server; then by typing /join #channelname you can join any channel and start your IRC session.

Tip: Knowing the IP address or the host name of a person in an IRC session is the easiest. Just type /whois followed by the nick in the channel window and you will get his/her IP address (sometimes this IP is resolved into a host name; it depends on the server).

Now I guess you're familiar with the basic IRC commands which you can use in mIRC. Now let's come to our point, i.e. starting a raw IRC session using telnet.
Generally many IRC warfare technique writers and others have written many manuals on starting a raw IRC session using telnet, but I think they are not really intended for newbies. In here I am going to explain things in a simple, easy to understand way.

When you connect to an IRC server it authenticates you only by your username and host address and asks for a nick. While using mIRC these infos are provided by the software itself as provided by the user. But while connecting to an IRC server in raw mode, i.e. using telnet, you need to provide these infos.

Note: Some servers don't support raw IRC sessions as it is quite a bit insecure.

Now to start, telnet in to an IRC server on port 7000 or 6667.

Tip: In raw mode you don't need to give a / before commands as in mIRC.

Telnet>open irc.servername.net 6667

(Don't type the signs themselves; I have used these signs only to distinguish the commands that I have to type in to the terminal.)

You are now connected to an IRC server using telnet. You can use mIRC commands here but without the /. To send a private message the command is:

PRIVMSG NICK :MESSAGE

Now I guess you are quite familiar with the workings and usage of telnet. With telnet you can now surely use the resources of a remote computer, provided that you are allowed to access the resources.... If not... then what else but to hack into it.

Brief idea of telnet hacking (basics)

Generally telnet is used to connect to a particular daemon running on a particular port on a target system. Well, the very aim of using telnet to connect to the daemons is to get root on the system. But if you are thinking that you'll connect to the SMTP server of your ISP and will get root on your ISP's system then forget it, pal. What hackers do is first port scan the target system and find out the open ports and the daemons running on the open ports.

Note: you can use nmap.
It is a very fast and so-called SYN Stealth port scanner, available for download with source at http://www.insecure.org, but remember, if your ISP kicks your ass for port scanning their system then don't get flamed at me.

Now say you have found an open port, say port 21, running an FTP server. Well, all you need to do is to telnet in to the port. But things are not that easy and you won't get root easily: some FTP servers, or better to say 98% of the daemons running on a server, allow access only to valid users, thus asking for a user name and password. In such a case, when you're facing a username and password prompt, either you have to make the sysadmin's daughter your girlfriend and then trick her into telling you the password, or you have to play around with other methods like brute force hacking etc.

Well, another vulnerability existing on various daemons is the trust-relationship. Well, often servers authenticate a user only by his IP, considering that the server has a trust-relationship with the client and the client's IP is already in the database of trusted IPs. Now if you can spoof your IP according to one of the trusted IPs of the server then you can get yourself inside a system. Spoofing IP is a complicated subject, though apparently its definition stands as "faking the actual IP with some other". It's not really easy to spoof your IP and exploit a trust-relationship, as you have to block the trusted client with a DoS attack so that it cannot reply to the SYN/ACK packets sent by the server to it. If it receives the SYN/ACK packets from the server unexpectedly then surely it will reply with a FIN packet so as to end the connection. Anyway, I won't go into much detail about IP spoofing since it's a very complicated subject and you have to understand it thoroughly in order to execute it.

Note: Please don't get angry at me for using terms like SYN/ACK packets and FIN packets in the above paragraph if you are not familiar with them; well, they are common terms in IP spoofing.
I just came across a very good IP Spoofing manual; you can look it up: "IP Spoofing Demystified", available for download in the books section of http://blacksun.box.sk

Well, that's it for now. The second part of this manual will be up soon. If anybody of you knows about some more fun with telnet do let me know about it, or write an article yourself and I'll be glad to publish it on HC.

Abhisek Datta
http://hackersclub.focusindia.com
abhisekdatta@hotmail.com

"But did you, in your three-piece psychology and 1950's techno brain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him? I am a hacker, enter my world..." ("The Conscience of a Hacker", The Mentor)