Banner Grabbing and Emailing via Telnet

logo

Telnet is a old network protocol which has been around longer then the internet. It was created for the purpose of remote access for network resources. It sends its data in plain text and is therefore highly insecure. Nowadays it has largely been replaced by the encrypted Secure Shell (SSH). Telnet can however be a useful tool for debugging purposes.

Other protocols which were developed in the early days of the Internet is also quite insecure, because their details is send in plain text as well. Known protocols such as HTTP, FTP, SMTP all does this. This does also mean that there is nothing stopping you from using Telnet to communicate via these protocols. It might be impractical – but in a debugging situation, it is nice to be able to fire up telnet and, for instance, check if you mail server is responding correctly.

This tutorial will show how to do Banner Grabbing and how use telnet to send an email via the SNMP Protocol. Since the default telnet client in Windows has been disabled since Windows Vista, the first thing you got do is enable it.

 

Banner Grabbing with telnet

Telnet can be uses to get information about a server. By sending a request via telnet to an open port on the server, it will give back relevant information about itself. This information can be OS, services and application versions. From an intruder’s point of view, this information can be used to find systems running OS or services with known exploits. this is also known as Banner Grabbing

Note that when using Windows Telnet client there is no cursor caret, so you will not be able to see what you are typing. Furthermore, you needed to execute your command by hitting the Enter key twice. This tutorial can also be done with software such as Putty, which is a little easier to navigate.

1. Open a command prompt and type the following commands one by one followed by pressing Enter


telnet ifconfig.dk 80
HEAD / HTTP/1.0

bannergrabbing

What we did was telnet to the server, which hosts ifconfig.dk on port 80. Then send a HEAD request to get a HTTP header from the server. Here we can see it is running Apache 2.2.16 on a Debian OS. For the fun of it, let’s try requesting the site itself.

2. Type the following commands one by one followed by pressing Enter


telnet ifconfig.dk 80
GET / HTTP/1.1
Host: ifconfig.dk

bannergrabbing2

Again we telnet to the server hosting ifconfig.dk on port 80. But this time we use the GET command, also we define that it’s the host ifconfig.dk we are requesting. I spared you for a bunch of HTML, but it is there.

 

Sending mails via telnet

First we need to find the name of the mail server. This can be done with the tool nslookup.

1. Open a command prompt and type the following commands one by one followed by pressing Enter


nslookup
set type=mx
gmail.com

nslookup_edited

Here we defined that we would like to see the MX records for the domain google.com. This means the mail servers used for the domain. They are defined by priority where the lowest number means the highest priority. For this tutorial, we will use the mail server address alt1.gmail-smtp-in.l.google.com.

2. Type the following commands one by one followed by pressing Enter


Telnet alt1.gmail-smtp-in.l.google.com 25
helo mx.google.com
mail from:<tets@test.com>
rcpt to:<mads.hegelund@gmail.com>
data
subject: testmail
This is just a test
.

telnetMail_edited

What we just did was to telnet to one of googles mailservers on port 25, which is the port SMTP uses. We greed the server helo, and it responds at your service. Then we tell the server what mail address the mail is coming from and which address to send it too. The server responds OK. Then we tell the server we would like to input data – it responds Go ahead. We enter the text for the mail and finally sends the mail with a . Let’s check our mailbox and see if we received the mail.

telnetmail2_edited

Credit goes here and here.

Share Button

Comments

comments

Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *