Home | Articles | About | Contact | Forum |
Friday, October 18, 2019

Lunarpages.com Web Hosting

Mailing List

By Joining the mailing list you will be notified of site updates.

Show Your Support For
This Site By Donating:

Audience: Newbies - Self Leaners
Last Updated: 03/21/2011 1:50 AM
Original Creation Date: 2/05/04 3:51 AM
**All times are EST**

Telnet Hacking Part 2

By Erik Rodriguez

I am not responsible for misuse of this information.

This article describes how telnet servers are used as resources for hacking.


If don't know what telnet is here. The content of this article is based on this concept. Most telnet servers give you the ability to "telnet out." This means that you are using the telnet server as an access point to reach your destination or target.

Remember that telnet can run on all different devices. Regular Windows boxes like 2000 & XP both have telnet pre-installed as a service. Linux boxes can run telnet or SSH. Most servers are now using SSH instead of telnet because it is more secure. In my opinion, the best source for telnet "hopping" is a router or switch. This is because routers and switches are usually not monitored as closely as servers or workstations. The logging system of a server can be complicated. In some cases, logging systems can span across multiple machines and backup devices on a network. Generally, there is a much greater chance someone will notice you logged into a server than a router or switch. All high-end routers like Cisco, 3com, Nortel and even some lower-end products run telnet. The easy way to find these devices is to port scan. If you conduct a scan of a network and find port 23 active, it's a telnet server.

Telnet Capabile Devices

From the results of my research I found a somewhat popular modem/router combination that runs a telnet server with a huge security issue. They are produced by a company called Netopia. I have owned a few of their products at one time or another over the years. Even worse than the default Linksys passwords, these routers are shipped from the factory with NO PASSWORD PROTECTION AT ALL. These models run without passwords by default:

Click For Images

Cayman DSL modem/router*
Netopia R910 modem/router

*Cayman is a product line of Netopia.

The Cayman model is slightly better than the Netopia model because it offers a full CLI (command line interface). The netopia is menu-driven but still offers most of the features the Cayman does. If you are wondering how you would ever find one with the number of people using broadband, its basically the luck of the draw. Randomly scanning IP's to find such devices can take a while. However, if you find one or two, you may be able to find more. These are generally 2 or 3 times the price of the more commonly used equipment. Someone using one of these devices may have received it from their ISP as a part of a service agreement. This means there may be more on the same IP range. Believe me when I say plenty of them are password protected because some cable/DSL companies have realized this and sent notices to their customers. Although, with the size of the Internet there are still plenty open devices out there.

Now What?

The idea behind using a telnet server to connect to other systems is to hide your real IP address. The IP addresses used in this article are not real, but still represent the concept accurately. If you connect to your target (, the address logged would be the telnet server (, not your real IP address ( Remember, the more telnet servers you hop through, the better. Using 1 telnet server does next to nothing because your ISP most likely has a record of what telnet sessions you have connected to and could make a match from both ends. Believe me you would be surprised what your ISP can find out. Some say that they only track your bandwidth usage, but with Carnivore working at most ISP's they can dig up almost anything. The safest way to connect to devices is to establish a connection to an SSH server first. From there, any connections made from an SSH server would be undetectable by an ISP because SSH uses secure channels. Your ISP would only be able to tell that you were connected to an SSH server, and not what you were actually doing with that server. High-profile hacks are very complicated and can span across multiple devices (as many as hundreds) making it impossible to track the source IP address. Often times a hacker will use a dial-up account (that isn't theirs) or a public location, hop through telnet devices and make their attack. The image below shows a digram of the connections I discussed above.

Public Telnet Servers

There are public telnet servers available for many different reasons. Some are for chatting, news, email, etc. They are not as common now because we have better ways of doing things now (HTTP, FTP, AIM, etc). Most of the public servers will not allow you to telnet out. However, there are still some out there. I have found a few route-servers that allow you to telnet out. Although, using a route-server is a really bad idea because an ISP has the ability to log EVERYTHING! Some route-servers even advertise the fact that they log everything.


Remember that all these devices have logging capabilities. Logs are the easiest way to track someone. However, a good hacker will know how to manipulate or clear the logs to "clean up." Also, using a telnet device to remotely access a target is not the same as a DoS attack. While they are both viewed as malicious activity, they are not synonymous. For information on DoS attacks click here.

Juniper SRX anti-spam filtering config
Windows Server 2008 Clustering Configuration
Windows 2008 R2 Network Load Balancing (NLB)
Extreme Networks: Downloading new software image
Juniper SRX save config to USB drive
Juniper SRX logout sessions
Extreme Networks Syslog Configuration
Command line drive mapping
Neoscale vs. Decru
Data Security vs. Data Protection
Juniper SRX Cluster Configuration
HOWTO - Create VLAN on Extreme Switch
Using a Non-local Colocation Facility
Linux Server Administration
IT Chop Shops
Flow Viewers: SFLOW, NetFLOW, and JFLOW
Exchange 2007 Back Pressure
IPtables open port for specific IP
Politics in IT Departments
HOWTO - Block Dropbox
Cisco IOS Cheat Sheet
Subnet Cheat Sheet
Design a DMZ Network
How DNS works
Firewall Configuration
Juniper SSG Firewalls
Server Management
Configuring VLANs
Runlevels in Linux
Server Clustering
SONET Networks
The Red Hat Network
Server Colocation
Complicated Linux Servers
Dark Fiber
Data Center Network Design
Firewall Types
Colocation Bandwidth

Copyright © 2002-2016 Skullbox.Net All Rights Reserved.
A division of Orlando Tech Works, LLC
By using this site you agree to its Terms and Conditions.
Contact Erik Rodriguez