Telnet Attacks – Ways to compromise remote connection

In this article I am going to explain some of the reasons why we should switch from Telnet to SSH to make our device management secure.

But first, a few words about Telnet.

More than once we have been in a situation where we needed to configure a couple of switches and routers at the same time. More precisely, almost every time we configure or troubleshoot, we have to work on several devices at the same time.

Of course, we don't want to move the console cable to another switch every time we want to run a show command on it.

We want to be able to connect to all the devices at the same time and then just use multiple command prompts, one for each device. This way we are faster in the troubleshooting process and we can carry out configuration steps without losing time moving the console cable. Furthermore, we have a better overview of the configuration as we run troubleshooting commands, and we can easily compare different configurations just by opening two command prompts next to each other.

But what protocol do we use for this kind of operation? Telnet? Really? Are you sure?

To get rid of all the attacks mentioned below, just use SSH instead. More and more new boxes do not even support the Telnet protocol anymore (F5 devices, for example).

Telnet Attacks

Telnet attacks are:

  • Telnet communication sniffing
  • Telnet brute force attack
  • Telnet DoS – Denial of Service

Telnet communication sniffing

This article is all about Telnet and the attacks that are mostly directed at its functionality. The biggest security issue in the Telnet protocol is surely the lack of encryption. Every communication from the remote device to the networking device that we are configuring is sent in plain text. Of course, that is a big security issue, and wherever we use Telnet we are making our commands vulnerable to frame sniffing. An attacker can easily see what we are configuring on that device, and furthermore he can see the password that we used to connect to the device and enter configuration mode.

For this reason Telnet is used today only in closed lab environments, because it is simpler to configure Telnet than SSH. In all other environments SSH is used as the default these days. By using SSH instead of Telnet we have in a way solved the biggest security issue, but this doesn't mean that we should not speak about other attacks that can be used to compromise Telnet.

Telnet brute force attack

The Telnet protocol can be used by an attacker to gain remote access to a Cisco network switch, or to other vendors' devices too, of course. If we configure a login password for the vty lines and set the lines to require password authentication before granting access to the switch, we are still not secure. This vty password on the Telnet lines provides only an essential and basic level of security to help protect the switch from unauthorized access. However, it is not a secure method of securing access to the vty lines. There are a lot of tools available that are able to launch a brute force password cracking attack against the vty lines on the switch.
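As an added example (not code from the original article), the following Python sketch audits the vty lines of a running-config for the two weaknesses described above: Telnet allowed as a transport, and a shared line password as the only authentication. The sample config and the function names `vty_blocks` and `audit_vty` are constructed for illustration, and the access-class check goes slightly beyond the text.

```python
import re

# Constructed running-config fragment (sample input, not from the article).
SAMPLE_CONFIG = """\
hostname LAB-SW1
line vty 0 4
 password cisco123
 login
 transport input telnet
line vty 5 15
 login local
 transport input ssh
 access-class 10 in
!
end
"""

def vty_blocks(config):
    """Yield (header, sub-commands) for every 'line vty' block."""
    header, body = None, []
    for raw in config.splitlines():
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
            continue
        if header is not None:
            yield header, body
        header, body = (raw.strip(), []) if raw.startswith("line vty") else (None, [])
    if header is not None:
        yield header, body

def audit_vty(config):
    """Return {vty header: [findings]} for the weaknesses the article describes."""
    report = {}
    for header, body in vty_blocks(config):
        findings = []
        transport = next((c for c in body if c.startswith("transport input")), None)
        # Assumption: a missing 'transport input' is flagged too, because the
        # default differs between IOS releases and may still allow Telnet.
        if transport is None or re.search(r"\b(telnet|all)\b", transport):
            findings.append("telnet permitted: password and commands travel in plain text")
        if "login" in body and "login local" not in body:
            findings.append("shared vty password only: no per-user accounts")
        if not any(c.startswith("access-class") for c in body):
            findings.append("no access-class: any source can reach the login prompt")
        report[header] = findings
    return report

if __name__ == "__main__":
    for header, findings in audit_vty(SAMPLE_CONFIG).items():
        print(header, "->", findings or "ok")
```

A block that comes back with an empty list uses `transport input ssh`, `login local` and an `access-class`, which is the shape the vty configuration should have once Telnet is retired.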

What is Brute Force Password Attack?

A brute force password attack starts with the attacker using a list of common passwords and a program designed to try to establish a Telnet session using each word on the dictionary list. You can imagine the attacker sitting at the computer all day and trying to guess your switch or router password. He is too smart to do this. Instead he has the programming skills to write a program that does this for him, maybe hundreds of times faster. He simply tells the program to use an English dictionary and try all the words in it. If you use the word “bird” for your Telnet access, the program will need a couple of seconds to get to this word in the dictionary and try it on the Telnet connection. (First it will try all the words that begin with A, then B and so on…).

Luckily, you are smart enough not to use a dictionary word, so you are safe for now just by using a password like this: “p@ssw0rd”. Treat this as good practice: do not use dictionary words for your passwords, and use a combination of letters, numbers, and other signs to build a strong password. Just don't make it so complicated that even you will forget it.

In the second phase of a brute force attack, the attacker uses a program that creates sequential character combinations in an attempt to “guess” the password. Given enough time, a brute force password attack can crack almost all passwords used. Let's put it this way: the first word is the letter A, then B, then C, and when all the letters have been tried the program tries AA, then AB, then AC… and in this manner it will eventually try all the words that exist and all the combinations of letters, numbers and signs that you can possibly make.
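Both phases described above produce the same signal on the device: many failed logins from one source in a short time. The following added example (not from the original article) detects that pattern in syslog lines with a sliding window. The log lines are constructed, their layout is modelled on the IOS login-failure message and is an assumption, and `failed_line`, `detect_guessing` and the threshold values are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def failed_line(ts, src):
    """Build one constructed log line (layout assumed, see lead-in)."""
    return (f"{ts} sw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
            f"[Source: {src}] [localport: 23] [Reason: Login Authentication Failed]")

# Constructed sample: one admin mistyping twice, one source guessing every 2 s.
SAMPLE_LOG = (
    [failed_line("2024-01-15T09:00:00", "198.51.100.7"),
     failed_line("2024-01-15T09:10:00", "198.51.100.7")]
    + [failed_line(f"2024-01-15T10:00:{s:02d}", "192.0.2.50") for s in range(0, 12, 2)]
)

FAILED = re.compile(r"^(\S+) \S+ %SEC_LOGIN-4-LOGIN_FAILED: .*?\[Source: ([^\]]+)\]")

def detect_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {source: time of first alert} for every source that reaches
    `threshold` failed logins inside a sliding `window`."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    alerts = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # not a login failure, ignore
        when, source = datetime.fromisoformat(m.group(1)), m.group(2)
        q = recent[source]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # drop failures that aged out of the window
        if len(q) >= threshold and source not in alerts:
            alerts[source] = when
    return alerts

if __name__ == "__main__":
    for source, when in detect_guessing(SAMPLE_LOG).items():
        print(f"possible password guessing from {source}, alert at {when}")
```

On Cisco IOS the device itself can enforce a similar threshold with `login block-for`, and `login on-failure log` is what makes it emit these messages.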

DoS Attack

Another type of Telnet attack is the DoS (denial of service) attack. A DoS attack in general is simply a way to disrupt the communication between two network devices by using all the bandwidth that their connection has to offer. To do so, the attacker sends many useless and irrelevant data frames and in this manner suffocates the connection. Genuine communication will not be able to get across this connection and will not function. This sort of attack can also be used to prevent network administrators from telnetting into their devices.
