Telnet is probably one of the most confusing things for a newbie. You see a lot of guides on it, but newbies still post questions. Hopefully this guide explains telnet well enough to cut down on the questions (although I doubt it). Okay, enough talk, let's get to it!
Telnet is a terminal emulation protocol and the client program that speaks it. Once upon a time terminals were hardwired to a console; with the rise of the PC and the Internet a standard for doing the same thing over a network was needed, so telnet was made. Nowadays telnet is pretty much obsolete as a login protocol: it sends everything, passwords included, in cleartext, so SSH is used to log in to shell accounts, and for the web you just use a browser. But a telnet client is still a good thing to know, because it opens a raw TCP connection to any port and lets you type a protocol by hand, which is what the rest of this guide does.
There are several ways to start your telnet client. On Windows 9x click Start, then Programs, then MS-DOS Prompt, and type telnet at the prompt; the GUI window that appears is your telnet screen. Or click Start > Run, type telnet and press Enter. On Windows 2000/XP you get a command-line client instead, sitting at a Microsoft Telnet> prompt. Type the following two commands at that prompt before connecting:
Microsoft telnet> set term vt100
Microsoft telnet> set localecho
Now we're ready to go. What we just did was turn on local echo and pick the terminal type. Local echo isn't working around a bug: by default a telnet client expects the remote end to echo what you type, and a service like a web server never echoes anything, so without localecho you type blind. The Windows 2000/XP client also defaults to the ANSI terminal type; vt100 is the more widely supported choice. Linux telnet clients ship ready to go. Now let's connect. Windows 9x users click Connect > Remote System, type www.google.com in the host box and 80 in the port box. Everyone else types the following (NOTE: in this part of the guide we're using the HTTP port, the port web traffic goes over. Its number is 80, and the daemon listening on it is the HTTP daemon, HTTPD):
telnet> open www.google.com 80
Now hit Connect or press Enter. You should see something like:
Trying 64.233.161.104...
Connected to www.google.com.
Escape character is '^]'.
It may look a little different. What does it all mean? 64.233.161.104 is one of Google's IPs (the name resolves to several). The line about the escape character means that pressing Ctrl+] drops you back to the telnet> prompt on your own machine while the connection stays open; typing close there closes it. You need this because most services don't react at all to quit, close, exit or kill; they only speak their own protocol, so the escape character is the only way out (Windows 9x users: the GUI client has no escape character; use Connect > Disconnect instead). By now the connection has probably timed out, so connect again. Once connected, let's try some HTTP requests. The first to learn is GET (NOTE: HTTP method names are case sensitive, so GET works and get does not; header names are not case sensitive). To issue a GET request type the following:
GET / HTTP/1.0
Now press Enter twice. The empty line is part of the protocol: it tells the server the request headers are finished, and the server won't answer until it sees it. Breaking the request down:
GET = the request method (there are many; a list follows). / = the path of the resource you want. When you type a site name into a browser (http://www.google.com/) it connects to that site and asks for /, and it's the same site with or without the trailing slash, because / is the site's home page. HTTP/1.0 = the protocol version. Any method can be used with any version; we use 1.0 here because it doesn't require a Host: header, so the request is a single line. With HTTP/1.1 you must add Host: www.google.com on the next line, or the server answers with a 400 error.
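As an added example (my own code, not part of the original guide), here is that request-building step in Python: it produces the same bytes you type into telnet, so you can see exactly where the CRLFs and the terminating blank line go, and it enforces the one rule people trip over with HTTP/1.1. The host names and ports in it are placeholders; send_request needs network access and is only there to show what telnet itself does.

```python
import socket

CRLF = "\r\n"


def build_request(method, path="/", version="HTTP/1.0", headers=None, body=b""):
    """Assemble a raw HTTP request, byte for byte what you type into telnet.

    Request line, then one 'Name: value' header per line, then an EMPTY line.
    That empty line is what tells the server the request is complete (the
    second press of Enter when typing by hand); a body, if any, follows it.
    """
    headers = dict(headers or {})
    if body and "Content-Length" not in headers:
        # the server needs this to know where the body ends
        headers["Content-Length"] = str(len(body))
    if version == "HTTP/1.1" and "Host" not in headers:
        raise ValueError("HTTP/1.1 requests must carry a Host: header (servers answer 400 otherwise)")
    lines = [f"{method} {path} {version}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return (CRLF.join(lines) + CRLF + CRLF).encode("ascii") + body


def send_request(host, port, raw_request, timeout=10):
    """What 'telnet host port' plus typing does: open a TCP connection, write
    the request bytes and read until the server closes the connection (the
    HTTP/1.0 default when no keep-alive was negotiated)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(raw_request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    req = build_request("GET", "/", headers={"Host": "www.google.com"})
    print(req.decode("ascii"), end="")
    # Needs network; uncomment to run it for real:
    # print(send_request("www.google.com", 80, req).decode("latin-1", errors="replace"))
```

The builder deliberately refuses an HTTP/1.1 request without Host:, because that is the single most common reason a hand-typed request gets a 400 back.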
Here's a list of the common request methods (every HTTP/1.1 example needs the Host: line, and every request ends with a blank line):

name      usage                                 what it does
----      -----                                 ------------
CONNECT   CONNECT host:port HTTP/1.1            asks a proxy to open a raw TCP tunnel to host:port
          Host: host:port                       (useful for getting past web filters; see below)
DELETE    DELETE /uri HTTP/1.1                  deletes the resource at /uri, if the server allows it
          Host: site.to.connect.to
GET       GET /uri HTTP/1.0                     fetches the resource at /uri
HEAD      HEAD /uri HTTP/1.0                    returns only the headers for /uri. Used for banner grabbing:
                                                reading the Server: header to identify the web server
                                                software (and sometimes the OS) running on the host
OPTIONS   OPTIONS * HTTP/1.1                    returns the methods the server supports (in an Allow: header).
          Host: site.to.connect.to              With "*" it describes the server itself, otherwise it
          -=OR=-                                describes the given /uri
          OPTIONS /uri HTTP/1.1
          Host: site.to.connect.to
POST      POST /uri HTTP/1.1                    sends data to /uri for processing. Content-Length: N says
          Host: site.to.connect.to              how many bytes follow the blank line; they may be binary
          Content-Length: N
          (blank line, then N bytes of data)
PUT       PUT /uri HTTP/1.1                     stores the data as the resource at /uri (a new page etc.)
          Host: site.to.connect.to
          Content-Length: N
          (blank line, then N bytes of data)
TRACE     TRACE / HTTP/1.1                      makes the server echo the request it received back to you,
          Host: site.to.connect.to              headers included
TRACK     TRACK / HTTP/1.1                      an alias for TRACE, only found on IIS
          Host: site.to.connect.to
Okay, now you should be able to do a lot just by using telnet to connect to a site. Let's get on to those HTTP headers I mentioned. Headers are the extra lines you add after the request line and before the blank line, and they do lots of stuff. The most useful for us is probably Connection: Keep-Alive. By default an HTTP/1.0 server closes the connection after one response; this header asks it to keep the connection open so you can send request after request without reconnecting (it isn't part of HTTP/1.0 proper, but nearly every server honours it, and in HTTP/1.1 connections are persistent by default). Let's try it:
telnet> open www.google.com 80
Trying 64.233.161.99...
Connected to www.google.com.
Escape character is '^]'.
Okay, now let's try the HEAD request combined with the Connection: Keep-Alive header (remember the blank line after it):
HEAD / HTTP/1.0
Connection: Keep-Alive

HTTP/1.0 200 OK
Cache-Control: private
Content-Type: text/html
Set-Cookie: PREF=ID=752b22c0c0526756:TM=1109357543:LM=1109357543:S=ntZTEgMD7QQDP6cP; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com
Server: GWS/2.1
Content-Length: 0
Date: Fri, 25 May 2007 18:52:23 GMT
Connection: Keep-Alive
Cool, the connection didn't drop, so now we can issue more requests without reconnecting. To keep it alive, though, we need to send the header with every request. Another common header is User-Agent, which identifies the browser and OS the client (you) is running; servers use it to pick content and to log who's asking, and it's trivially forged, as you're about to see. Here's a log of a telnet session to Google in which I issue a full request with the headers a browser would send:
telnet> open www.google.com 80
Trying 64.233.161.99...
Connected to www.google.com.
Escape character is '^]'.
HEAD / HTTP/1.0
Connection: Keep-Alive
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Charset: iso-8859-1,*,utf-8
Accept-Language: en
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040913

HTTP/1.0 200 OK
Cache-Control: private
Content-Type: text/html
Set-Cookie: PREF=ID=2e727971cb330368:TM=1109358158:LM=1109358158:S=IpSi5XsS1Eqo7hby; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com
Server: GWS/2.1
Content-Length: 0
Date: Fri, 25 May 2007 19:02:38 GMT
Connection: Keep-Alive
Okay, that was a proper request, just like your browser sends. But mostly we don't bother with all that; a Connection: Keep-Alive is enough ;). Anyway, here are some HTTP response headers you'll see:
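Added example (not from the original post): reading responses back off a keep-alive connection is where hand-typing gets confusing, because several replies arrive on the same stream and you have to know where each one ends. This Python reader splits a captured stream into individual responses using Content-Length, treats HEAD and bodiless status codes correctly, and classifies status codes by their first digit (the 1xx to 5xx ranges listed further down). The sample stream is constructed to look like the Google replies above; it was not captured from Google.

```python
import io


def read_response(stream, head_request=False):
    """Read exactly ONE HTTP response from a byte stream that may carry several
    back to back (a keep-alive connection).  Returns a dict, or None at end of
    stream.  head_request=True means the request was HEAD, whose response has
    headers (Content-Length included) but never a body."""
    status_line = stream.readline()
    if not status_line:
        return None
    parts = status_line.decode("latin-1").rstrip("\r\n").split(" ", 2)
    version, status = parts[0], int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    while True:
        line = stream.readline()
        if line in (b"\r\n", b"\n", b""):
            break                                        # blank line ends the headers
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()    # header names are case-insensitive
    if head_request or status // 100 == 1 or status in (204, 304):
        body = b""                                       # these carry no body by definition
    elif "content-length" in headers:
        body = stream.read(int(headers["content-length"]))
    else:
        # No length: the body runs until the server closes.  Fine for a single
        # HTTP/1.0 exchange, but then no further response can follow on the stream.
        body = stream.read()
    return {"version": version, "status": status, "reason": reason,
            "headers": headers, "body": body}


def read_all_responses(raw, head_request=False):
    """Split a captured keep-alive stream into its individual responses."""
    stream, out = io.BytesIO(raw), []
    while True:
        resp = read_response(stream, head_request)
        if resp is None:
            break
        out.append(resp)
    return out


def status_class(status):
    """Meaning of the first digit of a status code."""
    return {1: "informational", 2: "success", 3: "redirection",
            4: "client error", 5: "server error"}.get(status // 100, "unknown")


# Constructed sample: what one keep-alive session could return to
# 'GET / HTTP/1.0' (200, tiny body) followed by 'GET /nope HTTP/1.0' (404).
SAMPLE_STREAM = (
    b"HTTP/1.0 200 OK\r\nServer: GWS/2.1\r\nContent-Type: text/html\r\n"
    b"Content-Length: 13\r\nConnection: Keep-Alive\r\n\r\n<html></html>"
    b"HTTP/1.0 404 Not Found\r\nContent-Type: text/plain\r\n"
    b"Content-Length: 11\r\nConnection: close\r\n\r\nnot found!\n"
)

if __name__ == "__main__":
    for r in read_all_responses(SAMPLE_STREAM):
        print(r["status"], r["reason"], status_class(r["status"]), r["body"])
```

The HEAD special case matters in practice: Google's reply above says Content-Length: 0, but a HEAD response for a real page reports the length the GET body would have, and a reader that waits for those bytes hangs forever.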
name                what it means
----                -------------
Accept-Ranges       the server will accept partial requests (a Range: header) for the resource
Age                 how many seconds ago the response was generated at the origin server, as
                    estimated by the cache that served it
ETag                Entity Tag: an opaque version identifier for the resource. The browser sends it
                    back (If-None-Match) to ask whether its cached copy is still current; it's a
                    strong validator where Last-Modified timestamps are not
Location            the URI to go to; sent with 3xx redirects (and with 201 Created)
Proxy-Authenticate  a challenge from a proxy saying which authentication it wants; the client
                    answers with a Proxy-Authorization: header carrying the credentials
Referer             (a request header, not a response header) the URI the request was generated
                    from. The client sets it, so it must never be relied on for security decisions
Server              identifies the server software, and sometimes the OS and modules. Often changed
                    or stripped by admins to blunt unsophisticated, banner-driven attacks
Vary                lists the request headers the response depends on, so caches don't serve one
                    client's version of a page to another
WWW-Authenticate    a challenge asking the client to authenticate (sent with 401); the client answers
                    with an Authorization: header
So now you know what the stuff in the server's reply means. You may wonder what the "HTTP/1.0 200 OK" means. The 200 is the status code and OK is its reason phrase; 200 means success. Here's what the ranges mean:
1xx: informational; the request was received and the server is still working on it (100 Continue, 101 Switching Protocols). Rarely seen when typing by hand
2xx: the request succeeded
3xx: redirection; the document has moved, and the Location: header says where
4xx: client side error (an error on your end: malformed request, not found, forbidden)
5xx: server side error
The two most common status codes are 200 OK (you get this every time the request works and you retrieve the page) and 404 Not Found (you asked for a path that doesn't exist, a bad link, etc.).

Now that you know a good deal about HTTP and port 80 in general, let's discuss the most common use of all this: proxy tunneling. Have you ever been at school, tried to show a friend a cool website and found it blocked for some bogus reason? Wouldn't you like to get around that web content filter? Well, you can. The first thing to do is open Internet Explorer and click Tools > Internet Options > Connections > LAN Settings (or something similar). You should see something like 'Address: webproxy Port: 80'. That's the address of the web proxy the school makes you pipe all your requests through.

But what if it won't let you into the Tools menu? Then open a shell (use your imagination on how; later I'll write a paper on getting command line access when you're not supposed to have it ;) and type netstat -n at the prompt. You should get a list of connections, and one of them will look something like this:
10.1.44.5:80 ESTABLISHED
The IP won't be the same at your school as at mine, but it doesn't matter. The important part is what comes after the colon: that's the port number, and here it's the standard HTTP port (80). If you don't see one with port 80, look for 8080, another common proxy port (3128 is common too). If you're absolutely stumped you can telnet to each port of each foreign address on the netstat -n screen and issue a HEAD request; when one answers with an HTTP reply, you've found the proxy. Now that we've identified the web proxy, let's tunnel out. After connecting to it, issue the following:
CONNECT www.blockedsite.com:80 HTTP/1.1
Host: www.blockedsite.com:80

Then press Enter twice. Note that CONNECT takes host:port, not a URL; the proxy just opens a TCP connection to that host and port and from then on copies bytes in both directions without looking at them. You should see "HTTP/1.1 200 Connection established" from the proxy, and boom, everything you type now goes straight to www.blockedsite.com. Send a normal request (GET / HTTP/1.1, then Host: www.blockedsite.com, then a blank line) to get the HTML source of the page, copy it into Notepad, save it as a .html file, open My Computer and double-click the file to view the site as you normally would. When you want to follow a link (say it's called 'hacking'), reconnect to the proxy, tunnel out again and request the source of that link (for instance GET /hacking HTTP/1.1 with the Host: header). There, now that annoying web filter can't stop us!

Two caveats: if the proxy answers 407 Proxy Authentication Required it wants a Proxy-Authorization: header with your credentials first, and a lot of proxies only allow CONNECT to port 443 (HTTPS). If you get a 403 for port 80, try www.blockedsite.com:443 instead, though then the other end expects SSL rather than plain text and telnet alone won't do.

Of course we can connect to any port on a computer, not just 80. So let's look at another of my personal favourites, port 25 (SMTP). Port 25 is the port used to send email; the daemon on it speaks the Simple Mail Transfer Protocol (the SMTP daemon, SMTPD). With this port we can do lots of cool stuff, including:
1) verifying user accounts on the system
2) performing a banner grab to determine the software and OS running on the system
3) sending forged email
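Going back to the CONNECT tunnel from a few paragraphs up: here is the same exchange as an added Python example (mine, not from the guide), with both sides shown. The proxy and the "blocked" site are constructed stand-ins running over a local socket pair, so nothing leaves your machine; www.blockedsite.com, the allowed port list and the 403 behaviour are assumptions for the demo. The client half (fetch_via_tunnel) is the part you would point at a real proxy.

```python
import socket
import threading


def read_head(rfile):
    """Read a status line plus headers up to the blank line -> (status, headers)."""
    status_line = rfile.readline().decode("latin-1").rstrip("\r\n")
    if not status_line:
        raise ConnectionError("peer closed the connection")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    while True:
        line = rfile.readline()
        if line in (b"\r\n", b"\n", b""):
            break
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def fetch_via_tunnel(proxy_sock, target_host, target_port, path="/"):
    """Client side: CONNECT, check the proxy's answer, then talk to the target.
    One buffered reader lives for the whole socket so that bytes it pre-fetched
    are never lost between the proxy phase and the target phase."""
    rfile = proxy_sock.makefile("rb")
    # CONNECT takes host:port, not a URL; the proxy just opens a TCP connection.
    proxy_sock.sendall(
        f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
        f"Host: {target_host}:{target_port}\r\n\r\n".encode("ascii"))
    status, _ = read_head(rfile)
    if status == 407:
        raise PermissionError("proxy wants credentials (Proxy-Authorization:)")
    if status != 200:
        raise PermissionError(f"proxy refused CONNECT to {target_host}:{target_port}: {status}")
    # From here on the proxy copies bytes blindly; this GET reaches the target.
    proxy_sock.sendall(
        f"GET {path} HTTP/1.1\r\nHost: {target_host}\r\nConnection: close\r\n\r\n".encode("ascii"))
    status, headers = read_head(rfile)
    return status, headers, rfile.read(int(headers.get("content-length", 0)))


def fake_proxy(sock, allowed_ports):
    """Constructed stand-in for the school proxy.  It tunnels only to ports in
    allowed_ports (real proxies are often limited to 443) and, to keep the demo
    self-contained, also plays the target web server behind the tunnel."""
    rfile = sock.makefile("rb")
    request_line = rfile.readline().decode("latin-1").rstrip("\r\n")
    while rfile.readline() not in (b"\r\n", b"\n", b""):
        pass                                             # drain the request headers
    method, target, _ = request_line.split(" ", 2)
    host, _, port = target.rpartition(":")
    if method != "CONNECT" or not port.isdigit() or int(port) not in allowed_ports:
        sock.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
        sock.close()
        return
    sock.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    rfile.readline()                                     # the tunnelled GET line
    while rfile.readline() not in (b"\r\n", b"\n", b""):
        pass
    body = b"<html>hello from " + host.encode("ascii") + b"</html>"
    sock.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body) + body)
    sock.close()


def demo(target_port=80):
    """Run client and fake proxy over a local socket pair (no network needed)."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_proxy, args=(server, {80, 443}), daemon=True)
    worker.start()
    try:
        return fetch_via_tunnel(client, "www.blockedsite.com", target_port)
    finally:
        client.close()
        worker.join(timeout=5)


if __name__ == "__main__":
    print(demo())            # tunnel to :80 is allowed by the toy proxy
    try:
        demo(25)             # tunnel to :25 is refused with 403
    except PermissionError as e:
        print(e)
```

The refusal path is worth running once: it is exactly what a real proxy that only tunnels port 443 does, and the 403 comes from the proxy, not from the site you were trying to reach.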
Now the most exciting one for you right now is probably sending forged email. Haven't you ever wanted to send someone an email under a fake name? Well, it's pretty easy to do. The first thing to do is connect to a mail server on port 25 (NOTE: because most sysadmins don't like people abusing their mail servers to send fake email, I'm not using any real mail servers in this section; you'll have to find some on your own [well, I'll tell you in a minute how to find a mail server]. Also, don't even consider using hotmail.com or gmail.google.com or another big company for this purpose. If you do, you will get into deep dark shit, period). The hard part is finding a mail server to connect to, but there are ways. First type nslookup at the prompt, then type "set type=mx" so it asks only for mail exchanger (MX) records. Now consider your friend's email address. It is split into two parts, the user name and the host. Say you want to send a fake email to buddy@yahoo.com; then we know we want the mail server for yahoo.com, on port 25 (NOTE: that warning I gave earlier was just my attempt at getting you to read the part on nslookup. You can relax now :). But seriously, please don't use the EXPN and VRFY commands! They get logged as suspicious, and most servers refuse them anyway). So now type "yahoo.com" (no quotes). See all those entries? An entry like mx1.yahoo.com is a mail server. Generally anything named mail.example.com or mx.example.com is a mail server, but the MX records are the authoritative answer.
NOTE: for those of us on Linux, the same "set type=mx" works in the BIND nslookup too; or skip the interactive mode and run "dig MX yahoo.com", which prints just the mail exchangers.
Okay, so now we know the mail server. Time to fire up telnet, this time pointed at port 25.
NOTE: there's an even easier way to telnet. Just open up a shell and type "telnet www.site.com XX", where www.site.com is a hostname or IP and XX is the port number to connect to.
So to telnet to the mail server using our new method we'd type the following at the prompt: telnet mx1.yahoo.com 25
Yay, now we're connected. The cool thing about the SMTP daemon is that you can ask it for help (unlike the HTTPD). For this paper I set up a sendmail server on my home LAN (it's not connected to the Internet!!). Sendmail has had more than its share of bugs and is one of the most talkative daemons. It isn't as common as it used to be, but look around and you may still find one. After connecting we see something like:
220-localhost.localdomain sendmail 8.6.12/8.9.6 ready at Fri, 25 May 2007 19:34:53 GMT
220 ESMTP spoken here
What is all this? It's the daemon banner. It tells us what software and version the server is running, and with a little hunting on Google that can narrow down the OS too. Okay, let's ask it for help:
HELP
214- Commands:
214- HELO HELO MAIL RCPT DATA
214- RSET NOOP QUIT HELP VRFY
214- EXPN VERB
214- for more info use "HELP
214- to report bugs
214- for
214- end of help info
There, now we know what commands are available. I snipped the output of the second and third to last lines because I felt like it :). Okay, here again are the commands along with what they do:
SMTP command   what it does
------------   ------------
HELO/EHLO      greets the server (EHLO is the extended form; the server answers with the extensions it supports)
RCPT           RCPT TO:<address> specifies a recipient of the mail (repeat it for several)
MAIL           MAIL FROM:<address> specifies the envelope sender of the mail (this is the part you can forge)
DATA           starts the body of the email; it ends with a line containing only a single "."
VERB           turns on verbose mode (sendmail only)
EXPN           expands an email alias to its full list of recipients
VRFY           verifies that an account exists
HELP           displays a help message
QUIT           exits the server
NOOP           does nothing
RSET           aborts the current mail transaction and starts over
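As an added example of the SMTP dialog (my code, not from the original or from sendmail), here are both ends of the conversation in Python over a local socket pair: a client that walks through EHLO, MAIL, RCPT, DATA and QUIT, checking each reply code and handling multi-line replies and dot-stuffing, and a toy server that answers the way a hardened MTA does (VRFY/EXPN get a 252). The host names, addresses and the mailbox are constructed for the demo. Note how the envelope sender given in MAIL FROM and the From: header inside the message are two different things; that is the forged email trick in one line.

```python
import socket
import threading


def read_reply(rfile):
    """Read one SMTP reply.  Replies can span lines: '250-text' means more lines
    follow, '250 text' (space after the code) is the last one -> (code, texts)."""
    texts = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("latin-1").rstrip("\r\n")
        texts.append(line[4:])
        if line[3:4] != "-":
            return int(line[:3]), texts


def command(sock, rfile, cmd, ok_codes):
    """Send one command (None = just read the greeting) and insist on a good code."""
    if cmd is not None:
        sock.sendall((cmd + "\r\n").encode("ascii"))
    code, texts = read_reply(rfile)
    if code not in ok_codes:
        raise RuntimeError(f"{cmd!r}: expected {sorted(ok_codes)}, got {code} {texts[-1]}")
    return code, texts


def send_mail(sock, helo_name, envelope_from, envelope_to, message):
    """The dialog from the table above.  The envelope sender (MAIL FROM) and the
    From: header inside DATA are independent, which is why forging is trivial."""
    rfile = sock.makefile("rb")
    command(sock, rfile, None, {220})
    _, ehlo = command(sock, rfile, f"EHLO {helo_name}", {250})
    command(sock, rfile, f"MAIL FROM:<{envelope_from}>", {250})
    command(sock, rfile, f"RCPT TO:<{envelope_to}>", {250, 251})
    command(sock, rfile, "DATA", {354})
    # Dot-stuffing: a message line that starts with '.' gets a second '.',
    # because a line holding only '.' is what ends the DATA phase.
    stuffed = "\r\n".join("." + l if l.startswith(".") else l for l in message.splitlines())
    _, texts = command(sock, rfile, stuffed + "\r\n.", {250})
    command(sock, rfile, "QUIT", {221})
    return texts[-1], ehlo


def fake_smtp_server(sock, mailbox):
    """Constructed sendmail-like server: multi-line EHLO reply, VRFY/EXPN refused
    with 252 (the usual hardened default, since they enable user enumeration),
    accepted messages appended to mailbox as (envelope, text)."""
    rfile = sock.makefile("rb")

    def say(text):
        sock.sendall((text + "\r\n").encode("ascii"))

    say("220 mail.example.test ESMTP ready")
    envelope = {"from": None, "to": []}
    while True:
        line = rfile.readline().decode("latin-1").rstrip("\r\n")
        if not line:
            break
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            say("250-mail.example.test greets " + arg); say("250-SIZE 10240000"); say("250 HELP")
        elif verb == "MAIL":
            envelope["from"] = arg.split(":", 1)[1].strip("<>"); say("250 OK")
        elif verb == "RCPT":
            envelope["to"].append(arg.split(":", 1)[1].strip("<>")); say("250 OK")
        elif verb == "DATA":
            say("354 End data with <CR><LF>.<CR><LF>")
            lines = []
            while True:
                raw = rfile.readline()
                l = raw.decode("latin-1").rstrip("\r\n")
                if not raw or l == ".":
                    break
                lines.append(l[1:] if l.startswith(".") else l)   # undo dot-stuffing
            mailbox.append((dict(envelope), "\n".join(lines)))
            say("250 OK: queued")
        elif verb in ("VRFY", "EXPN"):
            say("252 Cannot VRFY user; try RCPT to attempt delivery")
        elif verb == "QUIT":
            say("221 Bye"); break
        else:
            say("500 Command unrecognized")
    sock.close()


def demo():
    """Forge a message from 'buddy@yahoo.com' through the toy server, locally."""
    client, server = socket.socketpair()
    mailbox = []
    worker = threading.Thread(target=fake_smtp_server, args=(server, mailbox), daemon=True)
    worker.start()
    message = ("From: Buddy <buddy@yahoo.com>\r\nTo: victim@example.test\r\n"
               "Subject: hi\r\n\r\nhello\r\n.this line starts with a dot")
    try:
        reply, ehlo = send_mail(client, "my-laptop", "nobody@example.org",
                                "victim@example.test", message)
    finally:
        client.close()
        worker.join(timeout=5)
    return reply, ehlo, mailbox


if __name__ == "__main__":
    print(demo())
```

Look at what lands in the mailbox: the envelope records nobody@example.org as the sender because that is what MAIL FROM said, while the text the recipient reads says From: Buddy. Real servers stamp the envelope sender and the connecting IP into Received: headers, which is how forged mail gets traced back; this toy does not.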
