telnetrecon project
advanced telnet server fingerprinting
"telnetrecon is currently under development. Please check the news section or subscribe to the rss feed to get the latest news from the project." - Marc Ruef, telnetrecon Project Maintainer


Telnet is a traditional tcp service which is served by default on port 23. The initial specification is defined in RFC 854. Telnet stands for terminal emulation over a network. This means an user will be able to connect to a terminal remotely. This makes it possible to remote-conrol a server within the command-line.

The given implementations rose the need for further possibilities. This required the introduction of telnet options. The server and the client should be able to negotiate which techniques and features should be used and which should not. The negotiation of options are used by the keywords WILL, WONT, DO and DONT.

telnetrecon uses the following technique of fingerprinting the given telnetd implementation. After connecting to a host the server responds with the option demands and requests. These are dissected and compared to the values within the fingerprinting database. As more matches could be found as higher is the accuracy of the mapped fingerprint.

For example the following is the negotiaton the telnet server implementation on a Microsoft Windows XP sends back:

%'

Those characters will be translated to their ASCII representation which is easier to analyze and compare them. This will generate the following fingerprint string:

255-253-37-255-251-255-251-255-253-92-39-255-253-255-253-255-251

The different demands are dissected by the IAC data byte 255. Then follows the requirement. The first requirement is introduced with the symbol 253 which stands for the option code DO. The requirement itself is 37 which stands for "Authentication Option" as it is discussed in RFC 2941. Afterwards follows another 255 which introduces 251 which stands for the option code WILL. This indicates the desire to begin performing, or confirmation that you are now performing, the indicated option. And so on.

The currently known implementations of telnet fingerprinting, primarily telnetfp by Team Teso, is using a strong identification mechanism. This means the tool is gathering the telnet option negotiation and compare it to the known strings. The identification is only successful if the collected strings are identical. This is the easiest approach which does not require real measurement of fingerprint hits.

However, this introduces the possibility of missing some partially known implementations. For example if a well-known server has been configured to announce RSA (authentication type 6) instead of KERBEROS_V5 (type 2). This is the reason why telnetrecon uses a more modular approach which was already introduced in httprecon. The different negotiation aspects are handled seperately. This makes it possible to provide the accuracy of not exactly matching fingerprint scans.

For further details on telnet fingerprinting see the following documents:
- http://www.iana.org/assignments/telnet-options
- http://www.sans.org/resources/idfaq/fingerp_telnet.php
- http://md.hudora.de/presentations/2002-12-29-fingerprinting-21c3.pdf
- http://www.securiteam.com/tools/6J00L0K06U.html