DO NOT SEND YOUR PASSWORT WITH TELNET!

people might capture those unencrypted passwords on backbone-level… the NSA is the largest state-sponsored hacking organization on this planet.

with telnet you can test what service and even it’s version number is running

just in case you want to scan the internet for a specific version of a software that has a specific bug that you want to exploit:

DON’T TO THIS IN YOUR COMPANY NET UNLESS YOU ARE PERMITTED TO!

scanning local network

# scan local network for alive hosts and open ports (range 20-200)
nmap -v -p 20-100 -sS 192.168.1.0/24

scanning specific host

nmap -v dwaves.de; # shows
Not shown: 988 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
143/tcp  open  imap
443/tcp  open  https
465/tcp  open  smtps
587/tcp  open  submission
993/tcp  open  imaps
2525/tcp open  ms-v-worlds -> no, it is debian-exim
8083/tcp open  us-srv
9001/tcp open  tor-orport

telnet dwaves.de 25
Trying 78.46.249.71...
Connected to dwaves.de.
Escape character is '^]'.
220 dwaves.de ESMTP Exim 4.84_2 Thu, 04 May 2017 11:48:10 +0200
help
214-Commands supported:
214 AUTH STARTTLS HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
QUIT
221 dwaves.de closing connection
Connection closed by foreign host.

telnet dwaves.de 587
Trying 78.46.249.71...
Connected to dwaves.de.
Escape character is '^]'.
220 dwaves.de ESMTP Exim 4.84_2 Thu, 04 May 2017 12:38:02 +0200
HELP
214-Commands supported:
214 AUTH STARTTLS HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
QUIT
221 dwaves.de closing connection
Connection closed by foreign host.

telnet dwaves.de 2525; # exim is also listening on port 2525
Trying 78.46.249.71...
Connected to dwaves.de.
Escape character is '^]'.
220 dwaves.de ESMTP Exim 4.84_2 Thu, 04 May 2017 12:24:50 +0200
QUIT
221 dwaves.de closing connection
Connection closed by foreign host.

telnet dwaves.de 143
Trying 78.46.249.71...
Connected to dwaves.de.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
1 LOGOUT
* BYE Logging out
1 OK Logout completed.
Connection closed by foreign host.

telnet dwaves.de 443
Trying 78.46.249.71...
Connected to dwaves.de.
Escape character is '^]'.
HELLO
HTTP/1.1 400 Bad Request
Server: nginx
Date: Thu, 04 May 2017 10:31:04 GMT
Content-Type: text/html
Content-Length: 166
Connection: close
<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx</center>
</body>
</html>
Connection closed by foreign host.

telnet dwaves.de 53
Trying 78.46.249.71...
Connected to dwaves.de.
Escape character is '^]'.
Connection closed by foreign host.

telnet dwaves.de 465
Trying 78.46.249.71...
Connected to dwaves.de.
Escape character is '^]'.
QUIT
Connection closed by foreign host.

telnet dwaves.de 993
Trying 78.46.249.71...
Connected to dwaves.de.
Escape character is '^]'.
HELP
QUIT
Connection closed by foreign host.

so now you know my server is running:

  • 25, 587: SMTP: EXIM in the version 4.84_2
    • email can be received and you have external network access on one of the following ports – 23, 25, 26, 2525
    • does dislose info about used mail-service and version
  • 465: SMTPS: EXIM: Mail-Message Submission from server to server RFC 4409
    • for backward compatibility still served on port 465
    • should be 587 – new IANA designeated port
    • does not dislose info about used mail-service and version
  • 2525: EXIM again:
      # This transport is used for delivering messages over SSH-tunneled SMTP
      # connections to port 2525 on localhos
  • 143: IMAP: Dovecot – version unkown
  • 993: IMAPS: Dovecot – version unkown
    • does not dislose info about used mail-service and version
    • dovecot is a POP and IMAP mailserver; it is used in 68% of IMAP server deployments worldwide. The audit was performed by Cure53.The team found the following problems:
      • 3 Low

      The Cure53 team were extremely impressed with the quality of the dovecot code. They wrote: „Despite much effort and thoroughly all-encompassing approach, the Cure53 testers only managed to assert the excellent security-standing of Dovecot. More specifically, only three minor security issues have been found in the codebase, thus translating to an exceptionally good outcome for Dovecot, and a true testament to the fact that keeping security promises is at the core of the Dovecot development and operations.“ (Dates: October 2016 – January 2017)

  • 443: HTTPS: nginx – version unkown
  • 53: DNS: binary protocol – not possible to interact with it with telnet? https://tools.ietf.org/html/rfc1035#section-4

links:

list open ports: dwaves.de/2015/06/16/linux-list-all-open-ports/

bug-track: keep an eye on: https://www.debian.org/Bugs/

advanced search: https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=unstable;package=

https://lists.exim.org/lurker/list/exim-announce.en.html

http://users.informatik.uni-halle.de/~beckmann/Firewall/

https://securingthehuman.sans.org/blog

https://securingthehuman.sans.org/blog/2017/04/12/game-on-2017-security-awareness-summit

https://securingthehuman.sans.org/blog/2017/04/04/sigh-the-goal-of-security-is-good-enough

http://sectools.org/tag/vuln-scanners/

http://sectools.org/tag/web-scanners/

https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed

https://jon.oberheide.org/

https://www.qualys.com/research/top10/

https://threatpost.com/ – by Kaspersky Lab Security News Service

http://pwnies.com/about/

admin