The TELNET Protocol

TELNET vs. telnet
• TELNET is a protocol that provides “a
general, bi-directional, eight-bit byte
oriented communications facility”.
• telnet is a program that supports the
TELNET protocol over TCP.
• Many application protocols are built upon
the TELNET protocol.
The TELNET Protocol
• TCP connection
• data and control over the same connection.
• Network Virtual Terminal
• negotiated options
NVT - Network Virtual Terminal
• intermediate representation of a generic
terminal.
• provides a standard language for
communication of terminal control
functions.
Negotiated Options
• All NVTs support a minimal set of
capabilities.
• Some terminals have more capabilities than
the minimal set.
• The 2 endpoints negotiate a set of mutually
acceptable options (character set, echo
mode, etc).
Negotiated Options
• The protocol for requesting optional
features is well defined and includes rules
for eliminating possible negotiation “loops”.
• The set of options is not part of the
TELNET protocol, so that new terminal
features can be incorporated without
changing the TELNET protocol.
Control Functions
• TELNET includes support for a series of
control functions commonly supported by
servers.
• This provides a uniform mechanism for
communication of (the supported) control
functions.
Control Functions
• Interrupt Process (IP)
– suspend/abort process.
• Abort Output (AO)
– process can complete, but send no more output to user’s terminal.
• Are You There (AYT)
– check to see if system is still running.
• Erase Character (EC)
– delete last character sent
– typically used to edit keyboard input.
• Erase Line (EL)
– delete all input in current line.
Command Structure
• All TELNET commands and data flow through the
same TCP connection.
• Commands start with a special character called the
Interpret as Command escape character (IAC).
e.g. IAC,<type of operation>,<option>
• The IAC code is 255.
• If a 255 is sent as data - it must be followed by
another 255.
Commands cont.
• Each receiver must look at each byte that
arrives and look for IAC.
• If IAC is found and the next byte is IAC - a
single byte is presented to the
application/terminal (a 255).
• If IAC is followed by any other code - the
TELNET layer interprets this as a
command.
Option negotiation
Sender Sent | Receiver Responds | Implication
WILL | DO | The sender would like to use a certain option if the receiver can handle it. The receiver says it can support the option. Option is now in effect.
WILL | DONT | The sender would like to use a certain option if the receiver can handle it. The receiver says it cannot support the option. Option is not in effect.
DO | WILL | The sender requests that the receiver use a certain option. The receiver says it can support the option. Option is now in effect.
DO | WONT | The sender requests that the receiver use a certain option. The receiver says it cannot support the option. Option is not in effect.
WONT | DONT | The sender will not use a certain option. Option disabled. DONT is the only valid response.
DONT | WONT | The sender requests that the receiver does not use a certain option. Option disabled. WONT is the only valid response.
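The request/response pairs above, written as a small responder with an allow-list of options (an added example, not part of the original slides). The class and method names are hypothetical, and it only answers requests started by the peer; tracking requests an endpoint starts itself needs the queue method described in RFC 1143.

```python
# Added example: answers peer-initiated TELNET option requests.
WILL, WONT, DO, DONT = "WILL", "WONT", "DO", "DONT"


class Negotiator:
    """Tracks which options are in effect and refuses anything not allow-listed."""

    def __init__(self, local_ok=(), remote_ok=()):
        self.local_ok = set(local_ok)    # options we agree to perform when sent DO
        self.remote_ok = set(remote_ok)  # options the peer may perform when it sends WILL
        self.local_on = set()            # options currently in effect on our side
        self.remote_on = set()           # options currently in effect on the peer's side

    def receive(self, verb, option):
        """Return the reply (verb, option) for an incoming request, or None for no reply."""
        if verb in (DO, DONT):           # the peer is talking about our side
            state, allowed, yes, no = self.local_on, self.local_ok, WILL, WONT
        else:                            # WILL / WONT: the peer is talking about its side
            state, allowed, yes, no = self.remote_on, self.remote_ok, DO, DONT
        want_on = verb in (DO, WILL)
        if want_on == (option in state):
            return None                  # already in that mode: stay silent, so no loop
        if want_on and option in allowed:
            state.add(option)
            return (yes, option)         # option is now in effect
        state.discard(option)
        return (no, option)              # refusal, or the only valid reply to WONT / DONT
```

Repeating a request for a mode that is already in effect gets no answer, which is what stops two endpoints from acknowledging each other forever.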
Playing with TELNET
• You can use the telnet program to play with the
TELNET protocol.
• telnet is a generic TCP client.
• Not all TCP servers talk TELNET (most don't).
• Many Unix systems have these servers running
(by default):
– echo: port 7
– discard: port 9
– daytime: port 13
– chargen: port 19
TELNET & Fingerprinting
• The Theory of Passive Fingerprinting with
Telnet Data suggested that each telnet client
has a unique way it negotiates with a telnet
daemon. This is even the case between two
different telnet clients running on the same
source system.
TELNET & Fingerprinting
• As said, “each telnet client…”, so it is a somewhat
limited fingerprinting technique, because apart
from the OS default client one can use a
third-party client, which will make the
fingerprinting impossible.
Some examples
• FreeBSD - specifically, the only one that requests the
Encryption Option; it also uses a Do followed by a
Will telnet command on this option.
• Linux Mandrake 7.2 - specifically the options used,
with the additional option of Will X Display
Location
• Windows NT4 - specifically the use of only the
Will Terminal Type option
• Windows 2000 - specifically the use of the two
options, Will Terminal Type and Will Negotiate
about Window Size
Some points to consider
• What telnet command options won't a client accept?
• How does the telnet client respond to multiple requests?
(e.g. the Cisco client seems to send a separate response
(i.e. packet) for each telnet command option requested).
• Can we fingerprint telnet clients by defaults in sub-options,
i.e. default Window Sizes (Negotiate about Window Size
option), or Terminal Speed?
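An added example (not from the original slides) covering both the receiver rules under Command Structure and the fingerprinting idea above: it splits a byte stream into data and commands, then lists the client's negotiation in order, sub-option parameters included. Function names and the sample bytes are constructed for illustration; command and option codes are those of RFC 854 and the IANA Telnet option registry.

```python
# Added example: TELNET receiver-side parsing plus an ordered negotiation signature.
IAC, SB, SE = 255, 250, 240
VERBS = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}
CONTROLS = {244: "IP", 245: "AO", 246: "AYT", 247: "EC", 248: "EL"}
OPTIONS = {24: "TERMINAL-TYPE", 31: "NAWS", 32: "TERMINAL-SPEED",
           35: "X-DISPLAY-LOCATION", 38: "ENCRYPT"}


def parse(stream: bytes):
    """Split a TELNET byte stream into (application data, list of command events)."""
    data, events, i, n = bytearray(), [], 0, len(stream)
    while i < n:
        nxt = stream[i + 1] if i + 1 < n else None
        if stream[i] != IAC:                  # ordinary data byte
            data.append(stream[i])
            i += 1
        elif nxt is None or (nxt in VERBS and i + 2 >= n):
            break                             # truncated command: a receiver would buffer it
        elif nxt == IAC:                      # IAC IAC -> a single data byte 255
            data.append(IAC)
            i += 2
        elif nxt in VERBS:                    # IAC <WILL|WONT|DO|DONT> <option>
            events.append((VERBS[nxt], stream[i + 2]))
            i += 3
        elif nxt == SB:                       # IAC SB <option> <params...> IAC SE
            j, body = i + 2, bytearray()
            while j < n - 1 and stream[j:j + 2] != bytes([IAC, SE]):
                body.append(stream[j])
                j += 2 if stream[j] == IAC else 1   # IAC IAC inside SB is one 255
            if j >= n - 1:                    # no IAC SE yet: sub-negotiation incomplete
                break
            if body:
                events.append(("SB", body[0], bytes(body[1:])))
            i = j + 2
        else:                                 # two-byte control function (IP, AO, AYT, ...)
            events.append((CONTROLS.get(nxt, nxt),))
            i += 2
    return bytes(data), events


def signature(events):
    """Ordered negotiation tokens; sub-option parameters (e.g. NAWS size) kept as hex."""
    return [" ".join([e[0], OPTIONS.get(e[1], str(e[1])), *(p.hex() for p in e[2:])])
            for e in events if len(e) > 1]


# Constructed client bytes (not a real capture): two WILLs, a NAWS report, AYT, then data.
SAMPLE = bytes([255, 251, 24, 255, 251, 31, 255, 250, 31, 0, 255, 255, 0, 24, 255, 240,
                255, 246]) + b"hi\xff\xff\r\n"
```

The NAWS report in the sample carries a width of 255, so the parser has to collapse an escaped 255 inside the sub-negotiation as well as in the data that follows.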
References
• http://www.sans.org/resources/idfaq/fingerp_telnet.php
• http://www.ietf.org/rfc/rfc854.txt
• http://www.ietf.org/rfc/rfc855.txt
• http://www.scit.wlv.ac.uk/~jphb/comms/telnet.html