Brute Forcing Telnet Passwords with NMAP

NMAP is a free open source tool for network scanning available at www.insecure.org. It has a powerful scripting engine that can be used to add capability to NMAP. There is a brand new book on NMAP scripting from Packt publishing available at Amazon.com Mastering the Nmap Scripting Engine [Kindle Edition].

There is a built in script for brute forcing Telnet - telnet-brute. To use the script you must create a text file with usernames and a text file with passwords. Note that the script works on any server that is running telnet, not just a switch or router.

In this example I am using:
user.txt for the usernames to test
pw4.txt for the password file
Switch IP: 192.168.10.50

As Always, DO NOT use this on a switch you don't own or have explicit written permission to work on. This script was run against a Cisco switch in my test lab. It wasn't connected to anything except my laptop.

Once you create your text files, open a command window in the directory with the files and enter
nmap -p 23 --script telnet-brute --script-args userdb=users.txt,passdb=pw4.txt 192.168.10.50

When the script completes you will see something like this if it was successful:

_________________________________________

Starting Nmap 6.47 ( http://nmap.org ) at 2015-02-26 10:10 Pacific Standard Time
Nmap scan report for 192.168.10.50
Host is up (0.0088s latency).
PORT   STATE SERVICE
23/tcp open  telnet
| telnet-brute:
|   Accounts
|     cisco:cisco1
|   Statistics
|_    Performed 15 guesses in 4 seconds, average tps: 3
MAC Address: 00:1B:90:9F:FF:C0 (Cisco Systems)

Nmap done: 1 IP address (1 host up) scanned in 39.25 seconds
__________________________________________


If it wasn't successful:
Host is up (0.00s latency).
PORT   STATE SERVICE
23/tcp open  telnet
| telnet-brute:
|   Accounts
|     No valid accounts found
|   Statistics
|     Performed 44 guesses in 52 seconds, average tps: 1
|
|_ ERROR: Too many retries, aborted ...

Nmap done: 1 IP address (1 host up) scanned in 83.33 seconds

Trouble Shooting

I have found a couple reasons for failure when running the script. The first one, line endings, is easy to fix. I haven't found a work around for the PPP issue.

Line Endings

If you are testing the script and know for sure that the username and password should work but don't, verify that the text file has line terminations that match your OS.

In my case I use Windows, MAC and Linux. I have found that if I edit my username or password file in Windows and then run the script in Linux or MAC it fails. I end up having to open it in Gedit and save it with Linux line terminations. Wouldn't it be nice if MS could follow 30 year old industry standards for anything!

VPN

If you are connected over an SSL VPN that creates a PPP connection you will not be able to run the script. On Linux, using a Fortigate firewall, it looks like this:

ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1354 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp
    inet 172.16.100.1 peer 1.1.1.1/32 scope global ppp0
       valid_lft forever preferred_lft forever


Here is a link to an nmap development page explaining the issue: Nmap not working with ppp0 interface