There is a built in script for brute forcing Telnet - telnet-brute. To use the script you must create a text file with usernames and a text file with passwords. Note that the script works on any server that is running telnet, not just a switch or router.
In this example I am using:
user.txt for the usernames to test
pw4.txt for the password file
Switch IP: 192.168.10.50
As Always, DO NOT use this on a switch you don't own or have explicit written permission to work on. This script was run against a Cisco switch in my test lab. It wasn't connected to anything except my laptop.
Once you create your text files, open a command window in the directory with the files and enter
nmap -p 23 --script telnet-brute --script-args userdb=users.txt,passdb=pw4.txt 192.168.10.50
When the script completes you will see something like this if it was successful:
_________________________________________
Starting Nmap 6.47 ( http://nmap.org ) at 2015-02-26 10:10 Pacific Standard Time
Nmap scan report for 192.168.10.50
Host is up (0.0088s latency).
PORT STATE SERVICE
23/tcp open telnet
| telnet-brute:
| Accounts
| cisco:cisco1
| Statistics
|_ Performed 15 guesses in 4 seconds, average tps: 3
MAC Address: 00:1B:90:9F:FF:C0 (Cisco Systems)
Nmap done: 1 IP address (1 host up) scanned in 39.25 seconds
__________________________________________
If it wasn't successful:
Host is up (0.00s latency).
PORT STATE SERVICE
23/tcp open telnet
| telnet-brute:
| Accounts
| No valid accounts found
| Statistics
| Performed 44 guesses in 52 seconds, average tps: 1
|
|_ ERROR: Too many retries, aborted ...
Nmap done: 1 IP address (1 host up) scanned in 83.33 seconds
Trouble Shooting
I have found a couple reasons for failure when running the script. The first one, line endings, is easy to fix. I haven't found a work around for the PPP issue.Line Endings
If you are testing the script and know for sure that the username and password should work but don't, verify that the text file has line terminations that match your OS.In my case I use Windows, MAC and Linux. I have found that if I edit my username or password file in Windows and then run the script in Linux or MAC it fails. I end up having to open it in Gedit and save it with Linux line terminations. Wouldn't it be nice if MS could follow 30 year old industry standards for anything!
VPN
If you are connected over an SSL VPN that creates a PPP connection you will not be able to run the script. On Linux, using a Fortigate firewall, it looks like this:ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1354 qdisc fq_codel state UNKNOWN group default qlen 3
link/ppp
inet 172.16.100.1 peer 1.1.1.1/32 scope global ppp0
valid_lft forever preferred_lft forever
Here is a link to an nmap development page explaining the issue: Nmap not working with ppp0 interface