Tutorial: Telnet

Telnet is an unencrypted, bidirectional, interactive, text-oriented protocol that provides a virtual terminal and was for a long time widely used for remote administration. Everything, including login name and password, travels in cleartext, which is why it has now been replaced by SSH, hopefully everywhere…

This tutorial discusses the plugin telnetDecode and its features.

Preparation

Before we start we need to prepare T2. If you did not complete the previous tutorials, just follow the procedure described below.

First I recommend putting T2 into a pristine state by removing all unnecessary or older plugins from the default plugin folder ~/.tranalyzer/plugins. This is just a precaution in case you have old plugins or files there. If you would like to keep them, please copy them away first.

$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$

Then compile the following plugins

$ t2build tranalyzer2 basicFlow tcpStates telnetDecode txtSink
...
BUILD SUCCESSFUL

$

If you did not create separate data and results directories yet, please do it now in another terminal window; it simplifies your workflow:

$ mkdir ~/data ~/results
$

Download the sample pcap here: telnet-per-char-mode.pcap. Now you’re all set.

telnetDecode

Let’s look at the plugin configuration first. It looks like that of the other data carving plugins.

$ telnetDecode
$ vi src/telnetDecode.h

This plugin is data carving capable, so it can extract the content of a Telnet session, including user names and passwords. User name and password are also printed in the flow file (columns telUsr and telPW). If TEL_SAVE=1, all content, including commands and uploads/downloads, is extracted under the path TEL_F_PATH.

Note that TEL_RMDIR=1 means the extraction directory is deleted at each new t2 execution. So if you want to keep files from earlier runs, switch it to 0.

If TEL_SAVE_SPLIT is enabled, the content of the A and B flows is stored in separate files; otherwise everything is dumped into the same file. TEL_SEQPOS controls whether the content files are written at the offset given by the TCP sequence number. Because the server does not echo the password, and echoed input may contain cursor-positioning characters, sequence-number-positioned writing can cause the password not to appear in the file at all, so TEL_SEQPOS is switched off by default.

The maximum lengths of the extracted user names and passwords and the number of commands and options stored per flow can be configured, as can the form of the flow output (here aggregated).

For the time being we leave everything at its default. Now execute t2 on the supplied pcap with packet mode (-s) enabled.

$ t2 -r ~/data/telnet-per-char-mode.pcap -w ~/results/ -s
================================================================================
Tranalyzer 0.8.10 (Anteater), Tarantula. PID: 46473
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.10
    02: tcpStates, 0.8.10
    03: telnetDecode, 0.8.10
    04: txtSink, 0.8.10
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406077 (406.08 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51069 (51.07 K)
Processing file: /home/wurst/telnet-per-char-mode.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 944192088.255531 sec (Fri 03 Dec 1999 03:34:48 GMT)
Dump stop : 944192142.668467 sec (Fri 03 Dec 1999 03:35:42 GMT)
Total dump duration: 54.412936 sec
Finished processing. Elapsed time: 0.001917 sec
Finished unloading flow memory. Time: 0.001965 sec
Percentage completed: 100.00%
Number of processed packets: 272
Number of processed bytes: 19969 (19.97 K)
Number of raw bytes: 19969 (19.97 K)
Number of pcap bytes: 24345 (24.34 K)
Number of IPv4 packets: 272 [100.00%]
Number of A packets: 159 [58.46%]
Number of B packets: 113 [41.54%]
Number of A bytes: 10761 (10.76 K) [53.89%]
Number of B bytes: 9208 (9.21 K) [46.11%]
Average A packet load: 67.68
Average B packet load: 81.49
--------------------------------------------------------------------------------
telnetDecode: Aggregated telStat=0x01
telnetDecode: Number of Telnet packets: 272 [100.00%]
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of TCP packets: 272 [100.00%]
Number of TCP bytes: 19969 (19.97 K) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 2
Number of processed A flows: 1 [50.00%]
Number of processed B flows: 1 [50.00%]
Number of request     flows: 1 [50.00%]
Number of reply       flows: 1 [50.00%]
Total   A/B    flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed   packets/flows: 136.00
Number of processed A packets/flows: 159.00
Number of processed B packets/flows: 113.00
Number of processed total packets/s: 5.00
Number of processed A+B   packets/s: 5.00
Number of processed A     packets/s: 2.92
Number of processed   B   packets/s: 2.08
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.04
Average full raw bandwidth: 2936 b/s (2.94 Kb/s)
Average full bandwidth : 2936 b/s (2.94 Kb/s)
Max number of flows in memory: 2 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0400900000004000
[WRN] Consecutive duplicate IP ID
[WRN] IPv4/6 payload length > framing length
[INF] IPv4 flows

telStat currently has only one bit set, which states that Telnet was found. Fine: the whole pcap consists of Telnet traffic.

$ tawk -V telStat=0x01
The telStat column with value 0x01 is to be interpreted as follows:

   bit | telStat | Description
   =============================================================================
     0 | 0x01    | TELNET port found

In the flow file the aggregated commands (telCmdS) and options (telOptS) are listed, together with the login name (telUsr) and password (telPW) picked up from the A flow.

$ cd ~/results
$ tcol telnet-per-char-mode_flows.txt
%dir  flowInd  flowStat            timeFirst         timeLast          duration   numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP        srcIPCC  srcIPOrg           srcPort  dstIP        dstIPCC  dstIPOrg           dstPort  l4Proto  tcpStatesAFlags  telStat  telCmdBF  telOptBF    telUsr  telPW  telCCnt  telCmdS                         telOCnt  telOptS
A     1        0x0400900000004000  944192088.255531  944192142.667102  54.411571  1           3        eth:ipv4:tcp  00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800              192.168.0.2  07       "Private network"  1254     192.168.0.1  07       "Private network"  23       6        0x00             0x01     0x7c00    0x810000ff  fake    user   5        "DO";"WILL";"WONT";"SB";"DONT"  13       "Suppr GA";"Term Type";"Window Size";"Term Speed";"Remote Flow";"Linemode";"New Env";"Opt Stat";"X Disp loc";"Auth";"Encryp opt";"Env";"Echo Data"
B     1        0x0400000000004001  944192088.257221  944192142.668467  54.411246  1           3        eth:ipv4:tcp  00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800              192.168.0.1  07       "Private network"  23       192.168.0.2  07       "Private network"  1254     6        0x00             0x01     0x6c00    0x810000ff                 4        "DO";"WILL";"SB";"DONT"         13       "Auth";"Suppr GA";"Term Type";"Window Size";"Term Speed";"Remote Flow";"Linemode";"New Env";"Opt Stat";"X Disp loc";"Encryp opt";"Env";"Echo Data"

Packet mode supplies status, command and option per packet; the string-based content can be seen in l7Content. You can follow the character-by-character entry of the login name (packets 36 to 50, each keystroke from the client followed by the server's echo) and of the password (packets 58 to 64). The password is not echoed, for obvious reasons. Note also that the per-packet telStat changes from 0x01 to 0x05 while the login is typed and to 0x09 while the password is typed; tawk -V telStat=0x09 lists the meaning of those bits.

$ tcol telnet-per-char-mode_packets.txt
%pktNo  flowInd  flowStat            time              pktIAT    flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP        srcIPCC  srcIPOrg         srcPort  dstIP        dstIPCC  dstIPOrg         dstPort  l4Proto  tcpStatesAFlags  telStat  telCmdNm  telSubCmdNm  l7Content
1       1        0x0400000000004000  944192088.255531  0.000000  0.000000      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00
2       1        0x0400000000004001  944192088.257221  0.000000  0.000000      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00
3       1        0x0400000000004000  944192088.257272  0.001741  0.001741      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00
4       1        0x0400000000004000  944192088.268704  0.011432  0.013173      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00             0x01     WILL      X Disp loc   ........... ..!.."..'.....#
5       1        0x0400000000004001  944192088.405814  0.148593  0.148593      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00             0x01     DO        Auth         ..%
6       1        0x0400000000004000  944192088.405882  0.137178  0.150351      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00
7       1        0x0400000000004000  944192088.406059  0.000177  0.150528      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00             0x01     WONT      Auth         ..%
8       1        0x0400000000004001  944192088.407439  0.001625  0.150218      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00
9       1        0x0400000000004001  944192088.409133  0.001694  0.151912      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00             0x01     SB        Linemode     ........... ..!..".."....
10      1        0x0400000000004000  944192088.409347  0.003288  0.153816      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00             0x01     SB        Window Size  ....P. ....".....b........b....\tB.\n........................"....
11      1        0x0400000000004001  944192088.410435  0.001302  0.153214      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00
12      1        0x0400000000004001  944192088.410949  0.000514  0.153728      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00             0x01     DO        Env          ..'.....#..&..&..$
13      1        0x0400000000004000  944192088.411027  0.001680  0.155496      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00             0x01     WONT      Env          ..&..&..$
14      1        0x0400000000004001  944192088.412005  0.001056  0.154784      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00
15      1        0x0400000000004001  944192088.414289  0.002284  0.157068      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00             0x01     SB        Term Speed   .. .....#.....'.........
16      1        0x0400000000004000  944192088.415029  0.004002  0.159498      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00             0x01     SB        Term Speed   .. .9600,9600....#.bam.zing.org:0.0....'..DISPLAY.bam.zing.org:0.0......xterm-color..
17      1        0x0400000000004001  944192088.416185  0.001896  0.158964      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00
18      1        0x0400000000004001  944192088.436701  0.020516  0.179480      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00             0x01     DO        Echo Data    ...
19      1        0x0400000000004000  944192088.436781  0.021752  0.181250      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00             0x01     WONT      Echo Data    ...
20      1        0x0400000000004001  944192088.437976  0.001275  0.180755      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00
21      1        0x0400000000004001  944192088.451623  0.013647  0.194402      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00             0x01     SB        Remote Flow  .....!......
22      1        0x0400000000004000  944192088.451736  0.014955  0.196205      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00             0x01     DONT      Echo Data    ......
23      1        0x0400000000004001  944192088.452921  0.001298  0.195700      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00
24      1        0x0400000000004001  944192088.453777  0.000856  0.196556      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00             0x01     SB        Linemode     .."............
25      1        0x0400000000004000  944192088.468570  0.016834  0.213039      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00
26      1        0x0400000000004001  944192088.469885  0.016108  0.212664      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00             0x01     SE        Bin Xmit     \r\nOpenBSD/i386 (oof) (ttyp1)\r\n\r\n
27      1        0x0400000000004000  944192088.488594  0.020024  0.233063      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00
28      1        0x0400000000004001  944192089.563538  1.093653  1.306317      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00             0x01     SE        Bin Xmit     login:
29      1        0x0400000000004000  944192089.578585  1.089991  1.323054      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00
30      1        0x0400000000004000  944192095.853357  6.274772  7.597826      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00             0x05     DO        Echo Data    .."...
31      1        0x0400000000004001  944192095.854967  6.291429  7.597746      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00
32      1        0x0400000000004001  944192095.856305  0.001338  7.599084      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00             0x01     WILL      Echo Data    ...
33      1        0x0400000000004000  944192095.868575  0.015218  7.613044      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00
34      1        0x0400000000004001  944192095.869634  0.013329  7.612413      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00             0x01     DONT      Linemode     .."
35      1        0x0400000000004000  944192095.888568  0.019993  7.633037      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00
36      1        0x0400000000004000  944192096.967298  1.078730  8.711767      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00             0x05     SE        Bin Xmit     f
37      1        0x0400900000004000  944192096.968624  0.001326  8.713093      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00
38      1        0x0400000000004001  944192096.970411  1.100777  8.713190      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00             0x01     SE        Bin Xmit     f
39      1        0x0400900000004000  944192096.988580  0.019956  8.733049      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00
40      1        0x0400900000004000  944192097.189619  0.201039  8.934088      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00             0x05     SE        Bin Xmit     a
41      1        0x0400900000004000  944192097.190838  0.001219  8.935307      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00
42      1        0x0400000000004001  944192097.192133  0.221722  8.934912      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00             0x01     SE        Bin Xmit     a
43      1        0x0400900000004000  944192097.208580  0.017742  8.953049      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00
44      1        0x0400900000004000  944192097.376353  0.167773  9.120822      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00             0x05     SE        Bin Xmit     k
45      1        0x0400900000004000  944192097.377633  0.001280  9.122102      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00
46      1        0x0400000000004001  944192097.378946  0.186813  9.121725      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00             0x01     SE        Bin Xmit     k
47      1        0x0400900000004000  944192097.398584  0.020951  9.143053      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00
48      1        0x0400900000004000  944192097.473184  0.074600  9.217653      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00             0x05     SE        Bin Xmit     e
49      1        0x0400900000004000  944192097.474450  0.001266  9.218919      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00
50      1        0x0400000000004001  944192097.475838  0.096892  9.218617      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00             0x01     SE        Bin Xmit     e
51      1        0x0400900000004000  944192097.488584  0.014134  9.233053      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00
52      1        0x0400900000004000  944192097.688646  0.200062  9.433115      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00             0x01     SE        Bin Xmit     \r.
53      1        0x0400000000004001  944192097.689935  0.214097  9.432714      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00
54      1        0x0400000000004001  944192097.702068  0.012133  9.444847      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00             0x01     SE        Bin Xmit     \r\n
55      1        0x0400900000004000  944192097.718590  0.029944  9.463059      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00
56      1        0x0400000000004001  944192097.719739  0.017671  9.462518      3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00             0x01     SE        Bin Xmit     Password:
57      1        0x0400900000004000  944192097.738580  0.019990  9.483049      3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00
58      1        0x0400900000004000  944192098.959909  1.221329  10.704378     3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00             0x09     SE        Bin Xmit     u
59      1        0x0400000000004001  944192098.961247  1.241508  10.704026     3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00
60      1        0x0400900000004000  944192099.399585  0.439676  11.144054     3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00             0x09     SE        Bin Xmit     s
61      1        0x0400000000004001  944192099.400803  0.439556  11.143582     3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00
62      1        0x0400900000004000  944192099.881157  0.481572  11.625626     3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00             0x09     SE        Bin Xmit     e
63      1        0x0400000000004001  944192099.882702  0.481899  11.625481     3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00
64      1        0x0400900000004000  944192100.186851  0.305694  11.931320     3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00             0x09     SE        Bin Xmit     r
65      1        0x0400000000004001  944192100.188091  0.305389  11.930870     3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00
66      1        0x0400900000004000  944192101.541494  1.354643  13.285963     3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00             0x01     SE        Bin Xmit     \r.
67      1        0x0400000000004001  944192101.542747  1.354656  13.285526     3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00
68      1        0x0400000000004001  944192101.815604  0.272857  13.558383     3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00             0x01     SE        Bin Xmit     \r\n
69      1        0x0400900000004000  944192101.828601  0.287107  13.573070     3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00
70      1        0x0400000000004001  944192103.076400  1.260796  14.819179     3        eth:ipv4:tcp             00:00:c0:9f:a0:97  00:a0:cc:3b:bf:fa  0x0800   192.168.0.1  07       Private network  23       192.168.0.2  07       Private network  1254     6        0x00             0x01     SE        Bin Xmit     Last login: Thu Dec  2 21:32:59 on ttyp1 from bam.zing.org\r\n
...
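The following Python is an added example, not code from Tranalyzer or the telnetDecode plugin. On a constructed per-character login modelled on the packets above it reproduces what the plugin's columns summarise: an IAC negotiation parser that yields the command and option names (telCmdNm/telSubCmdNm) and the stripped session bytes (l7Content), a per-direction reconstruction that corresponds to the split and merged data carving files of the next section and shows why a merged dump reads "ffaakkee", and a prompt-driven keystroke collector that yields user name and password (telUsr/telPW). The option name table, the SAMPLE packets and the rule that a prompt must end a server payload are assumptions of this example, not the plugin's implementation.

```python
# Added example (not Tranalyzer/telnetDecode code): separate Telnet option
# negotiation from session data, rebuild the session per direction or merged,
# and pick user name and password out of per-character keystrokes.  Option
# numbers follow the IANA Telnet option registry; SAMPLE is constructed.

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
CMD_NAMES = {SE: "SE", SB: "SB", WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
OPT_NAMES = {0: "Bin Xmit", 1: "Echo Data", 3: "Suppr GA", 5: "Opt Stat",
             24: "Term Type", 31: "Window Size", 32: "Term Speed",
             33: "Remote Flow", 34: "Linemode", 35: "X Disp loc", 36: "Env",
             37: "Auth", 38: "Encryp opt", 39: "New Env"}


def parse_telnet(payload: bytes):
    """Return (negotiations, data): (command, option) name pairs, one per IAC
    sequence, and the payload with every IAC sequence removed.  IAC IAC is an
    escaped 0xff data byte; a sequence cut off by the payload end is dropped."""
    negs, data, i, n = [], bytearray(), 0, len(payload)
    while i < n:
        if payload[i] != IAC:
            data.append(payload[i]); i += 1
            continue
        if i + 1 >= n:                       # lone IAC: truncated
            break
        cmd = payload[i + 1]
        if cmd == IAC:                       # escaped data byte
            data.append(IAC); i += 2
        elif cmd in (WILL, WONT, DO, DONT):  # 3-byte option request
            if i + 2 >= n:
                break
            negs.append((CMD_NAMES[cmd], OPT_NAMES.get(payload[i + 2], str(payload[i + 2]))))
            i += 3
        elif cmd == SB:                      # subnegotiation up to IAC SE
            j = i + 2
            while j + 1 < n and not (payload[j] == IAC and payload[j + 1] == SE):
                j += 2 if payload[j] == IAC else 1   # step over escaped IAC
            if j + 1 >= n:
                break                        # unterminated SB
            opt = payload[i + 2] if i + 2 < j else -1
            negs.append(("SB", OPT_NAMES.get(opt, str(opt))))
            i = j + 2
        else:                                # 2-byte command (NOP, AYT, GA, ...)
            negs.append((CMD_NAMES.get(cmd, str(cmd)), ""))
            i += 2
    return negs, bytes(data)


def reconstruct(packets, split=True):
    """Session bytes per direction (like telnet_flow_1_A/_B) or merged in
    packet order (like telnet_flow_1_AB, where every echoed keystroke doubles)."""
    out = {"A": b"", "B": b""} if split else {"AB": b""}
    for direction, payload in packets:
        out[direction if split else "AB"] += parse_telnet(payload)[1]
    return out


def extract_credentials(packets, max_len=32):
    """The last server (B) prompt decides what the following client (A) bytes
    mean; CR ends a field.  A prompt must end the server payload, so the
    'Last login: ...' banner does not restart capture.  The password is never
    echoed, so it exists only in the A direction."""
    user, pw, field = "", "", None
    for direction, payload in packets:
        data = parse_telnet(payload)[1]
        if direction == "B":
            tail = data.lower().rstrip()
            if tail.endswith(b"login:"):
                field, user = "user", ""
            elif tail.endswith(b"password:"):
                field, pw = "pw", ""
            continue
        for ch in data:
            if field is None:
                break
            if ch in (0x0d, 0x0a):           # CR/LF: field complete
                field = None
            elif ch in (0x08, 0x7f):         # backspace/DEL: drop last char
                if field == "user": user = user[:-1]
                else: pw = pw[:-1]
            elif 0x20 <= ch < 0x7f:
                if field == "user" and len(user) < max_len: user += chr(ch)
                elif field == "pw" and len(pw) < max_len: pw += chr(ch)
    return user, pw


SAMPLE = [  # constructed per-character login: (direction, TCP payload)
    ("A", b"\xff\xfb\x18\xff\xfb\x20\xff\xfb\x23\xff\xfb\x27\xff\xfd\x05"),
    ("B", b"\xff\xfd\x25"), ("A", b"\xff\xfc\x25"),           # DO/WONT Auth
    ("A", b"\xff\xfa\x20\x00" + b"9600,9600" + b"\xff\xf0"),  # SB Term Speed IS
    ("B", b"\r\nOpenBSD/i386 (oof) (ttyp1)\r\n\r\nlogin: "),
    ("A", b"\xff\xfd\x01"), ("B", b"\xff\xfb\x01"),           # DO/WILL Echo
    ("A", b"f"), ("B", b"f"), ("A", b"a"), ("B", b"a"),
    ("A", b"k"), ("B", b"k"), ("A", b"e"), ("B", b"e"),
    ("A", b"\r\x00"), ("B", b"\r\nPassword:"),
    ("A", b"u"), ("A", b"s"), ("A", b"e"), ("A", b"r"),       # not echoed
    ("A", b"\r\x00"), ("B", b"\r\nLast login: Thu Dec  2 21:32:59 on ttyp1\r\n$ "),
    ("A", b"l"), ("B", b"l"), ("A", b"s"), ("B", b"s"), ("A", b"\r\x00"), ("B", b"\r\n$ "),
]

if __name__ == "__main__":
    print("credentials:", extract_credentials(SAMPLE))
    print("A :", reconstruct(SAMPLE)["A"])
    print("AB:", reconstruct(SAMPLE, split=False)["AB"])
```

Running it prints ('fake', 'user') for the credentials, the raw keystrokes fake, user and ls in the A direction, and a merged stream in which the login reads ffaakkee while the password appears only once, exactly the difference between the split and merged dumps that TEL_SAVE_SPLIT controls.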

If you want to see the whole Telnet conversation in a separate file, data carving mode must be enabled.

Data carving with telnetDecode

In order to enable the Data Carving mode TEL_SAVE has to be switched on. Use t2conf and t2build to reconfigure, recompile telnetDecode and rerun t2 on the pcap.

$ t2conf telnetDecode -D TEL_SAVE=1 && t2build telnetDecode
...
$ t2 -r ~/data/telnet-per-char-mode.pcap -w ~/results
...
--------------------------------------------------------------------------------
telnetDecode: Aggregated telStat=0x03
telnetDecode: Number of Telnet packets: 272 [100.00%]
--------------------------------------------------------------------------------
...
$

Bit 1 of the status confirms that files were successfully extracted.

$ tawk -V telStat=0x03
The telStat column with value 0x03 is to be interpreted as follows:

   bit | telStat | Description
   =============================================================================
     0 | 0x01    | TELNET port found
     1 | 0x02    | Successful files extraction

Change to the TEL_F_PATH directory (/tmp/TELFILES by default) and look inside. As configured, two files are generated, one for the A and one for the B flow. The A file holds the raw keystrokes of the user and may contain non-printable characters, so use strings to look at the direct keyboard entries. Oops: the login and the password.

The B file contains all server replies and the server's echo of the user input, so you see the login but not the password.

$ cd /tmp/TELFILES/
$ ls
telnet_flow_1_A  telnet_flow_1_B
$ strings telnet_flow_1_A
fake
user
ls -a
/sbin/ping www.yahoo.com
exit
$ strings telnet_flow_1_B
OpenBSD/i386 (oof) (ttyp1)
login: fake
Password:
Last login: Thu Dec  2 21:32:59 on ttyp1 from bam.zing.org
Warning: no Kerberos tickets issued.
OpenBSD 2.6-beta (OOF) #4: Tue Oct 12 20:42:32 CDT 1999
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
$ ls
$ ls -a
.         ..        .cshrc    .login    .mailrc   .profile  .rhosts
$ /sbin/ping www.yahoo.com
PING www.yahoo.com (204.71.200.74): 56 data bytes
64 bytes from 204.71.200.74: icmp_seq=0 ttl=239 time=73.569 ms
64 bytes from 204.71.200.74: icmp_seq=1 ttl=239 time=71.099 ms
64 bytes from 204.71.200.74: icmp_seq=2 ttl=239 time=68.728 ms
64 bytes from 204.71.200.74: icmp_seq=3 ttl=239 time=73.122 ms
64 bytes from 204.71.200.74: icmp_seq=4 ttl=239 time=71.276 ms
64 bytes from 204.71.200.74: icmp_seq=5 ttl=239 time=75.831 ms
64 bytes from 204.71.200.74: icmp_seq=6 ttl=239 time=70.101 ms
64 bytes from 204.71.200.74: icmp_seq=7 ttl=239 time=74.528 ms
64 bytes from 204.71.200.74: icmp_seq=9 ttl=239 time=74.514 ms
64 bytes from 204.71.200.74: icmp_seq=10 ttl=239 time=75.188 ms
64 bytes from 204.71.200.74: icmp_seq=11 ttl=239 time=72.925 ms
--- www.yahoo.com ping statistics ---
13 packets transmitted, 11 packets received, 15% packet loss
round-trip min/avg/max = 68.728/72.807/75.831 ms
$ exit

If you prefer to merge both flows into one file, switch TEL_SAVE_SPLIT off, recompile the plugin and rerun t2.

$ t2conf telnetDecode -D TEL_SAVE_SPLIT=0 && t2build telnetDecode
...
$ t2 -r ~/test_data/data/telnet-per-char-mode.pcap -w ~/results
...
$

Now there is only one file, and keystrokes and their echoes appear one after the other, so every character of a user command shows up twice, which can be annoying.

$ cd /tmp/TELFILES/
$ ls
telnet_flow_1_AB
$ cat /tmp/TELFILES/telnet_flow_1_AB
OpenBSD/i386 (oof) (ttyp1)
login: ffaakkee
Password:user
Last login: Thu Dec  2 21:32:59 on ttyp1 from bam.zing.org
Warning: no Kerberos tickets issued.
OpenBSD 2.6-beta (OOF) #4: Tue Oct 12 20:42:32 CDT 1999
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
$ llss
$ llss  --aa
.         ..        .cshrc    .login    .mailrc   .profile  .rhosts
$ //ssbbiinn//ppiinngg  wwwwww..yyaahhoooo..ccoomm
PING www.yahoo.com (204.71.200.74): 56 data bytes
64 bytes from 204.71.200.74: icmp_seq=0 ttl=239 time=73.569 ms
64 bytes from 204.71.200.74: icmp_seq=1 ttl=239 time=71.099 ms
64 bytes from 204.71.200.74: icmp_seq=2 ttl=239 time=68.728 ms
64 bytes from 204.71.200.74: icmp_seq=3 ttl=239 time=73.122 ms
64 bytes from 204.71.200.74: icmp_seq=4 ttl=239 time=71.276 ms
64 bytes from 204.71.200.74: icmp_seq=5 ttl=239 time=75.831 ms
64 bytes from 204.71.200.74: icmp_seq=6 ttl=239 time=70.101 ms
64 bytes from 204.71.200.74: icmp_seq=7 ttl=239 time=74.528 ms
64 bytes from 204.71.200.74: icmp_seq=9 ttl=239 time=74.514 ms
64 bytes from 204.71.200.74: icmp_seq=10 ttl=239 time=75.188 ms
64 bytes from 204.71.200.74: icmp_seq=11 ttl=239 time=72.925 ms
--- www.yahoo.com ping statistics ---
13 packets transmitted, 11 packets received, 15% packet loss
round-trip min/avg/max = 68.728/72.807/75.831 ms
$ eexxiitt
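To see where the doubled characters come from, here is an added Python model (not part of telnetDecode or this tutorial) that strips RFC 854 IAC negotiation from a constructed per-character telnet session and carves it both split (A/B files) and merged in arrival order. The packet trace, the option bytes and the function names are my own constructions.

```python
# Added example, not part of the telnetDecode plugin or this tutorial:
# a minimal model of how per-character telnet traffic is carved into the
# A (client keystrokes) and B (server output + echo) files, and why a
# merged file in arrival order shows every typed character twice.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEG = {0xFB, 0xFC, 0xFD, 0xFE}      # WILL, WONT, DO, DONT take one option byte

def strip_iac(data: bytes) -> bytes:
    """Remove RFC 854 IAC command/negotiation sequences, keep the text."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b); i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:   # escaped 0xFF byte
            out.append(IAC); i += 2
        elif i + 1 < len(data) and data[i + 1] in NEG:
            i += 3                                       # IAC <cmd> <option>
        elif i + 1 < len(data) and data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2        # IAC SB ... IAC SE
        else:
            i += 2                                       # other 2-byte command
    return bytes(out)

# Constructed packet trace, in arrival order: (direction, payload).
# The client negotiates, then types one key per packet; the server echoes
# each key, except while the password is typed.
TRACE = [
    ("A", b"\xff\xfd\x03\xff\xfb\x18"),          # DO SUPPRESS-GA, WILL TERMINAL-TYPE
    ("B", b"\xff\xfb\x01login: "),               # WILL ECHO, then the prompt
    ("A", b"f"), ("B", b"f"), ("A", b"a"), ("B", b"a"),
    ("A", b"\r\n"), ("B", b"\r\nPassword:"),
    ("A", b"u"), ("A", b"s"), ("A", b"\r\n"),     # no echo for the password
    ("B", b"\r\n$ "),
    ("A", b"l"), ("B", b"l"), ("A", b"s"), ("B", b"s"),
    ("A", b"\r\n"), ("B", b"\r\n.cshrc\r\n$ "),
]

def carve(trace, split=True):
    """Return {'A': ..., 'B': ...} when split, else {'AB': ...} in arrival order."""
    files = {}
    for direction, payload in trace:
        key = direction if split else "AB"
        files[key] = files.get(key, b"") + strip_iac(payload)
    return files

if __name__ == "__main__":
    for name, content in carve(TRACE).items():
        print(name, content)            # A holds the password, B the echoes
    print("AB", carve(TRACE, split=False)["AB"])   # "ffaa", "llss": doubled keys
```

The A file is where the password survives, while the merged AB file reproduces the "ffaakkee" pattern from the output above.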

To get rid of this annoyance, switch on sequence number positioning:

$ t2conf telnetDecode -D TEL_SEQPOS=1 && t2build telnetDecode
...
$ t2 -r ~/test_data/data/telnet-per-char-mode.pcap -w ~/results
...
$

Now all the echoes are gone, including the password, as characters are now written to the same position and the last one is overwritten with a \r.

$ cat /tmp/TELFILES/telnet_flow_1_AB
OpenBSD/i386 (oof) (ttyp1)
login:
fake
Password:
Last login: Thu Dec  2 21:32:59 on ttyp1 from bam.zinls
ls -a
/sbin/ping www.yahoo.com
exit
OpenBSD 2.6-beta (OOF) #4: Tue Oct 12 20:42:32 CDT 1999
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
$ ls
$ ls -a
.         ..        .cshrc    .login    .mailrc   .profile  .rhosts
$ /sbin/ping www.yahoo.com
PING www.yahoo.com (204.71.200.74): 56 data bytes
64 bytes from 204.71.200.74: icmp_seq=0 ttl=239 time=73.569 ms
64 bytes from 204.71.200.74: icmp_seq=1 ttl=239 time=71.099 ms
64 bytes from 204.71.200.74: icmp_seq=2 ttl=239 time=68.728 ms
64 bytes from 204.71.200.74: icmp_seq=3 ttl=239 time=73.122 ms
64 bytes from 204.71.200.74: icmp_seq=4 ttl=239 time=71.276 ms
64 bytes from 204.71.200.74: icmp_seq=5 ttl=239 time=75.831 ms
64 bytes from 204.71.200.74: icmp_seq=6 ttl=239 time=70.101 ms
64 bytes from 204.71.200.74: icmp_seq=7 ttl=239 time=74.528 ms
64 bytes from 204.71.200.74: icmp_seq=9 ttl=239 time=74.514 ms
64 bytes from 204.71.200.74: icmp_seq=10 ttl=239 time=75.188 ms
64 bytes from 204.71.200.74: icmp_seq=11 ttl=239 time=72.925 ms
--- www.yahoo.com ping statistics ---
13 packets transmitted, 11 packets received, 15% packet loss
round-trip min/avg/max = 68.728/72.807/75.831 ms
$ exit

Experiment a bit with your own traffic.

Don’t forget to reset the plugin configuration for the next tutorial.

$ t2conf telnetDecode --reset && t2build telnetDecode
...
$

Have fun analyzing.