Telnet Honeypot
Detect unauthorized access attempts targeting Telnet services.
About Telnet
Telnet is a legacy remote access protocol still commonly found on network equipment, industrial control systems, and IoT devices. Despite being unencrypted, Telnet remains active on many internal networks, making Telnet credentials valuable targets for lateral movement.
What Gets Captured
When an attacker attempts to connect using your Telnet honeypot credentials, Tripwires captures:
- Username - The username entered during login
- Source IP - The attacker's IP address
- Timestamp - Exact time of the connection
- Password attempt - The password entered (transmitted in cleartext)
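A sketch of how a Telnet listener can record these four fields, added here as an example; it is not Tripwires' implementation. It strips Telnet option negotiation (IAC sequences) so the stored username and password contain only what was typed. The function names and port 2323 are assumptions.

```python
import contextlib
import json
import socket
from datetime import datetime, timezone

IAC, SB, SE = 255, 250, 240  # Telnet command bytes (RFC 854)

def strip_iac(data: bytes) -> bytes:
    """Drop Telnet option negotiation so only typed characters remain."""
    out, i = bytearray(), 0
    while i < len(data):
        nxt = data[i + 1] if i + 1 < len(data) else None
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif nxt == IAC:   # escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif nxt == SB:    # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:  # WILL/WONT/DO/DONT carry an option byte; other commands do not
            i += 3 if nxt is not None and 251 <= nxt <= 254 else 2
    return bytes(out)

def read_line(conn, limit=256) -> str:
    """Read one login field; clients end lines with LF, CR LF or CR NUL."""
    buf = b""
    while len(buf) < limit and not buf.endswith((b"\n", b"\r\x00")) and (c := conn.recv(1)):
        buf += c
    return strip_iac(buf).strip(b"\r\n\x00").decode("latin-1")

def handle_session(conn, source_ip: str) -> dict:
    """Present a fake login prompt and return the four captured fields."""
    conn.settimeout(10)
    conn.sendall(b"login: ")
    username = read_line(conn)
    conn.sendall(b"Password: ")
    password = read_line(conn)
    conn.sendall(b"\r\nLogin incorrect\r\n")  # the decoy never grants a shell
    return {"timestamp": datetime.now(timezone.utc).isoformat(),
            "source_ip": source_ip, "username": username, "password": password}

if __name__ == "__main__":  # port 2323 is an assumption; binding 23 needs privileges
    with socket.create_server(("0.0.0.0", 2323)) as srv:
        while True:
            conn, (ip, _port) = srv.accept()
            with conn, contextlib.suppress(OSError):  # timeout or reset mid-login
                print(json.dumps(handle_session(conn, ip)))
```

Each completed login attempt is printed as one JSON line, which can be forwarded to a SIEM as an alert.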
Connection String Formats
Telnet credentials can be planted in various formats depending on your tech stack:
Telnet Command
telnet telnet-xxx.gettripwires.com 23
Expect Script
#!/usr/bin/expect
spawn telnet telnet-xxx.gettripwires.com
expect "login:"
send "user\r"
expect "Password:"
send "password\r"
Python (telnetlib)
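# Note: telnetlib was deprecated in Python 3.11 and removed in 3.13 (PEP 594)
import telnetlib

# Connect to the honeypot host on the standard Telnet port
tn = telnetlib.Telnet('telnet-xxx.gettripwires.com', 23)
# Wait for each prompt, then send the planted username and password
tn.read_until(b"login: ")
tn.write(b"user\n")
tn.read_until(b"Password: ")
tn.write(b"password\n")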
Strategic Placement Ideas
Network Equipment Docs
Include as 'switch management' credentials in network documentation.
IoT Device Inventories
Add as 'factory default' access info for IoT/SCADA devices.
Legacy System Runbooks
Leave in runbooks for 'legacy terminal server' access.