L1. Telnet Lab
Networks & Communications II

1. Laboratory 2: Telnet

1.1. An introduction to the “PuTTY” program

During this lab, we will use a program that implements a Telnet client.
PuTTY is a free client program for the SSH, Telnet and Rlogin network protocols.
These protocols are all used to run a remote session on a computer, over a network. PuTTY implements the
client end of that session: the end at which the session is displayed, rather than the end at which it runs.
In really simple terms: you run PuTTY on a Windows machine, and tell it to connect to (for example, although
this is not the use we are going to make of it during this lab) a Unix machine. PuTTY opens a window. Then, anything
you type into that window is sent straight to the Unix machine, and everything the Unix machine sends back
is displayed in the window. So you can work on the Unix machine as if you were sitting at its console, while
actually sitting somewhere else.
The first step is to download the software from http://www.putty.org/ or directly from
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Among all the programs belonging to the PuTTY “family”, we will work with the one called puttytel.exe.

1.2. Using the “PuTTY” program

Run puttytel.exe.
Have a look at the “Session” window: “Basic options for your PuTTYtel session”.
There, select “Telnet” as the protocol to be used (we discard “Raw”, “Rlogin” and “Serial”).
We are working with a Telnet client, so the first thing we need in order to open a session is … a Telnet server.
There are some Telnet servers that can be accessed on the Internet.
We will work, for example, with telehack.com.
NOTE: During this whole laboratory session, you will be required to give evidence of the messages being
exchanged between client and server. To do that, combine Wireshark sniffing with the PuTTYtel logging option.
You can configure the PuTTYtel logging option in the “Session/Logging” screen, selecting “Session logging:
All session output” or “Printable output” and choosing a log file name.

1.2.1. First steps

Type the host name (or IP address) in the main window and enter the program. You will only have to follow
the instructions.
Is there any login request to access the client? Do you think that it is secure? Why or why not?

To access the main client there is no login request, and you can access several different
tools that Telehack provides, but you cannot access some user-oriented features, such
as chat or mail.

Regarding security, we can state that this method is not secure at all, since no security
measures have been taken. However, the features you are allowed to use by simply
entering the client are not private or classified (because, as we explained before, those that
are user-oriented cannot be used without logging in), so there is actually no
need for security.

Type newuser and follow the instructions. Do you think that it is secure? Why or why not?

When following the instructions, we come up with this result:

As we can see, some “security” measures have been taken (like asking if the user is over 13,
asking the user to read the privacy policy, ciphering the password and requiring it to be
over 5 letters, and the e-mail password reset option), but all these measures are quite
easy to trick, greatly lowering the security level.

However, the most alarming problem we find is when analyzing the Wireshark packets
captured during the password input (we will talk about the character input and processing in the next
point), as each character of the password is sent as plain text, making it really insecure,
as any packet sniffer would be able to get our password immediately.

Is a message sent every time you type a keystroke? Give evidence for your answer. Does the user
interface react slowly to your keystrokes? Why?

Yes, whenever a key is pressed a message is sent with the keystroke, which is then
processed, and a response packet makes the output characters update, showing which
letter you pressed. This is the reason the writing is quite slow, as two different messages
need to be sent and processed in order to see any interface interaction. The same occurs
with the long sentences’ messages: they are sent as a block, which explains why they are
formed so rapidly in comparison to the input. Here we can see the two messages being
exchanged:

This is what the one sent to the server carries:

This is the response:

In this case the response is not exactly the same as the sent character because this is part of the
password (so it can be used as an example of the previous point also), but it works the
same way.
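As an added example (not part of the original lab report), the following Python script turns the evidence the two questions above ask for into a check: it walks a list of per-segment Telnet payloads in capture order, counts how many client segments carry a single keystroke (character-at-a-time mode, one round trip per visible character, which is why the interface feels slow), and flags the case where bytes are typed right after a password prompt, that is, a credential crossing the network in cleartext. The payload records are constructed for the example, the prompt strings are an assumption, and the script reports only counts, never the secret itself.

```python
# Added example: audit Telnet session payloads (as exported from a capture) for
# character-at-a-time echo behaviour and cleartext credential entry.
# The records below are constructed for this example; option negotiation (IAC
# sequences) is assumed to have been stripped already.

# Assumption: prompts that announce a secret is about to be typed (case-insensitive).
SECRET_PROMPTS = (b"password:", b"passwd:")


def audit_session(records):
    """records: list of (direction, payload) in capture order, direction "c2s" or "s2c".

    Returns a dict with:
      client_segments     number of client-to-server payload segments
      keystroke_segments  how many of them carry exactly one byte (character mode)
      echo_round_trips    client bytes that came back from the server in the next segment
      secret_bytes        client bytes typed between a secret prompt and Enter
      cleartext_secret    True if any such bytes were seen (credential exposed on the wire)
      character_mode      True if every client segment was a single keystroke
    """
    stats = {"client_segments": 0, "keystroke_segments": 0,
             "echo_round_trips": 0, "secret_bytes": 0}
    in_secret = False
    last_typed = None          # payload of the most recent client segment

    for direction, payload in records:
        if direction == "c2s":
            stats["client_segments"] += 1
            if len(payload) == 1:
                stats["keystroke_segments"] += 1
            if in_secret:
                if payload in (b"\r", b"\n", b"\r\n"):
                    in_secret = False      # Enter terminates the secret
                else:
                    stats["secret_bytes"] += len(payload)
            last_typed = payload
        else:
            if any(p in payload.lower() for p in SECRET_PROMPTS):
                in_secret = True           # the next typed bytes are a credential
            elif last_typed is not None and payload.startswith(last_typed):
                stats["echo_round_trips"] += 1   # server echoed what was typed
            last_typed = None              # only the immediately following segment counts

    stats["cleartext_secret"] = stats["secret_bytes"] > 0
    stats["character_mode"] = (stats["client_segments"] > 0 and
                               stats["keystroke_segments"] == stats["client_segments"])
    return stats


# Constructed session: a login name echoed character by character, then a
# password prompt after which the server echoes "*" instead of the typed byte.
SAMPLE_RECORDS = [
    ("s2c", b"Username: "),
    ("c2s", b"a"), ("s2c", b"a"),
    ("c2s", b"l"), ("s2c", b"l"),
    ("c2s", b"\r"), ("s2c", b"\r\nPassword: "),
    ("c2s", b"s"), ("s2c", b"*"),
    ("c2s", b"3"), ("s2c", b"*"),
    ("c2s", b"\r"), ("s2c", b"\r\nWelcome to the demo host\r\n"),
]

if __name__ == "__main__":
    for key, value in audit_session(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

Run against the constructed session, every client segment is one byte, three of them are echoed back by the server before anything else happens, and two bytes are typed after the password prompt without a matching echo; a monitoring rule built on this logic would raise on the second fact alone, regardless of what the bytes were.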

Try to explain in a few lines the behaviour (from the user's point of view) of this Telnet server (to do that,
browse its pages).

After surfing for a while and testing different commands, it is easy to see that the server is strange and full
of different gizmos for the user to entertain himself with.
Some of the utilities of the server work like the most classic Internet services we are used
to seeing, like mail, date, etc. However, there are others (most of them, actually) that have
no other purpose than entertainment and serving as some kind of show-off of what
can be done in a simple DOS console.

Exit the program (type exit). What have you done to leave the server? Can you explain what kinds of
messages have been exchanged in this case?

When typing exit the connection is closed. No more messages can be sent to the server,
leaving us a “dead” console.

Apart from the usual character input messages, we also send a TCP message in which we
end the connection:

1.2.2. Going deeper

Now, start a Wireshark recording and test the following sequence, trying to explain every message you see
in the Wireshark file and the behavior of the program:
1. Start PuTTYtel
2. Enter the host name (not the IP address, but the name)
3. Click “Open” to start the Telnet session
   a. Explain the DNS messages
   b. Identify the TCP handshake
   c. Explain as well as you can the negotiation process (identify the different commands
      you see and the content of those bytes)
4. Type login and follow the instructions
   a. Explain the messages you see and the previous commands
5. Press <ENTER> to continue
6. Type ?
7. Type pig, learning the Pig Latin language
8. Type starwars
9. Go back to the main menu (press Ctrl+C)
10. Type rain
11. Change the window size with your mouse and analyze the negotiation process
12. Go back to the main menu (press Ctrl+C)
13. Check other commands
14. Exit the program (type exit)

3) a) No DNS messages are exchanged on connection.

b) This is the TCP handshake that marks the beginning of the connection.

c) The user sends the SYN packet, with a Seq value of 0 in this case. Once the server
receives it, a response message (SYN, ACK) is sent with an Ack value of 1 (Seq+1) and
an arbitrary Seq (0 in this case). Finally, the user responds to that message with a last
ACK message in which the Ack value is again the prior Seq value plus 1, so 1 in our case.
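To make the sequence-number arithmetic above checkable rather than eyeballed, here is an added Python example (not part of the original report) that validates a three-way handshake from the fields one reads off Wireshark: direction, TCP flags, sequence and acknowledgement numbers. It also converts absolute initial sequence numbers into the relative numbering Wireshark displays by default, which is where the “Seq value of 0” in the answer comes from. The segments are constructed sample values with non-zero initial sequence numbers.

```python
# Added example: check a TCP three-way handshake and derive Wireshark-style
# relative sequence numbers. Segments are constructed tuples:
# (direction, flags, seq, ack) with flags as a set of strings.

MOD = 2 ** 32   # TCP sequence space wraps at 32 bits


def check_handshake(segments):
    """Return a list of problems found in the first three segments (empty = valid).

    Expected pattern (RFC 793):
      client -> server  SYN        seq = ISNc
      server -> client  SYN, ACK   seq = ISNs, ack = ISNc + 1
      client -> server  ACK        seq = ISNc + 1, ack = ISNs + 1
    """
    if len(segments) < 3:
        return ["fewer than three segments"]
    (d1, f1, seq1, _), (d2, f2, seq2, ack2), (d3, f3, seq3, ack3) = segments[:3]
    problems = []

    if d1 != "c2s" or f1 != {"SYN"}:
        problems.append("first segment is not a client SYN")
    if d2 != "s2c" or f2 != {"SYN", "ACK"}:
        problems.append("second segment is not a server SYN/ACK")
    elif (ack2 - seq1) % MOD != 1:
        problems.append(f"SYN/ACK acknowledges {ack2}, expected {(seq1 + 1) % MOD}")
    if d3 != "c2s" or "ACK" not in f3 or "SYN" in f3:
        problems.append("third segment is not a client ACK")
    else:
        if (ack3 - seq2) % MOD != 1:
            problems.append(f"final ACK acknowledges {ack3}, expected {(seq2 + 1) % MOD}")
        if (seq3 - seq1) % MOD != 1:
            problems.append(f"final ACK carries seq {seq3}, expected {(seq1 + 1) % MOD}")
    return problems


def relative_numbers(segments):
    """Rewrite seq/ack relative to each side's ISN, as Wireshark does by default.
    The first segment seen in each direction defines that direction's ISN."""
    isn, out = {}, []
    for direction, flags, seq, ack in segments:
        isn.setdefault(direction, seq)
        peer = "s2c" if direction == "c2s" else "c2s"
        rel_seq = (seq - isn[direction]) % MOD
        # The very first SYN carries no meaningful ack; show it as 0.
        rel_ack = (ack - isn[peer]) % MOD if peer in isn else 0
        out.append((direction, flags, rel_seq, rel_ack))
    return out


# Constructed capture of a valid handshake with non-zero ISNs.
HANDSHAKE = [
    ("c2s", {"SYN"}, 1_000_000, 0),
    ("s2c", {"SYN", "ACK"}, 4_000_000, 1_000_001),
    ("c2s", {"ACK"}, 1_000_001, 4_000_001),
]

# Same exchange, but the server acknowledges the wrong byte.
BAD_HANDSHAKE = [HANDSHAKE[0], ("s2c", {"SYN", "ACK"}, 4_000_000, 1_000_000), HANDSHAKE[2]]

if __name__ == "__main__":
    print("valid:", check_handshake(HANDSHAKE) == [])
    print("relative view:", relative_numbers(HANDSHAKE))
    print("problems in bad capture:", check_handshake(BAD_HANDSHAKE))
```

The relative view of the constructed capture is exactly the 0 / 0,1 / 1,1 pattern described in the answer; the absolute numbers only look like that because Wireshark subtracts each side's initial sequence number for display.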

4-5) The messages are those that we already expected. The classic input ones and the final
sentence that proves that we are logged in.

6) When using the “?” command we receive a message with all the possible commands
that we can use as users.

7) Pig Latin is a constructed language in which all letters before the first vowel
are placed at the end and followed by “ay”. If the word begins with a vowel we add “way”
at the end.

8) The command “starwars” begins an ASCII re-creation of the original Star Wars film. A
new message is sent from the server for each frame.

10) The “rain” command simulates falling raindrops until they reach the floor. Again, a
new message is received for each frame. However, in this case the data is not directly
the ASCII code but, it seems, coordinates of the position of the raindrops.

11) When the window is resized, a message is sent to the server specifying the current
dimensions of the window.

13) Some of the commands tried are:

• clock: An ASCII clock. A message is received every second.

• cowsay: An ASCII image of a cow saying the message you

• roll: A simulation of rolling two dice. Again, a message is received whenever
the dice are rolled.

• 2048: The game with the same name.

1.2.3. Optional

What is the information in option “Window”/“Translation”/“Character set translation on received data”
about? Try to give an explanation of this option and relate it to the topic of the NVT.

As we know, there are some commands sent by Telnet that are reserved by the protocol itself. In some
cases, some of the messages may contain some of these reserved commands and
characters, and Telnet could fail or show some unexpected behavior.
To avoid this, it is important for PuTTY to understand what characters it is receiving
as output and to avoid using reserved characters. That is why the character set is important,
so that PuTTY is able to receive any message and translate it to our own character
set to avoid failures.

Research the behaviour of the PuTTYtel option “Connection”/“Telnet”/“Telnet negotiation mode”
(running the program in “Passive” mode instead of “Active”).
What are the changes in this case?

Passive mode makes PuTTY wait until the server starts the negotiation, instead of starting
the negotiation itself, which is what happens in active mode.
However, this can be a problem because if the server is also in passive mode the
communication will never start.
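As an added example (not from the original report or from PuTTY's code base), the following Python decoder covers three of the points above at once: the negotiation commands asked about in step 3c (IAC followed by WILL/WONT/DO/DONT and an option byte), the window-size message from step 11 (the NAWS subnegotiation IAC SB 31 width height IAC SE, with 16-bit big-endian dimensions), and the active/passive behaviour from this optional question, modelled with two toy endpoints whose option policies are constructed for the example. With both endpoints passive nothing is ever sent, which is the deadlock described above.

```python
# Added example: decode and model Telnet option negotiation (RFC 854/855) and
# the NAWS window-size subnegotiation (RFC 1073). The byte strings and the
# option policies of the two toy endpoints are constructed for this example.

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
OPT_ECHO, OPT_SGA, OPT_NAWS = 1, 3, 31          # IANA Telnet option numbers
CMD_NAMES = {DONT: "DONT", DO: "DO", WONT: "WONT", WILL: "WILL"}
OPT_NAMES = {OPT_ECHO: "ECHO", OPT_SGA: "SGA", OPT_NAWS: "NAWS"}


def parse_telnet(stream: bytes):
    """Split a raw Telnet byte stream into (events, data).
    events: ("DO", "ECHO")-style tuples, ("NAWS", width, height) for a decoded
    window-size subnegotiation, ("SB", opt, payload) for any other one;
    data: application bytes with the IAC IAC escape collapsed to one 0xFF."""
    events, data, i = [], bytearray(), 0
    while i < len(stream):
        if stream[i] != IAC:
            data.append(stream[i])
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd == IAC:                       # escaped data byte 0xFF
            data.append(IAC)
            i += 2
        elif cmd in CMD_NAMES:               # IAC <WILL|WONT|DO|DONT> <option>
            opt = stream[i + 2]
            events.append((CMD_NAMES[cmd], OPT_NAMES.get(opt, str(opt))))
            i += 3
        elif cmd == SB:                      # IAC SB <option> ... IAC SE
            opt, payload, j = stream[i + 2], bytearray(), i + 3
            while not (stream[j] == IAC and stream[j + 1] == SE):
                if stream[j] == IAC and stream[j + 1] == IAC:   # doubled 0xFF inside SB
                    payload.append(IAC)
                    j += 2
                else:
                    payload.append(stream[j])
                    j += 1
            if opt == OPT_NAWS and len(payload) == 4:
                events.append(("NAWS", int.from_bytes(payload[:2], "big"),
                               int.from_bytes(payload[2:], "big")))
            else:
                events.append(("SB", OPT_NAMES.get(opt, str(opt)), bytes(payload)))
            i = j + 2
        else:                                # other two-byte command (NOP, GA, ...)
            events.append(("CMD", cmd))
            i += 2
    return events, bytes(data)


def build_naws(width: int, height: int) -> bytes:
    """The subnegotiation a client sends when its window is resized."""
    body = width.to_bytes(2, "big") + height.to_bytes(2, "big")
    body = body.replace(bytes([IAC]), bytes([IAC, IAC]))   # 0xFF must be doubled
    return bytes([IAC, SB, OPT_NAWS]) + body + bytes([IAC, SE])


# Constructed policies: the server offers ECHO and SGA and wants NAWS from the
# client; the client offers NAWS and wants the server to ECHO and use SGA.
OFFERS = {"client": {OPT_NAWS}, "server": {OPT_ECHO, OPT_SGA}}
WANTS = {"client": {OPT_ECHO, OPT_SGA}, "server": {OPT_NAWS}}


def negotiate(client_active: bool, server_active: bool):
    """Toy model of PuTTYtel's "Telnet negotiation mode": an active side opens
    with WILL for what it offers and DO for what it wants; a passive side sends
    nothing until asked. Every side answers every request it receives (RFC 854
    requires a reply), refusing options it does not use. Returns the sent commands."""
    inbox = {"client": [], "server": []}
    log = []

    def send(frm, to, cmd, opt):
        log.append((frm, CMD_NAMES[cmd], OPT_NAMES[opt]))
        inbox[to].append((cmd, opt))

    for side, peer, active in (("client", "server", client_active),
                               ("server", "client", server_active)):
        if active:
            for opt in sorted(OFFERS[side]):
                send(side, peer, WILL, opt)
            for opt in sorted(WANTS[side]):
                send(side, peer, DO, opt)

    pending = {side: list(msgs) for side, msgs in inbox.items()}  # answer requests, not replies
    for side, peer in (("client", "server"), ("server", "client")):
        for cmd, opt in pending[side]:
            if cmd == DO:      # peer asks us to enable an option we may provide
                send(side, peer, WILL if opt in OFFERS[side] else WONT, opt)
            elif cmd == WILL:  # peer offers an option; accept only if we use it
                send(side, peer, DO if opt in WANTS[side] else DONT, opt)
    return log


if __name__ == "__main__":
    print(parse_telnet(b"\xff\xfb\x01" + build_naws(80, 24) + b"hi"))
    print("active client, passive server:", negotiate(True, False))
    print("both passive:", negotiate(False, False))   # nothing is ever sent
```

Feeding the decoder the bytes Wireshark shows for the resize in step 11 should yield a single NAWS event with the new columns and rows; the doubled-0xFF handling matters the moment a dimension has 255 in one of its bytes, which a naive split on IAC SE would mis-parse.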
