Image : JanBaby, via Pixabay CC0
The telnet network utility is a buzzword . It was at one time very actively used by the overwhelming majority of system administrators and other fans of remote server administration. The utility allows you to access the ports of a remote host, go through the authorization procedure and run commands on this machine.
But the telnet protocol does not use encryption. In today's realities, sacrificing security is an unaffordable luxury. However, there are a number of tasks that telnet can perform with varying degrees of success: network testing, port checking, and interacting with IoT devices and routers.
It would seem that the utility can be easily used as an advanced version of ping. By itself, the ping command, at best, only checks the availability of the host (sometimes this command will not work at all, for example, due to access policy restrictions). But the telnet command not only checks if the port is open, but can also communicate with network services through this port. But over time, we will increasingly face the need to use an encrypted connection, where telnet will again be powerless.
OpenSSL and the s_client command
So in most cases I use the s_client command from the OpenSSL library instead of telnet . The s_client command performs the functions of an SSL / TLS client for connecting to a remote host with various settings - encryption key, type of handshake, protocol, and so on. The command also allows you to check if the session is being resumed.
Installing OpenSSL
If the OpenSSL library is not yet installed on your OS, then it can be installed using the package manager:
$ sudo dnf install openssl Debian : $ sudo apt install openssl : $ openssl version OpenSSL x.y.z FIPS
Port access check
This is how the telnet command works to check access to port 25:
$ telnet mail.example.com 25
Trying 98.76.54.32...
Connected to example.com.
Escape character is '^]'.
In the example above, we opened an interactive session with a certain mail server listening on port 25. If we get access to it, we can exchange messages with it. If port 25 is not available, the connection will not be established.
Now let's see how a similar command from OpenSSL works:
$ openssl s_client -connect example.com:80
CONNECTED(00000003)
140306897352512:error:1408F10B:SSL [...]
no peer certificate available
No client certificate CA names sent
SSL handshake has read 5 bytes and written 309 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
As you can see, there was no sending of data about the SSL certificate, so the connection was interrupted, it was not possible to open a session. To establish a secure encrypted connection using the HTTPS protocol, you need to access a special port.
Opening an interactive session with an encrypted connection
In this case, browsers and web servers communicate in such a way that traffic directed to port 80 is actually redirected to port 443, which is reserved for HTTPS traffic. Knowing this, you can with any web service that listens on port 443.
First, let's connect to the port using SSL. We use the -showcerts option and the SSL certificate will be printed to your terminal:
$ openssl s_client -connect example.com:443 -showcerts
[...]
0080 — 52 cd bd 95 3d 8a 1e 2d-3f 84 a0 e3 7a c0 8d 87 R...=..-?...z...
0090 — 62 d0 ae d5 95 8d 82 11-01 bc 97 97 cd 8a 30 c1 b.............0.
00a0 — 54 78 5c ad 62 5b 77 b9-a6 35 97 67 65 f5 9b 22 Tx\.b[w..5.ge..»
00b0 — 18 8a 6a 94 a4 d9 7e 2f-f5 33 e8 8a b7 82 bd 94 ..j...~/.3......
Start Time: 1619661100
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
-
read R BLOCK
We were able to open an interactive session. Until it closes, we can send HTTP messages to the server:
[...] GET / HTTP/1.1 HOST: example.com
Press the Return key (for MacOS) or ENTER (for Windows) twice, and we will receive a response from the server in the form example.com/index.html:
[...]
<body>
<div>
<h1>Example Domain</h1>
<p>This domain is for use in illustrative examples in documents. You may use this
domain in literature without prior coordination or asking for permission.</p>
<p><a href="https://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
</html>
Mail server
The s_client command can be used to test an encrypted connection to a mail server. For this to work, we need a username and password (in my case, for a test user) encoded in Base64.
You can encode them, for example, like this:
$ perl -MMIME::Base64 -e 'print encode_base64(«username»);'
$ perl -MMIME::Base64 -e 'print encode_base64(«password»);'
If everything goes well, you can proceed to the next step - connecting to the mail server via SSL. Port 587 is commonly used:
$ openssl s_client -starttls smtp \
-connect email.example.com:587
> ehlo example.com
> auth login
##paste your user base64 string here##
##paste your password base64 string here##
> mail from: noreply@example.com
> rcpt to: admin@example.com
> data
> Subject: Test 001
This is a test email.
.
> quit
I entered the email address admin@example.com, which I expect to receive a test message from the mail server.
Unjustified risk
Some people still use telnet, but it is no longer the indispensable tool it once was. It is now classified as a "legacy" package on many systems. Some system administrators wonder why it is excluded from the default installation. Telnet is gradually losing its relevance. This is an objective process.
Network security is vital for most systems, so it's worth getting to grips with the appropriate tools. It is important that they are capable of working with secure connections. So while testing or troubleshooting, you don't have to disable system protection and risk security.
Cloud servers from Macleod are fast and secure.
Register using the link above or by clicking on the banner and get a 10% discount for the first month of renting a server of any configuration!
