telnetshell
Use telnet to interact with IoT device shells for pentesting operations including device enumeration, vulnerability discovery, credential testing, and post-exploitation. Use when the user needs to interact with network-accessible shells, IoT devices, or telnet services.
What this skill does
# IoT Telnet Shell (telnetshell)

This skill enables interaction with IoT device shells accessible via telnet for security testing and penetration testing operations. It supports unauthenticated shells, weak authentication testing, device enumeration, and post-exploitation activities.

## Prerequisites

- Python 3 with pexpect library (`pip install pexpect` or `sudo pacman -S python-pexpect`)
- telnet client installed on the system (`sudo pacman -S inetutils` on Arch)
- Network access to the target device's telnet port

## Recommended Approach: Telnet Helper Script

**IMPORTANT**: This skill includes a Python helper script (`telnet_helper.py`) that provides a clean, reliable interface for telnet communication. **This is the RECOMMENDED method** for interacting with IoT devices.

### Default Session Logging

**ALL commands run by Claude will be logged to `/tmp/telnet_session.log` by default.**

To observe what Claude is doing in real-time:

```bash
# In a separate terminal, run:
tail -f /tmp/telnet_session.log
```

This allows you to watch all telnet I/O as it happens without interfering with the connection.

### Why Use the Telnet Helper?

The helper script solves many problems with direct telnet usage:

- **Clean output**: Automatically removes command echoes, prompts, and ANSI codes
- **Prompt detection**: Automatically detects and waits for device prompts
- **Timeout handling**: Proper timeout management with no arbitrary sleeps
- **Easy scripting**: Simple command-line interface for single commands or batch operations
- **Session logging**: All I/O logged to `/tmp/telnet_session.log` for observation
- **Reliable**: No issues with TTY requirements or background processes
- **JSON output**: For programmatic parsing and tool chaining

### Quick Start with Telnet Helper

**Single Command:**

```bash
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --command "uname -a"
```

**Custom Port:**

```bash
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --port 2222 --command "ls /"
```

**With Custom Prompt (recommended for known devices):**

```bash
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --prompt "^/ [#\$]" --command "ifconfig"
```

**Interactive Mode:**

```bash
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --port 2222 --interactive
```

**Batch Commands from File:**

```bash
# Create a file with commands (one per line)
echo -e "uname -a\ncat /proc/version\nifconfig\nps" > commands.txt
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --script commands.txt
```

**JSON Output (for parsing):**

```bash
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --command "uname -a" --json
```

**Debug Mode:**

```bash
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --command "ls" --debug
```

**Session Logging (for observation):**

```bash
# Terminal 1 - Run with logging
python3 .claude/skills/telnetshell/telnet_helper.py \
  --host 192.168.1.100 \
  --port 2222 \
  --logfile /tmp/session.log \
  --interactive

# Terminal 2 - Watch the session in real-time
tail -f /tmp/session.log
```

**Note:** See `OBSERVING_SESSIONS.md` for a comprehensive guide on monitoring telnet sessions.

See [examples.md](examples.md) for full worked walkthroughs: initial device identification, BusyBox detection, full system enumeration, SUID hunting, and hardcoded-credential discovery.

### Telnet Helper Options

```
Required (one of):
  --command, -c CMD         Execute single command
  --interactive, -i         Enter interactive mode
  --script, -s FILE         Execute commands from file

Connection Options:
  --host, -H HOST           Target host IP or hostname (required)
  --port, -P PORT           Telnet port (default: 23)
  --timeout, -t SECONDS     Command timeout (default: 3.0)
  --prompt, -p PATTERN      Custom prompt regex pattern

Output Options:
  --raw, -r                 Don't clean output (show echoes, prompts)
  --json, -j                Output in JSON format
  --logfile, -l FILE        Log all I/O to file (default: /tmp/telnet_session.log)
  --debug                   Show debug information
```

### Common Prompt Patterns

The helper script includes common prompt patterns, but you can specify custom ones:

```bash
# BusyBox shell (common on IoT)
--prompt "/\s*[#\$]\s*$"

# Standard root/user prompts
--prompt "^[#\$]\s*$"

# Custom device
--prompt "^MyDevice>\s*$"

# Uniview cameras
--prompt "^User@[^>]+>\s*$"
```

### Device Enumeration Example with Telnet Helper

Here's a complete example of safely enumerating a device:

```bash
# Set variables for convenience
HELPER="python3 .claude/skills/telnetshell/telnet_helper.py"
HOST="192.168.1.100"
PORT="2222"
LOGFILE="/tmp/telnet_session.log"

# System information
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "uname -a"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "cat /proc/version"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "cat /proc/cpuinfo"

# Check for BusyBox
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "busybox"

# Network configuration
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "ifconfig"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "route -n"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "netstat -tulpn"

# Process listing (may need longer timeout)
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --timeout 5 --command "ps aux"

# File system exploration
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "ls -la /"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "mount"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "df -h"

# Security assessment
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "cat /etc/passwd"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "find / -perm -4000 2>/dev/null"
```

**IMPORTANT FOR CLAUDE CODE**: When using this skill, ALWAYS include `--logfile /tmp/telnet_session.log` in every command so the user can monitor activity with `tail -f /tmp/telnet_session.log`.

## Instructions

### 1. Connection Setup

**Default connection:**

- **Port**: 23 (standard telnet, override with `--port`)
- **Timeout**: 3 seconds (override with `--timeout`)
- **Logging**: `/tmp/telnet_session.log` by default

**Common telnet ports on IoT devices:**

- 23: Standard telnet port
- 2222: Alternative telnet port (common on cameras)
- 8023: Alternative telnet port
- Custom ports: Check device documentation or nmap scan results

### 2. BusyBox Shells (Most IoT Devices)

**IMPORTANT**: The vast majority of IoT devices use BusyBox, a lightweight suite of Unix utilities designed for embedded systems. BusyBox provides a minimal shell environment with limited command functionality.
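
The output cleaning and prompt detection listed under "Why Use the Telnet Helper?" can be sketched against a BusyBox capture using the regexes from "Common Prompt Patterns". This is an added example, not the code of `telnet_helper.py`; the function names, the pattern labels and the sample capture are constructed for illustration.

```python
import re

# Prompt regexes quoted from the "Common Prompt Patterns" section; the labels are assumptions.
PROMPTS = {
    "busybox": r"/\s*[#\$]\s*$",
    "root_user": r"^[#\$]\s*$",
    "uniview": r"^User@[^>]+>\s*$",
}
# ANSI CSI escape sequences (colours, cursor movement).
ANSI_RE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")


def strip_ansi(text):
    """Remove ANSI CSI sequences and normalise telnet CRLF line endings."""
    return ANSI_RE.sub("", text).replace("\r\n", "\n").replace("\r", "")


def detect_prompt(raw):
    """Name the first known pattern matching the last line, or None.

    None means the device has not returned to a prompt yet, for example
    because the command is still running or the read timed out.
    """
    last = strip_ansi(raw).split("\n")[-1]
    for name, pattern in PROMPTS.items():
        if re.search(pattern, last):
            return name
    return None


def clean_output(raw, command, prompt_pattern):
    """Drop the echoed command and the trailing prompt, keep the command output."""
    lines = strip_ansi(raw).split("\n")
    if lines and lines[0].strip() == command.strip():
        lines = lines[1:]          # echoed command
    if lines and re.search(prompt_pattern, lines[-1]):
        lines = lines[:-1]         # prompt waiting for the next command
    return "\n".join(lines).strip()


# Constructed capture of `uname -a` on a BusyBox shell (not from a real device).
SAMPLE = (
    "uname -a\r\n"
    "\x1b[0mLinux cam 3.10.0 #1 armv7l GNU/Linux\x1b[0m\r\n"
    "/ # "
)

if __name__ == "__main__":
    print(detect_prompt(SAMPLE))
    print(clean_output(SAMPLE, "uname -a", PROMPTS["busybox"]))
```

Only the last line is tested against the prompt patterns, so the `#1` inside the `uname` output is not mistaken for a prompt.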

**Identifying BusyBox:**

```bash
# Check what shell you're using
busybox
busybox --help

# Or check symlinks
ls -la /bin/sh
# Often shows: /bin/sh -> /bin/busybox

# List available BusyBox applets
busybox --list
```

**BusyBox Limitations:**

- Many standard Linux commands may be simplified versions
- Some common flags/options may not be available
- Features like tab completion may be limited or absent
- Some exploitation techniques that work on full Linux may not work

**Common BusyBox commands available:**

```bash
# Core utilities (usually available)
#   cat, ls, cd, pwd, echo, cp, mv, rm, mkdir, chmod, chown
#   ps, kill, top, free, df, mount, umount
#   grep, find, sed, awk (limited versions)
#   ifconfig, route, ping, netstat, telnet
#   vi (basic text editor - no syntax highlighting)

# Check what's available
busybox --list | sort
ls /bin /sbin /usr/bin /usr/sbin
```

**BusyBox-specific considerations for pentesting:**

- `ps` output format may differ from standard Linux
- Some privilege escalation techniques require commands not in BusyBox
- File permissions still work the