9

While web browsers send, among other things, the User-Agent string, does the Telnet protocol have a similar method of determining anything about the client connecting to it? OS? Specific Telnet client? Etc.

Peter Mortensen
  • 12,090
  • 23
  • 70
  • 90
Thufir
  • 1,490
  • 7
  • 36
  • 57

1 Answers1

14

There is no User-Agent, but there exist a few Telnet protocol options for sending client information:

  • TERMINAL TYPE – shows the used terminal type (e.g. xterm, urxvt, screen-256color...) You can't really get rid of this without breaking things. Same goes for NAWS which reports the window size (columns × rows).

  • OLD-ENVIRON and NEW-ENVIRON – can reveal some specific environment variables; some clients also reveal their FQDN in a fake $DISPLAY variable. Sending your configured system locale ($LANG, $LC_*) or timezone ($TZ) is also not uncommon.

  • XDISPLOC – similar to above, some clients send your FQDN as the X11 display location.

  • If any of the authentication features are enabled, they can reveal your OS username.

  • Finally, the whole set of recognized options varies between implementations and can be used as a rough Panopticlick-style fingerprint.

frost$ echo $DISPLAY
:0

frost$ telnet
telnet> set options
Will show option processing.
telnet> open m-net.arbornet.org
Trying 162.202.67.157...
Connected to m-net.arbornet.org.
Escape character is '^]'.
SENT DO SUPPRESS GO AHEAD
SENT WILL TERMINAL TYPE
SENT WILL NAWS
SENT WILL TSPEED
SENT WILL LFLOW
SENT WILL LINEMODE
SENT WILL NEW-ENVIRON
SENT DO STATUS
SENT WILL XDISPLOC
RCVD DO AUTHENTICATION
SENT WONT AUTHENTICATION
RCVD WILL SUPPRESS GO AHEAD
RCVD DO TERMINAL TYPE
RCVD DO NAWS
SENT IAC SB NAWS 0 95 (95) 0 46 (46)
RCVD DO TSPEED
RCVD DO LFLOW
RCVD DO LINEMODE
SENT IAC SB LINEMODE SLC SYNCH NOSUPPORT 0; IP VARIABLE|FLUSHIN|FLUSHOUT 3; AO VARIABLE 15; AYT NOSUPPORT 0; ABORT VARIABLE|FLUSHIN|FLUSHOUT 28; EOF VARIABLE 4; SUSP VARIABLE|FLUSHIN 26; EC VARIABLE 127; EL VARIABLE 21; EW VARIABLE 23; RP VARIABLE 18; LNEXT VARIABLE 22; XON VARIABLE 17; XOFF VARIABLE 19; FORW1 NOSUPPORT 0; FORW2 NOSUPPORT 0;
SENT DO SUPPRESS GO AHEAD
RCVD DO NEW-ENVIRON
RCVD WILL STATUS
RCVD DO XDISPLOC
RCVD WILL ENCRYPT
SENT DONT ENCRYPT
RCVD DO OLD-ENVIRON
SENT WONT OLD-ENVIRON
RCVD IAC SB TERMINAL-SPEED SEND
SENT IAC SB TERMINAL-SPEED IS 38400,38400
RCVD IAC SB X-DISPLAY-LOCATION SEND
SENT IAC SB X-DISPLAY-LOCATION IS "frost.nullroute.eu.org:0"
RCVD IAC SB NEW-ENVIRON SEND 
SENT IAC SB NEW-ENVIRON IS VAR "DISPLAY" VALUE "frost.nullroute.eu.org:0"
RCVD IAC SB TERMINAL-TYPE SEND
SENT IAC SB TERMINAL-TYPE IS "XTERM-256COLOR"
RCVD DO ECHO
SENT WONT ECHO
RCVD WILL ECHO
SENT DO ECHO
RCVD IAC SB TOGGLE-FLOW-CONTROL OFF
RCVD IAC SB TOGGLE-FLOW-CONTROL RESTART-XON
RCVD DONT LINEMODE
SENT WONT LINEMODE
RCVD IAC SB LINEMODE SLC IP VARIABLE|ACK|FLUSHIN|FLUSHOUT 3; AO VARIABLE|ACK 15; ABORT VARIABLE|ACK|FLUSHIN|FLUSHOUT 28; EOF VARIABLE|ACK 4; SUSP VARIABLE|ACK|FLUSHIN 26; EC VARIABLE|ACK 127; EL VARIABLE|ACK 21; EW VARIABLE|ACK 23; RP VARIABLE|ACK 18; LNEXT VARIABLE|ACK 22; XON VARIABLE|ACK 17; XOFF VARIABLE|ACK 19;

FreeBSD/i386 (m-net.arbornet.org) (pts/5)

login:
u1686_grawity
  • 426,297
  • 64
  • 894
  • 966
  • 2
    excellent answer. when I read `man telnet` the only listed bug is: `The source code is not comprehensible.` Curious whether anyone has ever written an up to date client in anything other than C. – Thufir Apr 05 '16 at 13:23
  • 3
    That wouldn't be of much use, since the protocol itself is also outdated, as are most servers... SSHv2 is the modern replacement. // also, note that there are several different clients called "telnet" – inetutils-telnet & netkit-telnet, among others. – u1686_grawity Apr 05 '16 at 17:02
  • 1
    Though, on a related note, SSH *does* have a user-agent string. – u1686_grawity Apr 05 '16 at 19:51
  • 1
    @grawity telnet still sees plenty of use e.g. for diagnostics, though. It's becoming slightly less common thanks to the proliferation of TLS (in favor of e.g. OpenSSL `-connect`), but there are still many valid uses for a reasonably bare-bones text connection just like telnet gives you when invoked against a non-telnet server. Of course, your point remains that telnet is not simply software, it's a protocol; it's a bit like calling a web browser HTTP. – user Apr 05 '16 at 20:05
  • 1
    @MichaelKjörling But when the telnet command is used for debugging network communication it is not actually speaking the telnet protocol. With the telnet client I just tested simply telling it which port number to connect to will cause it to change behavior. – kasperd Apr 05 '16 at 21:14
  • @MichaelKjörling: For that you have `nc`, `ncat`, `socat`, and so on. – u1686_grawity Apr 06 '16 at 11:37
  • Telnet is still widely used for MUDs (MOOs, MUSHs, etc.). – blubberdiblub Jan 12 '17 at 23:01