Analyzing Telnet

Telnet offers a bi-directional byte-oriented communication. Originally designed to offer a
communications method for terminal access, telnet uses port 23 on the server side and
a dynamic port number on the client side. Telnet is documented in RFCs 854 (Telnet)
and 855 (Telnet Options).
The Telnet Elements
Telnet hosts exchange information about options that they support as they establish a
connection with another host. This remote host is referred to as a Network Virtual
Terminal (NVT), or a virtual, generic host. These options use the DO, DON’T, WILL and
WON’T structure to define what features they support. All telnet communications use the
server port number 23 to exchange the option information and telnet data, as shown in
Figure 1.

NVT
Each side of a telnet communication is referred to as an NVT – the client NVT typically
initiates the telnet connection, while the server NVT offers some services to the client. In
the traditional sense, the NVT was considered a printer-keyboard device that receives
bytes from the other host and prints the information. It sends data entered on the
keyboard to the other host.

WILL –WON’T – DO – DON’T Structures
During the initial telnet connection establishment process, the hosts propose and accept
or deny the use of specific parameters to use in the communications.
The following structures are used for this negotiation process:
· 251 (0xFB) WILL
· 252 (0xFC) WON’T
· 253 (0xFD) DO
· 254 (0xFE) DON’T
Although these operators are not the only ones available, they are the most widely used
structures. A host sends one of these operators, such as DO or WILL, and follows it with
an option code. The option is accepted when the other host responds with a DO or
WILL. Returning a DON’T or WON’T indicates that a host does not accept an option.
Options
Options are parameters or conventions used for the telnet connection. For example, one
option, echo, is used to define whether a telnet host echoes back data characters it
receives over the telnet connection. The telnet echo option is covered in detail in RFC
857.
Table 1 shows a partial list of the options registered for telnet. Refer to www.iana.org for
a complete list of telnet options.
Table 1
Telnet Options List
Options Name References
0 Binary Transmission [RFC856]
1 Echo [RFC857]
2 Reconnection [NIC50005]
3 Suppress Go Ahead [RFC858]
4 Approx Message Size Negotiation [ETHERNET]
5 Status [RFC859]
6 Timing Mark [RFC860]
7 Remote Controlled Trans and Echo [RFC726]
8 Output Line Width [NIC50005]
9 Output Page Size [NIC50005]
10 Output Carriage-Return Disposition [RFC652]
11 Output Horizontal Tab Stops [RFC653]
12 Output Horizontal Tab Disposition [RFC654]
13 Output Formfeed Disposition [RFC655]
14 Output Vertical Tabstops [RFC656]
15 Output Vertical Tab Disposition [RFC657]
16 Output Linefeed Disposition [RFC658]
17 Extended ASCII [RFC698]
18 Logout [RFC727]
19 Byte Macro [RFC735]
20 Data Entry Terminal [RFC1043, RFC732]
21 SUPDUP [RFC736, RFC734]
22 SUPDUP Output [RFC749]
23 Send Location [RFC779]
24 Terminal Type [RFC1091]
25 End of Record [RFC885]
26 TACACS User Identification [RFC927]
27 Output Marking [RFC933]
28 Terminal Location Number [RFC946]
29 Telnet 3270 Regime [RFC1041]
30 X.3 PAD [RFC1053]
31 Negotiate About Window Size [RFC1073]
32 Terminal Speed [RFC1079]
33 Remote Flow Control [RFC1372]
34 Linemode [RFC1184]
35 X Display Location [RFC1096]
36 Environment Option [RFC1408]
37 Authentication Option [RFC2941]
38 Encryption Option [RFC2946]
Some options require that additional information is exchanged between hosts. For
example, when an option requires a parameter, the simple DO, DON’T, WILL, and
WON’T functions are not sufficient. To support additional information exchange, both
hosts must agree to discuss the parameters and then use the command SB to begin
subnegotiation.