A critical security vulnerability has been discovered in the Microsoft Telnet Client, allowing remote attackers to silently harvest user credentials without user interaction. This flaw exploits the MS-TNAP authentication mechanism and can lead to credential theft through 0-Click attacks, especially in misconfigured network zones. (Affected: Microsoft Windows systems using Telnet)
Key points:
- The vulnerability resides in the MS-TNAP (Microsoft Telnet Authentication Protocol) used by the legacy Telnet Client on Windows systems.
- Attackers can lure victims into connecting to a malicious Telnet server, which automatically transmits NTLM credentials without warnings.
- Silent credential leakage occurs when zone security settings trust bare IP addresses or apply broad zone mappings to every protocol rather than to specific ones.
- Hackers can intercept NTLM hashes and leverage tools like Hashcat for offline password cracking, leading to credential disclosure.
- Servers in the Intranet or Trusted Sites zones may not prompt users, increasing the risk of unnoticed credential theft.
- The proof-of-concept demonstrates how an attacker can capture and crack credentials using a rogue Telnet server listening on port 23.
- Mitigation requires disabling the Telnet Client, restricting zone trust settings, and replacing Telnet with secure alternatives like SSH.
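The mitigation items above (disable the Telnet Client, tighten zone trust) are things a defender checks on each Windows host. The following PowerShell audit script is an added example written for this summary; it is not from the article or from Microsoft. It assumes a current Windows 10/11 or Server build where the Telnet Client is a DISM optional feature, and it assumes the Internet Settings ZoneMap registry layout (`Ranges` and `Domains` subkeys whose per-protocol DWORD values 1 and 2 mean Intranet and Trusted Sites). Run it in an elevated session; add `-Remediate` to remove the client.

```powershell
# Added example (not from the article): audit a Windows host for the legacy
# Telnet Client and for broad ZoneMap trust entries, then optionally remove
# the client. Assumes DISM optional features and the ZoneMap registry layout
# (zone DWORD 1 = Intranet, 2 = Trusted Sites).
[CmdletBinding()]
param(
    [switch]$Remediate   # when set, disable the Telnet Client feature
)

$findings = @()

# 1. Is the optional Telnet Client feature enabled?
$feature = Get-WindowsOptionalFeature -Online -FeatureName TelnetClient
if ($feature.State -eq 'Enabled') {
    $findings += 'Telnet Client feature is enabled (telnet.exe available).'
}

# 2. Is a telnet.exe binary present regardless of the feature state?
$telnetExe = Join-Path $env:SystemRoot 'System32\telnet.exe'
if (Test-Path $telnetExe) {
    $findings += "telnet.exe present at $telnetExe"
}

# 3. ZoneMap entries that place IP ranges or whole domains into Intranet (1)
#    or Trusted Sites (2); a '*' protocol name means the mapping applies to
#    every protocol, which is the broad configuration the article warns about.
$zoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
)
foreach ($root in $zoneMapRoots) {
    foreach ($sub in 'Ranges', 'Domains') {
        $path = Join-Path $root $sub
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path -Recurse | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            foreach ($p in $props.PSObject.Properties) {
                # Skip PowerShell's own metadata properties and the range string itself
                if ($p.Name -like 'PS*' -or $p.Name -eq ':Range') { continue }
                $zone = $p.Value
                if ($zone -is [int] -and $zone -in 1, 2) {
                    # Ranges keys carry the address range in ':Range'; Domains keys use the key name
                    $target = if ($props.':Range') { $props.':Range' } else { $_.PSChildName }
                    $tag = if ($p.Name -eq '*') { 'ALL protocols' } else { "protocol $($p.Name)" }
                    $findings += "Zone $zone mapping for '$target' ($tag) at $($_.PSPath)"
                }
            }
        }
    }
}

# 4. Any established outbound Telnet (TCP/23) sessions right now?
$live = Get-NetTCPConnection -RemotePort 23 -State Established -ErrorAction SilentlyContinue
foreach ($c in $live) {
    $findings += "Established TCP/23 connection to $($c.RemoteAddress) from PID $($c.OwningProcess)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Telnet Client or broad zone-trust findings.'
} else {
    $findings | ForEach-Object { Write-Output "[FINDING] $_" }
}

# 5. Optional remediation: remove the Telnet Client feature (no reboot forced)
if ($Remediate -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName TelnetClient -NoRestart | Out-Null
    Write-Output 'Telnet Client feature disabled.'
}
```

The zone scan reports every mapping, not only Telnet-specific ones, because a `*` protocol entry for an IP range is exactly what lets a rogue server on that range be treated as Intranet for any protocol; review each finding against what the host actually needs, and replace remaining Telnet use with SSH as the summary recommends.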
Read More: https://thecyberexpress.com/microsoft-telnet-0-click-vulnerability/