Make your own free website on



Home | T.H.A.W Untested Code Vault | Clan | Python | Downloads | PS2 Code Hacking Tutorials | Pictures | How to become a hacker | THAW Codes | Links | Contacts | DOS


In this Guide you will learn how to:
* Use telnet from Windows
* Download web pages via telnet
* Get finger information via telnet
* Telnet from the DOS command-line
* Use netcat
* Break into Windows Computers from the Internet
Protecting Yourself
What can they do
The command-line approach
The GUI approach
Final Words
How to Use Telnet on a Windows Computer
Telnet is great little program for doing a couple of interesting things. In fact, if you want to call yourself a hacker, you absolutely MUST be able to telnet! In this lesson you will find out a few of the cool things a hacker can do with telnet.
If you are using Win95, you can find telnet in the c:\windows directory, and on NT, in the c:\winnt\system32 directory. There isn't a lot of online help concerning the usage of the program, so my goal is to provide some information for new users.
First off, telnet isn't so much an application as it is a protocol. Telnet is protocol that runs over TCP/IP, and was used for connecting to remote computers. It provides a login interface, and you can run command-line programs by typing the commands on your keyboard, and the programs use the resources of the remote machine. The results are displayed in the terminal window on your machine, but the memory and CPU cycles consumed by the program are located on the remote machine. Therefore, telnet functions as a terminal emulation program, emulating a terminal on the remote machine.
Now, telnet runs on your Win95 box as a GUI application...that is to say that you can type "telnet" at the command prompt (in Windows 95 this is the MS-DOS prompt), and assuming that your PATH is set correctly, a window titled "telnet" will open. This differs from your ftp program in that all commands are entered in the DOS window.
Let's begin by opening telnet. Simply open a DOS window by clicking "start", then "programs", then "MS-DOS", and at the command prompt, type:
The window for telnet will open, and you can browse the features of the program from the menu bar.
NEWBIE NOTE: In this text file, I am referring only to the telnet
program that ships with Win95/NT. If you type "telnet" at the
command prompt and you don't get the telnet window, make sure
that the program is on your hard drive using the Start -> Find ->
Files or Folders command. Also make sure that your path statement includes the Windows directory. There are many other programs available that provide similar functionality, with a lot of other bells and whistles, from any number of software sites.
To learn a bit more about telnet, choose Help -> Contents, or
Help -> Search for help on... from the menu bar. Read through
the files in order to find more detailed explanations of things
you may wish to do. For example, in this explanation, I will
primarily be covering how to use the application and what it can
be used for, but now how to customize the colors for the application.
Now, if you choose Connect -> Remote System, you will be presented with a dialog window that will ask you for the remote host, the port and the terminal type.
NEWBIE NOTE: For most purposes, you can leave the terminal type on
In the Connect dialog box, you can enter in the host to which
you wish to connect, and there is a list box of several ports
you can connect to:
daytime: May give you the current time on the server.
echo: May echo back whatever you type in, and will tell you that the computer you have connected to is alive nd running on the Internet. qotd: May provide you with a quote of the day.
chargen: May display a continuous stream of characters, useful for spotting network problems, but may crash your telnet program.
telnet: May present you with a login screen.
These will only work if the server to which you are trying to connect is running these services. However, you are not limited to just those can type in any port number you wish. (For more on fun ports, see the GTMHH, "Port Surf's Up.") You will only successfully connect to the port if the service in question is available. What occurs after you connect depends upon the protocol for that particular service.
When you are using telnet to connect to the telnet service on a server, you will (in most cases) be presented with a banner and a login prompt.
[Note from Carolyn Meinel: Many people have written saying their telnet program fails to connect no matter what host they try to reach. Here's a way to fix your problem. First -- make sure you are already connected to the Internet. If your telnet program still cannot connect to anything, here's how to fix your problem. Click "start" then "settings" then "control panel." Then click "Internet" then "connection." This screen will have two boxes that may or may not be checked. The top one says "connect to the Internet as needed." If that box is checked, uncheck it -- but only uncheck it if you already have been having problems connecting. The bottom box says "connect through a proxy server." If that box is checked, you probably are on a local area network and your systems administrator doesn't allow you to use telnet.]
NEWBIE NOTE: It's not a good idea to connect to a host on which you don't have a valid account. In your attempts to guess a username and password, all you will do is fill the log files on that host. From there, you can very easily be traced, and your online service provider will probably cancel your account.
Now, you can also use telnet to connect to other ports, such as
ftp (21), smtp (25), pop3 (110), and even http (80). When you
connect to ftp, smtp, and pop3, you will be presented with a
banner, or a line of text that displays some information about the
service. This will give you a clue as to the operating system
running on the host computer, or it may come right out and tell
you what the operating system is...for instance, AIX, Linux,
Solaris, or NT. If you successfully connect to port 80, you will
see a blank screen. This indicates, again, that you have successfully completed the TCP negotiation and you have a connection.
Now, what you do from there is up to you. You can simply disconnect with the knowledge that, yes, there is a service running on port 80, or you can use your knowledge of the HTTP protocol to retrieve the HTML source for web pages on the server.
How to Download Web Pages Via Telnet
To retrieve a web page for a server using telnet, you need to connect to that server on port 80, generally. Some servers may use a different port number, such as 8080, but most web servers run on port 80. The first thing you need to do is click on Terminal -> Preferences and make sure that there is a check in the Local Echo box. Then, since most web pages will generally take up more than a single screen, enable logging by clicking Terminal -> Start Logging... and select a location and filename. Keep in mind that as long as logging is on, and the same file is being logged to, all new information will be appended to the file, rather than overwriting the
original file. This is useful if you want to record several sessions, and edit out the extraneous information using Notepad.
Now, connect the remote host, and if your connection is successful, type in:
GET / HTTP/1.0
and hit enter twice.
NEWBIE NOTE: Make sure that you hit enter twice...this is part
of the HTTP protocol. The single / after GET tells the server
to return the default index file, which is generally "index.html".
However, you can enter other filenames, as well.
You should have seen a bunch of text scroll by on the screen. Now you can open the log file in Notepad, and you will see the HTML
code for the page, just as though you had chosen the View Source
option from your web browser. You will also get some additional
information...the headers for the file will contain some information
about the server. For example:
HTTP/1.0 200 Document follows
Date: Thu, 04 Jun 1998 14:46:46 GMT
Server: NCSA/1.5.2
Last-modified: Thu, 19 Feb 1998 17:44:13 GMT
Content-type: text/html
Content-length: 3196
One particularly interesting piece of information is the server
name. This refers to the web server software that is running
and serving web pages. You may see other names in this field,
such as versions of Microsoft IIS, Purveyor, WebSite, etc.
This will give you a clue as to the underlying operating system
running on the server.
SYSADMIN NOTE: This technique, used in conjunction with a
database of exploits on web servers, can be particularly annoying.
Make sure you keep up on exploits and the appropriate security
patches from your web server and operating system vendors.
NEWBIE NOTE: This technique of gathering web pages is perfectly legal. You aren't attempting to compromise the target system, you are simply doing by hand what your web browser does for you automatically. Of course, this technique will not load images and Java applets for you.
Getting Finger Information Via Telnet
By now, you've probably heard or read a lot about finger. It doesn't seem like a very useful service, and many sysadmins disable the service because it provides information on a particular user, information an evil hacker can take advantage of. Win95 doesn't ship with a finger client, but NT does. You can download finger clients for Win95 from any number of software sites. But why do that when you have a readily available client in telnet?
The finger daemon or server runs on port 79, so connect to a remote host on that port. If the service is running, you will be presented with a blank screen.
NEWBIE NOTE: NT doesn't ship with a finger daemon (A daemon is a program on the remote computer which waits for people like you to connect to it), so generally speaking, and server that you find running finger will be a Unix box. I say "generally" because there are third-party finger daemons available and someone may want to run one on their NT computer.
The blank screen indicates that the finger daemon is waiting for input. If you have a particular user that you are interested in, type in the username and hit enter. A response will be provided, and the daemon will disconnect the client. If you don't know a particular username, you can start by simply hitting enter. In some cases, you may get a response such as "No one logged on." Or you may get information of all currently logged on users. It all depends on whether or not the sysadmin has chosen to enable certain features of the daemon. You can also try other names, such as "root", "daemon", "ftp", "bin", etc.
Another neat trick to try out is something that I have seen referred to as "finger forwarding". To try this out, you need two hosts that run finger. Connect to the first host,, and enter the username that you are interested in. Then go to the second host, and enter:
You should see the same information! Again, this all depends upon
the configuration of the finger daemon.
Using Telnet from the Command Line
Now, if you want to show your friends that you a "real man" because "real men don't need no stinkin' GUIs", well just open up a DOS window and type:
c:\>telnet <host> <port>
and the program will automatically attempt to connect to the host
on the designated port for you.
Using Netcat
Let me start by giving a mighty big thanks to Weld Pond from L0pht for producing the netcat program for Windows NT. To get a copy of this program, which comes with source code, simply go to:
NOTE: The first character of "l0pht: is the letter "l". The second character is a zero, not an "o".
I know that the program is supposed to run on NT, but I have
seen it run on Win95. It's a great little program that can be used
to do some of the same things as telnet. However, there are
advantages to using netcat...for one, it's a command-line program,
and it can be included in a batch file. In fact, you can automate
multiple calls to netcat in a batch file, saving the results to
a text file.
NEWBIE NOTE: For more information on batch files, see previous versions of the Guide To (mostly) Harmless Hacking, Getting Serious with Windows series of them dealt with basic batch file programming.
Before using netcat, take a look at the readme.txt file provided in
the zipped archive you downloaded. It goes over the instructions
on how to download web pages using netcat, similar to what I
described earlier using telnet.
There are two ways to go about getting finger information using
netcat. The first is in interactive mode. Simply type:
c:\>nc <host> 79
If the daemon is running, you won't get a command prompt back. If this is the case, type in the username and hit enter. Or use the automatic mode by first creating a text file containing the username of interest. For example, I typed:
c:\>edit root
and entered the username "root", without the quotes. Then from
the command prompt, type:
c:\>nc <host> 79 < root
and the response will appear on your screen. You can save the
output to a file by adding the appropriate redirection operator
to the end of the file:
c:\>nc <host> 79 < root > nc.log
to create the file nc.log, or:
c:\>nc <host> 79 < root >> nc.log
to append the response to the end of nc.log. NOTE: Make sure
that you use spaces between the redirection operators.
How to Break into a Windows 95 machine Connected to the Internet
The intent of this file is NOT to provide a step-by-step guide to accessing a Win95 computer while it is connected to the Internet. The intent is show you how to protect yourself.
There are no special tools needed to access a remote Win95 machine...everything you need is right there on your Win95 system! Two methods will be described...the command-line approach and the GUI approach.
Protecting Yourself
First, the method of protecting yourself needs to be made perfectly clear. DON'T SHARE FILES!! I can't stress that enough. If you are a home user, and you are connecting a Win95 computer to the Internet via some dial-up method, disable sharing. If you must share, use a strong password...8 characters minimum, a mix of upper and lower case letters and numbers, change the password every now and again. If you need to transmit the
password to someone, do so over the phone or by written letter. To disable sharing, click on My Computer -> Control Panel -> Network -> File and Print Sharing. In the dialog box that appears, uncheck both boxes. It's that easy.
What Can They Do?
What can someone do? Well, lots of stuff, but it largely depends on what shares are available. If someone is able to share a printer from your machine, they can send you annoying letters and messages. This consumes time, your printer ink/toner, and your paper. If they are able to share a disk share, what they can do largely depends upon what's in that share. The share appears as another directory on the attacker's machine, so any programs they run will be consuming their own resources...memory, cpu cycles, etc. But if the attacker has read and write access to those disk shares, then you're in trouble. If you take work home, your files may be vulnerable. Initialization and configuration files can be searched for passwords. Files can be modified and deleted. A particularly nasty thing to do is adding a line to your autoexec.bat file so that the next time your computer is booted, the hard drive is formatted without any prompting from the user. Bad ju-ju, indeed.
** The command-line approach **
Okay, now for the part that should probably be titled "How they do it". All that is needed is the IP address of the remote machine. Now open up a DOS window, and at the command prompt, type:
c:\>nbtstat -A [ip_addr]
If the remote machine is connected to the Internet and the ports used for sharing are not blocked, you should see something like:
NetBIOS Remote Machine Name Table
Name Type Status
NAME <00> UNIQUE Registered
DOMAIN <00> GROUP Registered
NAME <03> UNIQUE Registered
USERNAME <03> UNIQUE Registered
MAC Address = 00-00-00-00-00-00
This machine name table shows the machine and domain names, a logged-on username, and the address of the Ethernet adapter (the information has been obfuscated for instructional purposes).
**Note: This machine, if unpatched and not protected with a firewall or packet-filter router, may be vulnerable to a range of denial of service attacks, which seem to be fairly popular, largely because they require no skill or knowledge to perpetrate.
The key piece of information that you are looking for is in the Type column. A machine that has sharing enabled will have a hex code of "<20>".
**Note: With the right tools, it is fairly simple for a sysadmin to write a batch file that combs a subnet or her entire network, looking for client machines with sharing enabled. This batch file can then be run at specific times...every day at 2:00 am, only on Friday evenings or weekends, etc.
If you find a machine with sharing enabled, the next thing to do is type the following command:
c:\>net view
Now, your response may be varied. You may find that there are no shares on the list, or that there are several shares available. Choose which share you would like to connect to, and type the command:
c:\>net use g:
You will likely get a response that the command was completed successfully. If that is the case, type:
c:\>cd g:
or which ever device name you decided to use. You can now view what exists on that share using the dir commands, etc.
Now, you may be presented with a password prompt when you ssue the above command. If that is the case, typical "hacker" (I shudder at that term) methods may be used.
** The GUI approach **
After issuing the nbtstat command, you can opt for the GUI approach to accessing the shares on that machine. To do so, make sure that you leave the DOS window open, or minimized...don't close it. Now, use Notepad to open this file:
Read over the file, and then open create another file in Notepad, called simply "Lmhosts", without an extension. The file should contain the IP address of the host, the NetBIOS name of the host (from the nbtstat command), and #PRE, separated by tabs. Once you have added this information, save it, and minimize the window. In the DOS command window, type:
c:\>nbtstat -R
This command reloads the cache from the Lmhosts file you just created.
Now, click on Start -> Find -> Computer, and type in the NetBIOS name of the computer...the same one you added to the lmhosts file. If your attempt to connect to the machine is successful, you should be presented with a window containing the available shares. You may be presented with a password prompt window, but again, typical "hacker" (again, that term grates on me like fingernails on a chalk board, but today, it seems that it's all folks understand) techniques may be used to break the password.
Note from Carolyn Meinel: Want to try this stuff without winding up in jail or getting expelled from school? Get a friend to give you permission to try to break in.
First, you will need his or her IP address. Usually this will be different every time your friend logs on. You friend can learn his or her IP address by going to the DOS prompt while online and giving the command "netstat -r". Something like this should show up:
C:\WINDOWS>netstat -r
Route Table
Active Routes:
Network Address Netmask Gateway Address Interface Metric 198.999.176.84 198.999.176.84 1 1
198.999.176.0 198.999.176.84 198.999.176.84 1
198.999.176.84 1
198.999.176.255 198.999.176.84 198.999.176.84 1 198.999.176.84 198.999.176.84 1 198.999.176.84 1
Your friend's IP address should be under "Gateway Address." Ignore the as this will show up for everyone and simply means "locahost" or "my own computer." If in doubt, break the Internet connection and then get online again. The number that changes is the IP address of your friend's computer.
Evil Genius tip: Here is something really scary. In your shell account give the "netstat" command. If your ISP allows you to use it, you might be able to get the dynamically assigned IP addresses of people from all over the world -- everyone who is browsing a Web site hosted by your ISP, everyone using ftp, spammers you might catch red-handed in the act of forging email on your ISP, guys up at 2AM playing on multiuser dungeons, IRC users, in fact you will see everyone who is connected to your ISP!
YOU CAN GO TO JAIL WARNING: If you find a Windows 95 box on the Internet with file sharing enabled and no password protection, you can still get in big trouble for exploiting it. It's just like finding a house whose owner forgot to lock the door -- you still are in trouble if someone catches you inside. Tell temptation to take a hike!
Final Words
Please remember that this Guide is for instructional purposes only and is meant to educate the sysadmin and user alike. If someone uses this information to gain access to a system which they have no permission or business messing with, I cannot be responsible for the outcome. If you are intending to try this information out, do so with the consent and permission of a friend.

Another Guide

Part I: The Magic of DOS
In this guide you will learn how to telnet, forge email, and use nslookup with Windows XP.
So you have the newest, glitziest, "Fisher Price" version of Windows: XP. How can you use XP in a way that sets you apart from the boring millions of ordinary users?
Luser Alert: Anyone who thinks this GTMHH will reveal how to blow up people's TV sets and steal Sandra Bullock's email is going to find out that I won't tell them how.
The key to doing amazing things with XP is as simple as D O S. Yes, that's right, DOS as in MS-DOS, as in MicroSoft Disk Operating System. Windows XP (as well as NT and 2000) comes with two versions of DOS. is an old DOS version. Various versions of come with Windows 95, 98, SE, ME, Window 3, and DOS only operating systems.
The other DOS, which comes only with XP, 2000 and NT, is cmd.exe. Usually cmd.exe is better than because it is easier to use, has more commands, and in some ways resembles the bash shell in Linux and other Unix-type operating systems. For example, you can repeat a command by using the up arrow until you back up to the desired command. Unlike bash, however, your DOS command history is erased whenever you shut down cmd.exe. The reason XP has both versions of DOS is that sometimes a program that won?t run right in cmd.exe will work in
Flame Alert: Some readers are throwing fits because I dared to compare DOS to bash. I can compare cmd.exe to bash if I want to. Nanny nanny nah nah.
DOS is your number one Windows gateway to the Internet, and the open sesame to local area networks. From DOS, without needing to download a single hacker program, you can do amazingly sophisticated explorations and even break into poorly defended computers.
You can go to jail warning: Breaking into computers is against the law if you do not have permission to do so from the owner of that computer. For example, if your friend gives you permission to break into her Hotmail account, that won't protect you because Microsoft owns Hotmail and they will never give you permission.
You can get expelled warning: Some kids have been kicked out of school just for bringing up a DOS prompt on a computer. Be sure to get a teacher's WRITTEN permission before demonstrating that you can hack on a school computer.
So how do you turn on DOS?
Click All Programs -> Accessories -> Command Prompt
That runs cmd.exe. You should see a black screen with white text on it, saying something like this:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
Your first step is to find out what commands you can run in DOS. If you type "help" at the DOS prompt, it gives you a long list of commands. However, this list leaves out all the commands hackers love to use. Here are some of those left out hacker commands.
TCP/IP commands:
NetBIOS commands (just some examples):
net use
net view
net localgroup

TCP/IP stands for transmission control protocol/Internet protocol. As you can guess by the name, TCP/IP is the protocol under which the Internet runs. along with user datagram protocol (UDP). So when you are connected to the Internet, you can try these commands against other Internet computers. Most local area networks also use TCP/IP.
NetBIOS (Net Basic Input/Output System) protocol is another way to communicate between computers. This is often used by Windows computers, and by Unix/Linux type computers running Samba. You can often use NetBIOS commands over the Internet (being carried inside of, so to speak, TCP/IP). In many cases, however, NetBIOS commands will be blocked by firewalls. Also, not many Internet computers run NetBIOS because it is so easy to break in using them. We will cover NetBIOS commands in the next Guide to XP Hacking.
The queen of hacker commands is telnet. To get Windows help for telnet, in the cmd.exe window give the command:
C:\>telnet /?
Here's what you will get:
telnet [-a][-e escape char][-f log file][-l user][-t term][host
-a Attempt automatic logon. Same as --l option except uses the currently logged on user's name.
-e Escape character to enter telnet cclient prompt.
-f File name for client side logging
-l Specifies the user name to log in with on the remote system. Requires that the remote system support the TELNET ENVIRON option.
-t Specifies terminal type. Supportedd term types are vt100, vt52, ansi and vtnt only.
host Specifies the hostname or IP address of the remote computer to connect to.
port Specifies a port number or service name.

Newbie note: what is a port on a computer? A computer port is sort of like a seaport. It's where things can go in and/or out of a computer. Some ports are easy to understand, like keyboard, monitor, printer and modem. Other ports are virtual, meaning that they are created by software. When that modem port of yours (or LAN or ISDN or DSL) is connected to the Internet, your computer has the ability to open or close any of over 65,000 different virtual ports, and has the ability to connect to any of these on another computer - if it is running that port, and if a firewall doesn?t block it.
Newbie note: How do you address a computer over the Internet? There are two ways: by number or by name.
The simplest use of telnet is to log into a remote computer. Give the command:
C:/>telnet (substituting the name of the computer you want to telnet into for
If this computer is set up to let people log into accounts, you may get the message:
Type your user name here, making sure to be exact. You can't swap between lower case and capital letters. For example, user name Guest is not the same as guest.
Newbie note: Lots of people email me asking how to learn what their user name and password are. Stop laughing, darn it, they really do. If you don't know your user name and password, that means whoever runs that computer didn't give you an account and doesn't want you to log on.
Then comes the message:
Again, be exact in typing in your password.
What if this doesn't work?
Every day people write to me complaining they can't telnet. That is usually because they try to telnet into a computer, or a port on a computer that is set up to refuse telnet connections. Here's what it might look like when a computer refuses a telnet connection:
C:\ >telnet
Connecting To not open connection to the host, on port 23. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Or you might see:
C:\ >telnet
Connecting To not open connection to the host, on port 23. No connection could be made because the target machine actively refused it.
If you just give the telnet command without giving a port number, it will automatically try to connect on port 23, which sometimes runs a telnet server.
Newbie note: your Windows computer has a telnet client program, meaning it will let you telnet out of it. However you have to install a telnet server before anyone can telnet into port 23 on your computer.
If telnet failed to connect, possibly the computer you were trying to telnet into was down or just plain no longer in existence. Maybe the people who run that computer don't want you to telnet into it.
Even though you can't telnet into an account inside some computer, often you can get some information back or get that computer to do something interesting for you. Yes, you can get a telnet connection to succeed -without doing anything illegal --against almost any computer, even if you don't have permission to log in. There are many legal things you can do to many randomly chosen computers with telnet. For example:
C:/telnet 22
That tells us the target computer is running an SSH server, which enables encrypted connections between computers. If you want to SSH into an account there, you can get a shell account for free at . You can get a free SSH client program from .
You can get punched in the nose warning: Your online provider might kick you off for making telnet probes of other computers. The solution is to get a local online provider and make friends with the people who run it, and convince them you are just doing harmless, legal explorations.
Sometimes a port is running an interesting program, but a firewall won't let you in. For example,, a computer on my local area network, runs an email sending program, (sendmail working together with Postfix, and using Kmail to compose emails). I can use it from an account inside to send emails with headers that hide from where I send things.
If I try to telnet to this email program from outside this computer, here's what happens:
C:\>telnet 25
Connecting To not open connection to the host, on port 25. No connection could be made because the target machine actively refused it.
However, if I log into an account on and then telnet from inside to port 25, here's what I get:
Last login: Fri Oct 18 13:56:58 2002 from
Have a lot of fun...
cmeinel@test-box:~> telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying [Carolyn's note: is the numerical address meaning localhost, the same computer you are logged into]
Connected to localhost.
Escape character is '^]'.
220 test-box.local ESMTP Postfix
The reason I keep this port 25 hidden behind a firewall is to keep people from using it to try to break in or to forge email. Now the ubergeniuses reading this will start to make fun of me because no Internet address that begins with 10. is reachable from the Internet. However, sometimes I place this "test-box" computer online with a static Internet address, meaning whenever it is on the Internet, it always has the same numerical address. I'm not going to tell you what its Internet address is because I don't want anyone messing with it. I just want to mess with other people's computers with it, muhahaha. That's also why I always keep my Internet address from showing up in the headers of my emails.
Newbie note: What is all this about headers? It's stuff at the beginning of an email that may - or may not - tell you a lot about where it came from and when. To see full headers, in Outlook click view -> full headers. In Eudora, click the "Blah blah blah" icon.
Want a computer you can telnet into and mess around with, and not get into trouble no matter what you do to it? I've set up my ( with user xyz, password guest for you to play with. Here's how to forge email to using telnet. Start with the command:
C:\>telnet 25
Connecting To
220 <> Service ready
Now you type in who you want the message to appear to come from:
helo will answer:
250 <> host ready
Next type in your mail from address:
250 Requested mail action okay, completed
Your next command:
250 Requested mail action okay, completed
Your next command:
354 Start main input; end with <CRLF>.<CRLF>
Carolyn's note: <CRLF> just means hit return. In case you can't see that little period between the <CRLF>s, what you do to end composing your email is to hit enter, type a period, then hit enter again. Anyhow, try typing:
This is a test.
250 Requested mail action okay, completed
221 <> Service closing transmission channel
Connection to host lost.
Using techbroker's mail server, even if you enable full headers, the message we just composed looks like:
Status: R
X-status: N
This is a test.
That's a pretty pathetic forged email, huh? No "from", no date. However, you can make your headers better by using a trick with the data command. After you give it, you can insert as many headers as you choose. The trick is easier to show than explain:
220 <> Service ready
250 <> host ready
250 Requested mail action okay, completed
250 Requested mail action okay, completed
354 Start main input; end with <CRLF>.<CRLF>
Date: Mon, 21 Oct 2002 10:09:16 -0500
Subject: Rudolf
This is a Santa test.
250 Requested mail action okay, completed
221 <> Service closing transmission channel
Connection to host lost.
The message then looks like:
Date: Mon, 21 Oct 2002 10:09:16 -0500
Subject: Rudolf
This is a Santa test.
The trick is to start each line you want in the headers with one word followed by a colon, and the a line followed by "return". As soon as you write a line that doesn't begin this way, the rest of what you type goes into the body of the email.
Notice that the from the "mail from:" command didn't show up in the header. Some mail servers would show both "from" addresses.
You can forge email on within one strict limitation. Your email has to go to someone at If you can find any way to send email to someone outside techbroker, let us know, because you will have broken our security, muhahaha! Don't worry, you have my permission.
Next, you can read the email you forge on via telnet:
C:\>telnet 110
Give this command:
user xyz
+OK user is known
Then type in this:
pass test
+OK mail drop has 2 message(s)
retr 1
+OK message follows
This is a test.
If you want to know all possible commands, give this command:
+OK help list follows
USER user
PASS password
LIST [message]
RETR message
DELE message
APOP user md5
TOP message lines
UIDL [message]
Unless you use a weird online provider like AOL, you can use these same tricks to send and receive your own email. Or you can forge email to a friend by telnetting to his or her online provider's email sending computer(s).
With most online providers you need to get the exact name of their email computer(s). Often it is simply (substitute the name of the online provider for targetcomputer). If this doesn't work, you can find out the name of their email server with the DOS nslookup program, which only runs from cmd.exe. Here's an example:

C:\ >nslookup
Default Server:
> set q=mx
Address: MX preference = 5, mail exchanger = MX preference = 10, mail exchanger = MX preference = 20, mail exchanger = nameserver = nameserver = nameserver = nameserver = nameserver = internet address = internet address = internet address = internet address = internet address = internet address = internet address = internet address = internet address = internet address = internet address = internet address = internet address = internet address = internet address = internet address = internet address = internet address =
The lines that tell you what computers will let you forge email to people with addresses are: MX preference = 5, mail exchanger = MX preference = 10, mail exchanger = MX preference = 20, mail exchanger =
MX stands for mail exchange. The lower the preference number, the more they would like you to use that address for email.If that lowest number server is too busy, then try another server.
Sometimes when you ask about a mail server, nslookup will give you this kind of error message:
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to [] timed-out
To get around this problem, you need to find out what are the domain servers for your target online provider. A good place to start looking is . If this doesn't work, see for how to find the domain servers for any Internet address.
Newbie note: A domain name server provides information on the names and numbers assigned to computers on the Internet. For example, and contain information on,,, and When you query about other computers, it might have to go hunting for that information from other name servers. That's why you might get a timed out failure.
Once you know the domain servers for an online service, set one of them for the server for your nslookup program. Here's how you do it:
C:\ >nslookup
Default Server:
Now give the command:
> server
Default Server:
Next command should be:
> set q=mx
Address: MX preference = 5, mail exchanger = MX preference = 5, mail exchanger = MX preference = 5, mail exchanger = MX preference = 5, mail exchanger = MX preference = 5, mail exchanger = MX preference = 5, mail exchanger = MX preference = 5, mail exchanger = nameserver = nameserver = nameserver = internet address = internet address = internet address = internet address = internet address = internet address = internet address = internet address = internet address = internet address =
Your own online service will usually not mind and may even be glad if you use telnet to read your email. Sometimes a malicious person or faulty email program will send you a message that is so screwed up that your email program can't download it. With telnet you can manually delete the bad email. Otherwise tech support has to do it for you.
If you think about it, this ability to forge email is a huge temptation to spammers. How can your online provider keep the bad guys from filling up a victim's email box with garbage? The first time a bad guy tries this, probably nothing will stop him or her. The second time the online provider might block the bad guy at the firewall, maybe call the bad guy's online provider and kick him or her and maybe get the bad guy busted or sued.
You can go to jail warning: Sending hundreds or thousands of junk emails to bomb someone's email account is a felony in the US.
You can get sued warning: Spamming, where you send only one email to each person, but send thousands or millions of emails, is borderline legal. However, spammers have been successfully sued when they forge the email addresses of innocent people as senders of their spam.
Now that you know how to read and write email with telnet, you definitely have something you can use to show off with. Happy hacking!
Oh, here's one last goodie for advanced users. Get netcat for Windows. It's a free program written by Weld Pond and Hobbit, and available from many sites, for example . It is basically telnet on steroids. For example, using netcat, you can set up a port on your Windows computer to allow people to telnet into a DOS shell by using this command:
C:\>nc -L -p 5000 -t -e cmd.exe
You can specify a different port number than 5000. Just make sure it doesn't conflict with another port by checking with the netstat command. Then you and your friends, enemies and random losers can either telnet in or netcat in with the command:
C:\>nc -v [ipaddress of target] [port]
Of course you will probably get hacked for setting up this port. However, if you set up a sniffer to keep track of the action, you can turn this scary back door into a fascinating honeypot. For example, you could run it on port 23 and watch all the hackers who attack with telnet hoping to log in. With some programming you could even fake a unix-like login sequence and play some tricks on your attackers.

Make the world your own.