The State of Telnet on the Internet – My Findings

This is the first in what I hope will be a series of posts about the ‘state of things on the internet’, along with my findings and anything interesting I may have come across along the way.

This post will be about the state of Telnet (Port 23) on the internet from the perspective of a single internet-scanning host (read more in the methodology section below). I’ll be going through some statistics including: top countries, top brands and/or firmware and lastly, an analysis of banner responses.

Scanning/Results Methodology

First let’s get some basics out the way so that it is clear how I got the results I did from my scans:

  • I used a Kali Linux distro running in a VM – the performance and reliability could have been better running this on a physical machine with direct access to the NIC; maybe next time.
  • I used masscan as the port scanner and banner grabber – it’s very similar to Nmap in terms of usage but it can scan at an order of magnitude faster than Nmap. The below is a copy of my masscan.conf which I used to run the scans:

    I could get to about 6,000 packets per second before melting my connection; in fact at one point the data plane on my (enterprise level!) firewall/router crashed so I lost about 15 minutes of data whilst it was busy restarting.

    I scanned blocks at a time to keep the results manageable.

    The exclude file is a list of the RFC1918 addresses.

  • I ran these scans off an internet connection with the following speeds:
    73Mb/s receive and 19Mb/s transmit.
  • Results were analysed in Excel 2016 x64 – that last bit is important… a 32-bit version of Excel would cry about not being able to address more than 2GB of memory. Also it turns out analysing more than a million rows in Excel can be made a lot easier by using the Power Pivot tools, which I didn’t know about previously.
  • I used an awesome free service/API called IP-2-Country which allows one to pass an IP address in and get a country code back. My PowerShell script to grab this data:

Lastly, I want to make two things clear about the numbers in my results:

  1. There are most likely a lot more devices (hundreds of thousands, maybe millions?) out there than I found – I may need to adjust my scan rate the next time I run such a test so that I capture more data, and I’d probably run my next test on physical hardware so that masscan has direct access to the NIC.
  2. There are more open Telnet ports than there are banners – that’s normal for a number of reasons. Some devices simply won’t return a banner. Some will respond to a probe even if nothing is listening behind it – think security appliances (SYN cookies) and load balancers.


Open Ports vs Banners Received

A total of 5,601,277 hosts were reported to be listening on Port 23. Of these, 2,570,080 (46%) returned banners.

It’s common to see load balancers and security appliances reply to a probe on Port 23 (or any other port really), which is probably one of the reasons why there are so many more open ports than banners received. The analysis below is based on the 2,570,080 hosts that returned banners.

Top 10 Countries

The chart below is of the top 10 countries where banner headers were received – i.e., from a total of 2.5 million hosts.

The first few loosely follow the order of population by country so it’s no surprise to see China at #1.

Top Models/Firmware

Analysing banner responses for long periods of time can make anyone go insane but it can also make one good at spotting patterns such as sentence structures which make it highly likely that multiple devices belong to the same manufacturer.

It’s no surprise to see Huawei devices pop up the most in my scans; they manufacture networking and telecommunications equipment – apparently the largest in the world with regards to the latter.

The white label CCTV is an interesting one – it’s the only name I could come up with because, as far as my research takes me, it seems like generic CCTV/IP camera/Digital Video Recorder firmware that has been re-purposed by some unknown number of manufacturers.
The web page for this firmware looks like the below – you may have seen it before, I know I have.

The banner for this firmware typically looks like this:

I was surprised to see so many DD-WRT-enabled routers with open Telnet access, as this firmware is typically installed by tech enthusiasts and more advanced users who should probably know better than to enable Telnet on the external interface. DD-WRT helpfully gives us the firmware release and system name in the banner, which can be useful for an attacker looking for interesting victims…

The ‘CIA’ seem to be running an older firmware release – anyone want to let them know? 😉

Chatty Devices

Some devices and firmware love to talk. I mean, take a look at this Polycom device – it’s happy to tell us its life story before we’ve even logged on.

A lot of devices and firmware grab the system name and/or location and spit them out in the banner response before log-on. Not inherently a bad thing (I mean, security through obscurity is no security at all, right?) but it does make it easier for attackers to know who they’re attacking.

Vigilante Devices

So this was an interesting one. There are botnets out there logging in to insecure devices with default usernames and passwords and changing them to something non-default in order to prevent them from being attacked by malicious botnets. There is a small number of these devices on the internet so far; 3,659 were revealed in my scans.

This one seems to be created by Team White and the anti-botnet…botnet is called REINCARNA. You can read more about this on their GitLab page.

This one is a little less subtle but the outcome is the same:

Older Devices/Firmware

It should be of no surprise that there are really old devices still sitting on the internet. This is a problem that won’t be going away any time soon but it’s still worth looking at some interesting stats…

  • The device with the longest up-time I’ve seen is 5.6 years. To this day I still see sysadmins boasting about their up-times; sometimes even posting screenshots and shell outputs to public forums. In most cases, your up-time is just an indicator of the last time you patched your system… and that’s not a good thing.
  • The oldest firmware I saw was from 1997-2001. Again, this problem of old crap on the internet isn’t going away any time soon unfortunately.

Amusing Devices/Firmware

As I was trawling through the data I came across some… funny banners.

Actually… I couldn’t really tell if this one was meant to be funny or not:

Have fun with my IP address, NASA.

Interesting Banners

Damnit why the hell am I seeing projectors on the internet?!

Telnet is not available on port 23 so why don’t you go ahead and look at this .gif (why is it even a .gif?!) which will tell you what port to connect to… my head hurt after seeing this one…

There was a small number of these Intelligent Power Meters – a mere clear-text password away from remotely turning off power?

Here’s an automatic number plate recognition system by PIPS Technology who have been exposed in the past.

There are GAMES running on Telnet!!! I guess I’m not old enough to have known that this was/still is a thing!

I certainly admire the effort.

Here’s chess:

And another – you gotta have some Telnet Chess competition, right?

“An on-line real time multiplayer text based role-playing game”

I also happened to see a lot of non-telnet services responding on port 23. Most of them are probably the result of misconfigurations or an attempt at really bad obscurity.

  • 16,674 banners appeared to be HTTP responses
  • 8,118 banners appeared to be SSH
  • 2,112 banners appeared to be FTP servers (Microsoft FTP Service, FileZilla, etc.)
  • 40 banners appeared to be VNC servers
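As an added illustration (not the author’s Excel workflow or any code from the post), the helper below sorts captured port-23 responses into the buckets listed above and pulls out what a real Telnet banner leaks before login (negotiation stripped, firmware release and system name, the vigilante markers). The vendor regexes and sample banners are constructed assumptions, not scan data.

```python
import re
# Telnet option negotiation (RFC 854): IAC (0xff) + WILL/WONT/DO/DONT (0xfb-0xfe) + option byte.
_NEGOTIATION = re.compile(rb"\xff[\xfb-\xfe].", re.DOTALL)
# Vendor patterns are assumptions built from traits the post describes: DD-WRT prints its
# release and system name, and the vigilante devices name Team White / REINCARNA.
_VENDOR_PATTERNS = {"dd-wrt": re.compile(rb"DD-WRT (v[\w.-]+)"),
                    "vigilante": re.compile(rb"Team White|REINCARNA", re.I)}

def strip_telnet_negotiation(raw: bytes) -> bytes:
    """Drop IAC negotiation triples so only the printable banner remains."""
    return _NEGOTIATION.sub(b"", raw)

def classify_service(raw: bytes) -> str:
    """Coarse label for a response captured on TCP/23, mirroring the post's buckets."""
    if raw.startswith(b"SSH-"):
        return "ssh"
    if raw.startswith(b"RFB "):  # VNC Remote Framebuffer greeting
        return "vnc"
    if raw.startswith(b"HTTP/") or re.match(rb"\s*<(!DOCTYPE|html)", raw, re.I):
        return "http"
    if raw.startswith(b"220") and re.search(rb"ftp|filezilla", raw, re.I):
        return "ftp"
    if _NEGOTIATION.search(raw) or re.search(rb"login:|password:", raw, re.I):
        return "telnet"
    return "unknown"

def fingerprint(raw: bytes) -> dict:
    """Service label plus any vendor, firmware and system name the banner leaks pre-login."""
    text = strip_telnet_negotiation(raw)
    info = {"service": classify_service(raw), "vendor": None, "firmware": None, "hostname": None}
    for vendor, pattern in _VENDOR_PATTERNS.items():
        m = pattern.search(text)
        if m:
            info["vendor"] = vendor
            info["firmware"] = m.group(1).decode(errors="replace") if m.groups() else None
            break
    m = re.search(rb"(?m)^\s*([\w.-]+) login:", text)
    info["hostname"] = m.group(1).decode(errors="replace") if m else None
    return info

# Constructed sample banners (not real scan data), one per bucket plus a DD-WRT-style one.
SAMPLE_BANNERS = [
    b"\xff\xfd\x18\xff\xfd\x20DD-WRT v24-sp2 std (c) 2010 NewMedia-NET GmbH\r\n"
    b"Release: 12/22/10\r\n\r\nhome-router login: ",
    b"SSH-2.0-OpenSSH_7.4\r\n",
    b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n",
    b"220 Microsoft FTP Service\r\n",
    b"RFB 003.008\n",
]
```

Feeding a whole masscan banner export through `fingerprint` gives the per-service counts and the pre-login leakage that this post tallies by hand.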

Final Words

It’s 2017 and we still have millions, maybe tens of millions, of devices on the internet with default credentials listening on inherently insecure services. Millions of devices where credentials are being passed around in clear-text. Devices that probably have no reason to be on the internet at all, like projectors and printers. It’s not a problem that will go away any time soon unfortunately, and I don’t know that there is a clear solution for it either.

Network operators and administrators need to work harder to keep their infrastructures secure – there’s a lot of enterprise level equipment out there just waiting to be owned.

Firmware manufacturers also need to start shipping their devices with more secure, default configurations.

Is this all wishful thinking? I hope not…