{"id":2374,"date":"2017-01-11T19:27:00","date_gmt":"2017-01-11T19:27:00","guid":{"rendered":"http:\/\/emtunc.org\/blog\/?p=2374"},"modified":"2017-01-11T21:10:50","modified_gmt":"2017-01-11T21:10:50","slug":"state-telnet-internet-findings","status":"publish","type":"post","link":"https:\/\/emtunc.org\/blog\/01\/2017\/state-telnet-internet-findings\/","title":{"rendered":"The State of Telnet on the Internet &#8211; My Findings"},"content":{"rendered":"<p>This is my first in, I hope, a series of posts about the &#8216;<em>state of things on the internet&#8217;<\/em>\u00a0along with my findings and anything interesting I may have come across along the way.<\/p>\n<p>This post will be about the state of\u00a0<em>Telnet<\/em>\u00a0(Port 23) on the internet from the perspective of a single internet-scanning host (read more in the methodologies section below). I&#8217;ll be going through some statistics including: top countries, top brands and\/or firmware and lastly, an analysis on banner responses.<\/p>\n<p><!--more--><\/p>\n<h3>Scanning\/Results Methodology<\/h3>\n<p>First let&#8217;s get some basics out the way so that it is clear how I got the results I did from my scans:<\/p>\n<ul>\n<li>I used a Kali Linux distro running in a VM &#8211; the performance and reliability could have been better running this on a physical machine with direct access to the NIC; maybe next time.<\/li>\n<li>I used <a href=\"https:\/\/github.com\/robertdavidgraham\/masscan\" target=\"_blank\">masscan<\/a> as the port scanner and banner grabber &#8211;\u00a0it&#8217;s very similar to Nmap in terms of usage <em>but<\/em> it can scan at an order of magnitude faster than Nmap. The below is a copy of my masscan.conf which I used to run the scans:\n<pre class=\"lang:default decode:true\">rate = 6000.00\r\noutput-format = grepable\r\nports = 23\r\nrange = 0.0.0.0-49.255.255.255\r\nexclude-file = \/root\/Desktop\/ip-exclude-list.txt\r\nrandomize-hosts = false\r\nbanners = true\r\nadapter-ip = 192.168.10.200\r\noutput-filename = \/root\/Desktop\/masscan-results\/0.0.0.0-49.255.255.255-original.txt\r\nwait = 30<\/pre>\n<p>I could get to about 6,000 packets per second before melting my connection; in fact at one point the data plane on my (enterprise level!) firewall\/router crashed so I lost about 15 minutes of data whilst it was busy restarting.<\/p>\n<p>I scanned blocks at a time to keep the results manageable.<\/p>\n<p>The exclude file is a list of the RFC1918 addresses.<\/li>\n<li>I ran these scans off an internet connection with the following speeds:<br \/>\n73Mb\/s receive\u00a0and 19Mb\/s transmit.<\/li>\n<li>Results were analysed in Excel 2016 x64 &#8211; that last bit is important&#8230; a 32 bit version of Excel would cry about not being able to address more than 2GB of memory. Also it turns out analysing more than a million rows in Excel can be made a lot easier by using the Power Pivot tools which I didn&#8217;t know about previously<\/li>\n<li>I used an awesome free service\/API called <a href=\"http:\/\/about.ip2c.org\/#about\" target=\"_blank\">ip2c.org<\/a> (IP-2-Country) which allows one to pass an IP address in and get a Country code back. My PowerShell script to grab this data:<\/li>\n<\/ul>\n<pre class=\"lang:ps decode:true\">$csv = Import-Csv '.\\0.0.0.0-49.255.255.255-original.txt' -Delimiter \"`t\" -Header \"Host\",\"Port\",\"Service\",\"Banner\"\r\n$export = \"0.0.0.0-49.255.255.255-countries.csv\"\r\n\r\nForEach ($row in $csv)\r\n{\r\n    $Matches = $null\r\n    $regex = (Invoke-WebRequest \"http:\/\/ip2c.org\/$($row.Host)\").content -match ('[0-1];[A-Za-z]*;[A-Za-z]*;(.*)')\r\n    $row | Add-Member -MemberType NoteProperty -Name Country -Value $Matches[1]\r\n    $row | Export-Csv -Delimiter \",\" -Path .\/$export -Append -NoTypeInformation\r\n}<\/pre>\n<p>Lastly, I want to make two things clear about the #numbers in my results:<\/p>\n<ol>\n<li>There are probably\/most likely a lot more (hundreds of thousands\/millions?) more devices out there then I found &#8211; I may need to adjust my scan rate the next time I run such a test so that I capture more data and also I&#8217;d probably run my next test on physical hardware so that masscan has direct access to the NIC.<\/li>\n<li>There are more open Telnet ports than there are banners &#8211; that&#8217;s normal for a number of reasons. Some devices simply won&#8217;t return a banner. Some\u00a0will respond to a probe\u00a0even if nothing is listening behind it &#8211; think security appliances (SYN cookies) and load balancers.<\/li>\n<\/ol>\n<h1>Results<\/h1>\n<h4>Open Ports vs Banners Received<\/h4>\n<p>A total of <strong>5,601,277<\/strong> hosts were reported to be listening on Port 23. Of these,\u00a0<strong>2,570,080<\/strong>\u00a0<strong>(46%)<\/strong> returned banners.<\/p>\n<p>It&#8217;s common to see load balancers and security appliances reply back to a probe on Port 23 (or any other port really) which is probably one of the reasons why there are so many more open ports than banners received. The analysis below is based on the 2,570,080 hosts where banners were received from the scanned hosts.<\/p>\n<h4>Top 10 Countries<\/h4>\n<p>The chart below is of the top 10 countries where banner headers were received &#8211; i.e., from a total of 2.5 million hosts.<\/p>\n<p>The first few loosely follow the order of population by country so it&#8217;s no surprise to see China at #1.<\/p>\n<p><a href=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2017\/01\/countries-top10-1.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-2383 size-full\" src=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2017\/01\/countries-top10-1.png\" width=\"973\" height=\"634\" srcset=\"https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2017\/01\/countries-top10-1.png 973w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2017\/01\/countries-top10-1-300x195.png 300w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2017\/01\/countries-top10-1-768x500.png 768w\" sizes=\"auto, (max-width: 973px) 100vw, 973px\" \/><\/a><\/p>\n<h4>Top Models\/Firmware<\/h4>\n<p>Analysing banner responses for long periods of time can make anyone go insane but\u00a0it can also make one good at spotting patterns such as sentence structures which make it highly likely that multiple devices belong to the same manufacturer.<\/p>\n<p><a href=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2017\/01\/top-models.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2387\" src=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2017\/01\/top-models.png\" alt=\"\" width=\"969\" height=\"632\" srcset=\"https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2017\/01\/top-models.png 969w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2017\/01\/top-models-300x196.png 300w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2017\/01\/top-models-768x501.png 768w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/><br \/>\n<\/a><\/p>\n<p>It&#8217;s no surprise to see Huawei devices pop up the most in my scans; they manufacturer networking and telecommunications equipment &#8211; apparently the largest in the world with regards to the latter.<\/p>\n<p>The\u00a0<em>white label CCTV<\/em> is an interesting one &#8211; it&#8217;s the only name I could come up with because as far as my research takes me, it seems like generic CCTV\/IP camera\/Digital Video Recorder firmware that has been re-purposed by <strong>X<\/strong>\u00a0number of manufacturers.<br \/>\nThe web page for this firmware looks like the below &#8211; you may have seen it before, I know I have.<\/p>\n<p><a href=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2017\/01\/Sorry-Dear.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2388\" src=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2017\/01\/Sorry-Dear.jpg\" alt=\"\" width=\"1024\" height=\"748\" srcset=\"https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2017\/01\/Sorry-Dear.jpg 1024w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2017\/01\/Sorry-Dear-300x219.jpg 300w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2017\/01\/Sorry-Dear-768x561.jpg 768w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>The banner for this firmware typically looks like this:<\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true\">\\x0a\\x0aSorry, Dear! telnet service is still in lock-time,\\x0d\\x0aYou have to wait X min Y sec,\\x0d\\x0aIf you have any problem, ask administrator for help.\\x0d\\x0a<\/pre>\n<p>I was surprised to see so many DD-WRT firmware enabled routers with open Telnet access as this firmware is typically installed by tech enthusiasts and more\u00a0<em>advanced<\/em> users who should probably know better than to enable Telnet on the external interface. DD-WRT helpfully gives us the firmware release and system name in the banner which can be useful for an attacker looking for interesting victims&#8230;<\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true\">\\xff\\xfd\\x01\\xff\\xfd\\x1f\\xff\\xfb\\x01\\xff\\xfb\\x03\\x0d\\x0d\\x0aDD-WRT v24-sp2 big (c) 2012 NewMedia-NET GmbH\\x0d\\x0aRelease: 04\/07\/12 (SVN revision: 18946)\\x0d\\x0a\\x0d\\x0aCIA Surveillance Node login:\r\n<\/pre>\n<pre class=\"nums:false wrap:true lang:default decode:true\">\\xff\\xfd\\x01\\xff\\xfd\\x1f\\xff\\xfb\\x01\\xff\\xfb\\x03\\x0d\\x0d\\x0aDD-WRT v24-sp2 giga (c) 2013 NewMedia-NET GmbH\\x0d\\x0aRelease: 03\/25\/13 (SVN revision: 21061)\\x0d\\x0a\\x0d\\x0aVolkswagen WiFi login:<\/pre>\n<p>The &#8216;CIA&#8217; seem to be running an older firmware release &#8211; anyone want to let them know? \ud83d\ude09<\/p>\n<h4>Chatty Devices<\/h4>\n<p>Some devices and firmware love to talk.\u00a0I mean, take a look at this Polycom device &#8211; it&#8217;s happy to tell us its life story before we&#8217;ve even logged on.<\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true\">\\xff\\xfb\\x01\\x00\\xff\\xfd\\x03\\x00\\x0d\\x0a\\x0d\\x0aHi, my name is :     Anderson Industries\\x0d\\x0a\\x0d\\x0aSerial Number:       006961\\x0d\\x0aBrand:               Polycom\\x0d\\x0aSoftware Version:    Release 7.5.4 - 04 Mar 2005\\x0d\\x0aModel:               VS\\x0d\\x0aNetwork Interface:   ISDN_UNKNOWN\\x0d\\x0aMP Enabled:          No\\x0d\\x0aIP Address:          10.10.10.50\\x0d\\x0aGMT:                 Sun Nov 20 06:13:07 2016\\x0d\\x0aTime In Last Call:   0:02:34\\x0d\\x0aTotal Time In Calls: 3926:29:17\\x0d\\x0aTotal Calls:         10417\\x0d\\x0aCountry Code:        1\\x0d\\x0a<\/pre>\n<p>A lot of devices and firmware grab the system name and\/or locations and spit it out in the banner responses\u00a0<em>before<\/em> log-on. Not inherently a bad thing (I mean security through obscurity is no security at all, right?) but it does make it easier for attackers to\u00a0know <em>who<\/em> they&#8217;re attacking.<\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true\">\\x0d\\x0aWANFleX Access Control 0\\x0d\\x0aAdidas_Borisovskoe1\\x0d\\x0a\\x0d\\x0a\\xff\\xfb\\x01\\xff\\xfe\\x22\\xff\\xfd\\x03\\xff\\xfd\\x1f\\x0dLogin:\\x0d\\x1b[6C\\x1b[K\\x0d\\x1b[6C<\/pre>\n<h4>Vigilante Devices<\/h4>\n<p>So this was an interesting one. There are botnets out there logging in to insecure devices with default usernames and passwords and changing them to something non-default in order to <em>prevent<\/em> them being attacked by\u00a0<em>malicious<\/em> botnets. \u00a0There are a small number of these devices on the internet so far; 3,659 revealed in my scans.<\/p>\n<p>This one seems to be created by\u00a0<em>Team White<\/em> and the anti-botnet&#8230;botnet is called\u00a0<em>REINCARNA<\/em>. You can read more about this on their <a href=\"https:\/\/gitlab.com\/rav7teif\/linux.wifatch\" target=\"_blank\">GitLab page<\/a>.<\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true\">\\x0aREINCARNA \/ Linux.Wifatch\\x0a\\x0aYour device has been infected by REINCARNA \/ Linux.Wifatch.\\x0a\\x0aWe have no intent of damaging your device or harm your privacy in any way.\\x0a\\x0aTelnet and other backdoors have been closed to avoid further infection of\\x0athis device. Please disable telnet, change root\/admin passwords, and\/or\\x0aupdate the firmware.\\x0a\\x0aThis software can be removed by rebooting your device, but unless you take\\x0asteps to secure it, it will be infected again by REINCARNA, or more harmful\\x0asoftware.\\x0a\\x0aThis remote disinfection bot is free software. The source code\\x0ais currently available at https:\/\/gitlab.com\/rav7teif\/linux.wifatch\\x0a\\x0aTeam White \\x3crav7teif@ya.ru\\x3e\\x0a\\x0a<\/pre>\n<p>This one is a little less subtle but the outcome is the same:<\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true\">\\xff\\xfb\\x01\\xff\\xfb\\x03\\xff\\xfd\\x18\\xff\\xfd\\x1f\\x0d\\x0aYour security sucks! Use less obvious passwords and stop having telnet listen from the whole world!\\x0d\\x0aNothing has been done in these routers except changing the motd, rebooting them or issuing configure replace startup-config will remove this.\\x0d\\x0aBut first, go fix your network!\\x0d\\x0a\\x0d\\x0a\\x0d\\x0aUser Access Verification\\x0d\\x0a\\x0d\\x0aPassword: \\x0d\\x0a% Password:  timeout expired!\\x0d\\x0aPassword:<\/pre>\n<h4>Older Devices\/Firmware<\/h4>\n<p>It should be of no surprise that there are really old devices still sitting on the internet. This is a problem that won&#8217;t be going away any time soon but it&#8217;s still worth looking at some interesting stats&#8230;<\/p>\n<ul>\n<li>The device with the longest up-time I&#8217;ve seen is 5.6 years. To this day I still see sysadmins boasting about their up-times; sometimes even posting screenshots and shell outputs to public forums. In\u00a0<em><span style=\"text-decoration: underline;\">most<\/span>\u00a0<\/em>cases, your up-time is just an indicator for the last time you patched your systems\u00a0system&#8230; and that&#8217;s not a good thing.<\/li>\n<li>The oldest firmware I saw was from 1997-2001. Again, this problem of old crap on the internet isn&#8217;t going away any time soon unfortunately.<\/li>\n<\/ul>\n<h4>Amusing Devices\/Firmware<\/h4>\n<p>As I was trawling through the data I came across some&#8230; funny banners.<\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true \">\\xff\\xfb\\x01\\x0a\\x0d\\x0a\\x0d\\x0a\\x0dWelcome to UTMA.com\\x0a\\x0d\\x0a\\x0dUnauthorized use of this device is prohibited.\\x0a\\x0d\\x0a\\x0dTrespassers will be shocked via the keyboard interface.\\x0a\\x0d\\x0a\\x0d\\x0a\\x0d\\x0a\\x0d\\x0a\\x0dUsername:<\/pre>\n<p>Actually&#8230; I couldn&#8217;t really tell if this one was meant to be funny or not:<\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true\">\\xff\\xfb\\x01\\x0d\\x0aWARNING: CONTENTS UNDER PRESSURE. HIGHLY FLAMMABLE. RISK OF SHOCK.\\x0d\\x0a         DO NOT ATTEMPT TO OPEN COVER. NO USER SERVICABLE PARTS INSIDE.\\x0d\\x0a         REFER SERVICING TO QUALIFIED PERSONNEL ONLY.\\x0d\\x0a\\x0d\\x0a         Unauthorized access is prohibited and will be prosecuted by law.\\x0d\\x0a\\x0d\\x0alogin :<\/pre>\n<p>Have fun with my IP address, NASA.<\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true\">\\x0aWelcome to the blackhole. \\x0aYour ip adress was saved and will be sent to nasa.\\x0a<\/pre>\n<h4>Interesting Banners<\/h4>\n<p>Damnit why the hell am I seeing\u00a0<strong>projectors<\/strong>\u00a0on the internet?!<\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true \">\\x0d\\x0aSHARP XG-C435X Version 1.01.\\x0d\\x0a(c) 2007 Sharp Corporation.\\x0d\\x0a\\x0d\\x0aUser Name:<\/pre>\n<p>Telnet is not available on port 23 so why don&#8217;t you go ahead and look at this .gif (why is it even a .gif?!) which will tell you what port to connect to&#8230; my head hurt after seeing this one&#8230;<\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true\">\\x0aTelnet is not available on port 23.\\x0a\\x0aSee http:\/\/m5.chicago.il.us\/telnet.gif\\x0a\\x0d\\x0a<\/pre>\n<p>There was a small number of these\u00a0<em>Intelligent Power Meters<\/em> &#8211; a mere clear-text password away from remotely turning off power?<\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true\">\\x0a\\x0dGW25 v1.6.21 - Intelligent Power Meters GPRS Gateway\\x0a\\x0dDeveloped by Satelitech S.A for ESG Dilec\\x0a\\x0dEnter password:<\/pre>\n<p>Here&#8217;s an automatic number plate recognition system by PIPS Technology who have been <a href=\"https:\/\/www.eff.org\/deeplinks\/2015\/10\/license-plate-readers-exposed-how-public-safety-agencies-responded-massive\" target=\"_blank\">exposed in the past<\/a>.<\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true\">\\x0aATZ\\x0d\\x0aP372 application Aug 29 2008 16:07:45\\x0d\\x0aP372 Serial Number: 6169\\x0d\\x0apcb:1, vers:03, rel:x06, build:1159\\x0d\\x0aRAM: 128M @ 128M\\x09EPROM: 512k\\x0d\\x0aFlex capabilities 003f\\x0d\\x0a     Camera firmware: 4.34\\x0a       362 epld vers: 13\\x0a    ANPR enabled for: USA Louisiana    , 2271\\x0a    Operating system: C EXECUTIVE 3.3\\x0aeprom image checksum: 1408\\x0a     application crc: bf68\\x0a  current config crc: f8f7\\x0areference config crc: f8f7\\x0a* Installed options: 00200018\\x0a* ... Compact Flash\\x0a* ... Basic VES with no security\\x0a* ... USA Licenceplate recognition\\x0a* PIPS Technology AUTOPLATE (tm) license plate recognition\\x0a* VES - (violation enforcement system)\\x0a\\x3e\\x3e<\/pre>\n<p>There are\u00a0<strong>GAMES<\/strong> running on Telnet!!! I guess I&#8217;m not old enough to have known that this was\/still is a thing!<\/p>\n<p>I certainly admire the effort.<\/p>\n<p>Here&#8217;s chess:<\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true \">Welcome to the INTERNET CHESS CLUB\\x0d\\x0a\\x0d\\x0aweb:   www.chessclub.com    email: support@chessclub.com\\x0d\\x0aphone: 1-412-436-5558\\x0d\\x0a\\x0d\\x0alogin:<\/pre>\n<p>And another &#8211; you gotta have some Telnet Chess competition, right?<\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true\">\\x0a\\x0d             _       __     __                             __      \\x0a\\x0d            | |     \/ \/__  \/ \/________  ____ ___  ___     \/ \/_____ \\x0a\\x0d            | | \/| \/ \/ _ \\x5c\/ \/ ___\/ __ \\x5c\/ __ `__ \\x5c\/ _ \\x5c   \/ __\/ __ \\x5c\\x0a\\x0d            | |\/ |\/ \/  __\/ \/ \/__\/ \/_\/ \/ \/ \/ \/ \/ \/  __\/  \/ \/_\/ \/_\/ \/\\x0a\\x0d            |__\/|__\/\\x5c___\/_\/\\x5c___\/\\x5c____\/_\/ \/_\/ \/_\/\\x5c___\/   \\x5c__\/\\x5c____\/ \\x0a\\x0d       ^^__                  _____________________                 _  _  _ \\x0a\\x0d      \/  - \\x5c_               \/ ____\/  _\/ ____\/ ___\/   _            | || || |\\x0a\\x0d    \\x3c|    __\\x3c              \/ \/_   \/ \/\/ \/    \\x5c__ \\x5c   (_)           |_______|\\x0a\\x0d    \\x3c|    \\x5c               \/ __\/ _\/ \/\/ \/___ ___\/ \/  _              \\x5c__ ___ \/\\x0a\\x0d    \\x3c|     \\x5c             \/_\/   \/___\/\\x5c____\/\/____\/  (_)              |___|_|\\x0a\\x0d    \\x3c|______\\x5c                                                      |_|___|\\x0a\\x0d     _|____|_        ======================================        |___|_|\\x0a\\x0d    (________)         freechess.org  ----  167.114.65.195        (_______)\\x0a\\x0d    \/________\\x5c       ======================================       \/_______\\x5c \\x0a\\x0d                       (Login screen designed by Alefith)\\x0a\\x0d\\x0a\\x0d   ****** Welcome to the Free Internet Chess Server at freechess.org ******\\x0a\\x0d\\x0a\\x0dWebpage: http:\/\/www.freechess.org\\x0a\\x0dHead admin : Chessty   Complaints to : complaints@freechess.org\\x0a\\x0dServer location: freechess.org   Server version : 1.25.20\\x0a\\x0d\\x0a\\x0d      If you are not a registered player, enter guest or a unique ID.\\x0a\\x0d             (If your return key does not work, use cntrl-J)\\x0a\\x0d\\x0a\\x0dlogin:<\/pre>\n<p><em>&#8220;An on-line real time multiplayer text based role-playing game&#8221;<\/em><\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true\">\\x0a\\x0d17 players on.\\x0a\\x0dSystem started 4 days and 2 hours ago.\\x0a\\x0dGetting site info...\\x0a\\x0d\\x0a\\x0d-------------------------------------------------------------------------------\\x0a\\x0d Thanks to:          Michael Seifert, Hans Henrik Strfeldt, Tom Madsen,\\x0a\\x0d                 Katja Nyboe, Alan Button, Eric Litman, and Peter Bartlett\\x0a\\x0d       For many ideas and starting us down this twisting road of imagination.\\x0a\\x0d-------------------------------------------------------------------------------\\x0a\\x0d                                                  http:\/\/www.theforestsedge.com\\x0a\\x0d _____ _            _____                   _   _       _____    _            \\x0a\\x0d|_   _| |__   ___  |  ___|__  _ __ ___  ___| |_( )___  | ____|__| | __ _  ___ \\x0a\\x0d  | | | \\x27_ \\x5c \/ _ \\x5c | |_ \/ _ \\x5c| \\x27__\/ _ \\x5c\/ __| __|\/\/ __| |  _| \/ _` |\/ _` |\/ _ \\x5c\\x0a\\x0d  | | | | | |  __\/ |  _| (_) | | |  __\/\\x5c__ \\x5c |_  \\x5c__ \\x5c | |__| (_| | (_| |  __\/\\x0a\\x0d  |_| |_| |_|\\x5c___| |_|  \\x5c___\/|_|  \\x5c___||___\/\\x5c__| |___\/ |_____\\x5c__,_|\\x5c__, |\\x5c___|\\x0a\\x0d                                                                   |___\/\\x0a\\x0d\\x0a\\x0d                     [1] Start a new character\\x0a\\x0d                     [2] View online players\\x0a\\x0d                     [3] Recover lost password\\x0a\\x0d                     [4] Request character list\\x0a\\x0d                     [5] Help with connection problems\\x0a\\x0d\\x0a\\x0d        --* Or enter the name of an already existing character. *--\\x0a\\x0d\\x0a\\x0d                   Choice:<\/pre>\n<p>I also happened to see a\u00a0<em>lot<\/em> of non-telnet services responding on port 23. Most of them are probably the result of misconfigurations or an attempt at really bad obscurity.<\/p>\n<ul>\n<li>16,674 banners appeared to be HTTP responses<\/li>\n<li>8,118 banners appeared to be SSH<\/li>\n<li>2,112 banners appeared to be FTP servers (Microsoft FTP Service,FileZilla, etc)<\/li>\n<li>40 banners appeared to be VNC servers<\/li>\n<\/ul>\n<h1>Final Words<\/h1>\n<p>It&#8217;s 2017 and we still have millions,maybe tens of millions of devices on the internet with default credentials listening on inherently insecure services. Millions of devices where credentials are being passed around in clear-text. Devices that probably have no reason to be on the internet at all like projectors and printers. It&#8217;s not a problem that will go away any time soon unfortunately and I don&#8217;t know that there is a clear solution for it either.<\/p>\n<p>Network operators and administrators need to work harder to keep their infrastructures secure &#8211; there&#8217;s a lot of enterprise level equipment out there just waiting to be owned.<\/p>\n<p>Firmware manufacturers also need to start\u00a0shipping their devices with more secure, default configurations.<\/p>\n<p>Is this all wishful thinking? I hope not&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is my first in, I hope, a series of posts about the &#8216;state of things on the internet&#8217;\u00a0along with my findings and anything interesting I may have come across along the way. This post will be about the state of\u00a0Telnet\u00a0(Port 23) on the internet from the perspective of a single internet-scanning host (read more [&hellip;]<\/p>\n","protected":false},"author":32,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":""},"categories":[1],"tags":[253,252],"class_list":["post-2374","post","type-post","status-publish","format-standard","hentry","category-tech","tag-state-of-things-on-the-internet","tag-telnet"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1trTO-Ci","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/2374","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/comments?post=2374"}],"version-history":[{"count":30,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/2374\/revisions"}],"predecessor-version":[{"id":2413,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/2374\/revisions\/2413"}],"wp:attachment":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/media?parent=2374"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/categories?post=2374"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/tags?post=2374"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}