Saturday, August 10, 2019

Hacker Jeopardy, Wrong Answers Only Edition

Among the evening entertainments at DEF CON is "Hacker Jeopardy", like the TV show Jeopardy, but with hacking tech/culture questions. In today's blog post, we are going to play the "Wrong Answers Only" version, in which I die upon the hill defending the wrong answer.

The problem posed is:
YOU'LL LIKELY SHAKE YOUR HEAD WHEN YOU SEE TELNET AVAILABLE, NORMALLY SEEN ON THIS PORT
Apparently, people gave 21, 22, and 25 as the responses. The correct response, according to RFC assignments of well-known ports, is 23.

But the real correct response is port 21. The problem posed wasn't about which port was assigned to Telnet (port 23), but what you normally see these days. 


Port 21 is assigned to FTP, the file transfer protocol. A little-known fact about FTP is that it uses Telnet for its command channel on port 21. In other words, FTP isn't a text-based protocol like SMTP, HTTP, POP3, and so on. Instead, it's layered on top of Telnet. It says so right in RFC 959:


When we look at the popular FTP implementations, we see that they do indeed respond to Telnet control codes on port 21. There are a ton of FTP implementations, of course, so some don't respond to Telnet (treating the command channel as a straight text protocol). But the vast majority of what's out there are implementations that implement Telnet as defined.

Consider network intrusion detection systems. When they decode FTP, they do so with their Telnet protocol parsers. You can see this in the Snort source code, for example.
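What that Telnet decoding step amounts to, as an added sketch that is not from this post and is not Snort's code: it strips Telnet sequences out of FTP command-channel bytes so a content match sees the same command the server does. The function name, the sample bytes, and the choice to refuse every option (DO answered with WONT, WILL with DONT) are assumptions made for the illustration.

```python
# Telnet command bytes from RFC 854
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

def normalize_ftp_control(data: bytes):
    """Return (clean, replies, events) for one buffer of port-21 traffic.

    clean   - command text with Telnet sequences removed
    replies - refusals a server declining all options would send (assumed policy)
    events  - number of Telnet sequences found, useful as an anomaly signal
    """
    clean, replies, events = bytearray(), bytearray(), 0
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:                 # ordinary FTP text
            clean.append(data[i])
            i += 1
            continue
        if i + 1 >= n:                     # lone IAC at end: incomplete, drop it
            break                          # (a stream parser would buffer it)
        cmd = data[i + 1]
        if cmd == IAC:                     # IAC IAC is an escaped literal 0xFF
            clean.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):  # three-byte option negotiation
            if i + 2 >= n:
                break
            if cmd == DO:
                replies += bytes([IAC, WONT, data[i + 2]])
            elif cmd == WILL:
                replies += bytes([IAC, DONT, data[i + 2]])
            events += 1
            i += 3
        elif cmd == SB:                    # subnegotiation runs until IAC SE
            j = i + 2
            while j + 1 < n and not (data[j] == IAC and data[j + 1] == SE):
                j += 2 if data[j] == IAC else 1   # skip escaped IAC pairs
            if j + 1 >= n:
                break
            events += 1
            i = j + 2
        else:                              # two-byte command (NOP, AYT, IP, ...)
            events += 1
            i += 2
    return bytes(clean), bytes(replies), events

# Constructed sample: a USER command with IAC NOP and IAC DO TIMING-MARK inside it
SAMPLE = b"US\xff\xf1ER anon\xff\xfd\x06ymous\r\n"

if __name__ == "__main__":
    print(normalize_ftp_control(SAMPLE))
```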

The question is "normally seen". Well, Telnet on port 23 has largely been replaced by SSH on port 22, so you don't normally see it on port 23. However, FTP is still popular. While I don't have a hard study to point to, in my experience, the amount of traffic seen on port 21 is vastly higher than that seen on port 23. QED: the port where Telnet is normally seen is port 21.

But the original problem wasn't so much "traffic" seen, but "available". That's a problem we can study with port scanners -- especially mass port scans of the entire Internet. Rapid7 has their yearly Internet Exposure Report. According to that report, port 21 is three times as available on the public Internet as port 23.

So the correct response to the posed problem is port 21! Whoever answered that at Hacker Jeopardy needs to have their score updated to reflect that they gave the right response.

Prove me wrong. 

