Hacker Jeopardy, Wrong Answers Only Edition

Among the evening entertainment at DEF CON is “Hacker Jeopardy”, like the TV show Jeopardy, but with hacking tech/culture questions. In today’s blog post, we are going to play the “Wrong Answers Only” version, in which I die upon the hill defending the wrong answer.

The problem posed is this:

YOU’LL LIKELY SHAKE YOUR HEAD WHEN YOU SEE TELNET AVAILABLE, NORMALLY SEEN ON THIS PORT

Apparently, people gave 21, 22, and 25 as the responses. The correct response, according to RFC assignments of well-known ports, is 23.
A good wrong answer is port 25: the Morris Worm spread over port 25 (SMTP) using the DEBUG command.

But the real correct response is port 21. The problem posed wasn’t about which port was assigned to Telnet (port 23), but what you normally see these days.
Port 21 is assigned to FTP, the file transfer protocol. A little-known fact about FTP is that it uses Telnet for its command channel on port 21. In other words, FTP isn’t a text-based protocol like SMTP, HTTP, POP3, and so on. Instead, it’s layered on top of Telnet. It says right in RFC 959:
When we look at the popular FTP implementations, we see that they do respond to Telnet control codes on port 21. There are a ton of FTP implementations, of course, so some don’t respond to Telnet and instead treat it as a straight text protocol. But the vast majority of what’s out there are implementations that handle Telnet as defined.
Consider network intrusion detection systems. When they decode FTP, they do so with their Telnet protocol parsers. You can see this in the Snort source code, for example.
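To make the point about decoders concrete, here is an added example (not from the original post and not Snort's code) of the Telnet-aware normalization a monitoring tool needs before it can read FTP commands. The function names and the sample bytes are constructed for illustration; the sample uses the Telnet IP and Synch prefix that RFC 959 describes for sending ABOR during a transfer.

```python
# Added example: Telnet-aware normalization of an FTP control channel.
IAC, SE, SB = 255, 240, 250
WILL, WONT, DO, DONT = 251, 252, 253, 254

def strip_telnet(data: bytes) -> tuple[bytes, int]:
    """Remove Telnet command sequences; return (clean bytes, sequences removed)."""
    out = bytearray()
    removed = 0
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:          # dangling IAC at end of buffer: drop it
            removed += 1
            break
        cmd = data[i + 1]
        if cmd == IAC:          # IAC IAC is an escaped literal 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):   # 3-byte option negotiation
            removed += 1
            i += 3
        elif cmd == SB:         # subnegotiation: skip to the next IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            removed += 1
            i = n if end == -1 else end + 2
        else:                   # 2-byte command such as IP (244) or DM (242)
            removed += 1
            i += 2
    return bytes(out), removed

def ftp_commands(data: bytes) -> list[tuple[str, str]]:
    """Split a normalized control stream into (VERB, argument) pairs."""
    clean, _ = strip_telnet(data)
    cmds = []
    for line in clean.split(b"\r\n"):
        if line:
            verb, _, arg = line.partition(b" ")
            cmds.append((verb.decode("latin-1").upper(), arg.decode("latin-1")))
    return cmds

# Constructed sample: client-to-server bytes on port 21, with IAC IP, IAC DM before ABOR.
SAMPLE = b"USER anonymous\r\nRETR big.iso\r\n\xff\xf4\xff\xf2ABOR\r\nQUIT\r\n"

if __name__ == "__main__":
    for verb, arg in ftp_commands(SAMPLE):
        print(verb, arg)
```

A parser that treats the channel as plain text would read the third line's verb as four Telnet bytes followed by ABOR, which is why FTP decoders reuse Telnet handling.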
The question is “normally seen”. Well, Telnet on port 23 has largely been replaced by SSH on port 22, so you don’t normally see it on port 23. However, FTP is still popular. While I don’t have a hard study to point to, in my experience, the amount of traffic seen on port 21 is vastly higher than that seen on port 23. QED: the port where Telnet is normally seen is port 21.
But the original problem wasn’t so much “traffic” seen, but “available”. That’s a problem we can study with port scanners — especially mass port scans of the entire Internet. Rapid7 has their yearly Internet Exposure Report. According to that report, port 21 is three times as available on the public Internet as port 23.
So the correct response to the posed problem is port 21! Whoever answered that at Hacker Jeopardy needs to have their score updated to reflect that they gave the right response.
Prove me wrong. 

*** This is a Security Bloggers Network syndicated blog from Errata Security authored by Robert Graham. Read the original post at: https://blog.erratasec.com/2019/08/hacker-jeopardy-wrong-answers-only.html