Back in August last year, researchers at the University of Michigan released a new Internet scanner, ZMap, that can scan the entire global IPv4 address space in as little as 45 minutes; you can read the research paper here.

After a few months of testing this tool in the Tiberium lab we have come to a few conclusions, the biggest being that unencrypted protocols such as Telnet are still widely running on the perimeter of corporate networks. We have determined that 0.6% of the IPv4 global address space is hosting a Telnet service; that’s 25 million hosts!

We know that this is nothing new and has been a known issue for quite some time, but when presented with numbers like this it’s hard to ignore the glaring hole in many corporate networks and personal devices.

Ignoring the fact that router manufacturers still have Telnet enabled by default and ISPs ship these out to millions of their customers around the world (sometimes with default credentials still in place), we were still able to find 10,000 hosts within a few seconds, ranging from Cisco routers to more enterprise-grade firewalls, and this was only scanning 2% of the global address space.

This being the case, I call you to action! I see no reason why the massive number of insecure devices cannot be reduced.

Run a vulnerability scanner across your public address space and disable any discovered insecure ports. This goes beyond Telnet: SSH without RSA keys or two-factor authentication, PPTP without two-factor, or basically anything that doesn’t require VPN access. Have a read of this Crypto guide and implement the recommendations now! Do you really need those management ports exposed to the public… doubt it?

Secondly we present our Unencrypted Traffic Detection content pack for HP ArcSight (a detailed review of this Content Pack will be featured in an upcoming blog post).

Install this ArcSight Content Pack to give you internal visibility and discover insecure services running on your network that you may not have known about; alerts and reports can be configured to help you discover where these services are running and who is using them. Remember that running some of these services may impact your PCI compliance status, depending on what controls and mitigations you have in place and where in the network they are running.

Currently the content detects the following service usage:

SNMP v2
FTP
TELNET
SMTP
POP3
TACACS
Portmap
NetBIOS
Rlogin
NFS (check sec=krb5p)
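The detection the content pack performs, and the perimeter audit suggested earlier (find exposed insecure services on your own address space), can both be illustrated with a small stand-alone rule over firewall logs. The example that follows is added here for illustration; it is not the Tiberium ArcSight content pack and does not reproduce its rules. The log line format and the sample lines are constructed for this example, the destination ports are the well-known IANA assignments for the services in the list above (assumed to be what the pack keys on), and a port-based rule cannot tell SNMP v2 from v3 or see whether an NFS export uses sec=krb5p, so those two are flagged for a follow-up check rather than decided here.

```python
"""Flag allowed connections to cleartext or legacy services in firewall logs.

Added illustration only: a stand-alone approximation of the kind of rule the
post describes, not the ArcSight content pack itself. The log format, the
sample lines and the RFC 1918 "internal" definition are assumptions made here.
"""
import ipaddress
import re
from collections import Counter

# Well-known destination ports for the services listed in the post.
CLEARTEXT_SERVICES = {
    21: "FTP",
    23: "TELNET",
    25: "SMTP",
    49: "TACACS",
    110: "POP3",
    111: "Portmap",
    137: "NetBIOS",
    138: "NetBIOS",
    139: "NetBIOS",
    161: "SNMP",
    513: "Rlogin",
    2049: "NFS",
}

# Services where the port alone cannot prove the traffic is unencrypted.
NEEDS_FOLLOW_UP = {
    "SNMP": "check the agent rejects v1/v2c and only allows v3 with authPriv",
    "NFS": "check the export is mounted with sec=krb5p; port alone cannot tell",
}

# Internal address space for the "exposed to the Internet" decision (assumption:
# RFC 1918 only; Python's ip_address.is_private also matches documentation ranges,
# which would hide the constructed public sources below, so it is not used).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log format: "<ts> <ALLOW|DENY> src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>tcp|udp)$"
)

# Constructed sample input; 203.0.113.0/24 and 198.51.100.0/24 stand in for public hosts.
SAMPLE_LOGS = """\
2014-02-03T10:00:01Z ALLOW src=203.0.113.7:51234 dst=198.51.100.10:23 proto=tcp
2014-02-03T10:00:02Z ALLOW src=10.1.2.3:40000 dst=10.1.2.50:21 proto=tcp
2014-02-03T10:00:03Z DENY src=203.0.113.9:44444 dst=198.51.100.10:23 proto=tcp
2014-02-03T10:00:04Z ALLOW src=10.1.2.3:40001 dst=10.1.2.60:443 proto=tcp
2014-02-03T10:00:05Z ALLOW src=10.1.2.4:40002 dst=10.1.2.70:2049 proto=tcp
2014-02-03T10:00:06Z ALLOW src=198.51.100.77:33333 dst=198.51.100.10:161 proto=udp
this line is malformed and must be skipped, not crash the rule
""".splitlines()


def is_internal(ip_text):
    """True when the address falls inside RFC 1918 space."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in RFC1918)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["sport"] = int(event["sport"])
    event["dport"] = int(event["dport"])
    return event


def classify(event):
    """Return a finding for an ALLOWED connection to a listed service, else None."""
    service = CLEARTEXT_SERVICES.get(event["dport"])
    if service is None or event["action"] != "ALLOW":
        return None
    return {
        "service": service,
        "src": event["src"],
        "dst": event["dst"],
        "dport": event["dport"],
        # A non-RFC1918 source reaching the service means it is reachable from outside.
        "exposed_to_internet": not is_internal(event["src"]),
        "note": NEEDS_FOLLOW_UP.get(service, ""),
    }


def detect(lines):
    """Run the rule over an iterable of log lines and collect findings in order."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # unparseable line: skip rather than abort the whole run
        finding = classify(event)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per (service, exposed_to_internet) pair for a report."""
    return Counter((f["service"], f["exposed_to_internet"]) for f in findings)


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        where = "FROM INTERNET" if f["exposed_to_internet"] else "internal"
        print(f"{f['service']:<8} {f['src']} -> {f['dst']}:{f['dport']} [{where}] {f['note']}")
```

On the constructed input the rule reports four allowed cleartext connections (Telnet and SNMP from public sources, FTP and NFS internally) and ignores the denied Telnet attempt and the HTTPS session; the split by source lets a perimeter exposure be prioritised over purely internal use, which is the distinction the PCI remark above turns on.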

For those of you who want to know about running ZMap, here are a few more details:

The 45-minute global scan figure comes from a lab scenario on a 1Gbit Internet connection with upstream and local routers that can handle 500,000+ packets per second.

Real-world usage is slightly different, as not all of us have access to this type of connection and gear. If you were to run this at home you would find that your router drops out after about 10 seconds; you can rate limit ZMap using the --rate=110 option, setting it to 110 packets per second so that you can sustain a constant scan using a home-grade router. Remember that your ISP still might not be happy about it and may see this as a DoS attempt.

Have fun scanning the globe, but remember to be considerate not only to your ISP but to the millions of IPv4 addresses that you are constantly prodding, by following these best practices.

Results of our research found the following top most common device types running a Telnet service on the internet today: