Ports

Port 23: Telnet

Legacy remote terminal in cleartext. Mostly unsafe except in tightly controlled labs.

Where you will see it: in scans, firewall rules, vulnerability reports, and service configs. Treat open ports as exposure points and verify the service is expected, hardened, and restricted.

What it is

TCP port 23 is traditionally used by Telnet for remote terminal access. A port is a transport layer number used together with an IP address and a protocol such as TCP or UDP to direct traffic to the correct service on a host.

A server process binds a socket to a port and listens, while a client typically chooses an ephemeral source port for outbound connections. The combination of source and destination IP addresses, source and destination ports, and the transport protocol uniquely identifies a flow so the operating system can keep many conversations separate.

Firewalls, NAT, and scanners talk about ports because the destination port is the stable rendezvous point that exposes a service to the network. A Telnet server listens on port 23, and a client opens a TCP connection from an ephemeral source port to destination port 23.

After the handshake, keystrokes and output flow as plain text with no built-in encryption. In practice that means usernames, passwords, and commands can be read or modified by anyone who can observe or intercept the traffic on the path.

This is why Telnet is largely legacy today and has been replaced by SSH on port 22 for secure administration. If you still find port 23 open, it often indicates older network gear, lab environments, or misconfigured management interfaces that should be isolated.

How it works in broad strokes

  1. Client connects and immediately starts sending keystrokes and receiving terminal output.
  2. Optional Telnet option negotiation can adjust terminal behavior, but it does not add confidentiality.
  3. Authentication and commands run entirely in plaintext unless an external tunnel is used.

Concrete example

A technician telnets into a switch from a Wi-Fi network. Anyone on the same segment with a sniffer can capture the login and reuse it, which is why modern devices default to SSH.

Why it matters

Telnet matters because you still find it on old network gear, embedded devices, and lab environments. From a security perspective, an exposed Telnet service is almost always a problem because credentials can be captured and sessions can be hijacked.

Security angle

  • Disable Telnet and use SSH instead.
  • If you cannot remove it, restrict it to a management network and add strong monitoring.
  • Hunt for Telnet in scans and logs because it often indicates outdated devices.
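
One way to run that hunt over flow logs, as an added example that is not part of the original page: it finds every host serving Telnet and lists clients that reach it from outside the management network. The record format (`proto src_ip src_port dst_ip dst_port`), the `MGMT_NET` value, the sample flows, and the function names are all assumptions made for this illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: the only network allowed to reach Telnet (constructed value).
MGMT_NET = ipaddress.ip_network("10.0.99.0/24")
TELNET_PORT = 23

# Constructed flow records: "proto src_ip src_port dst_ip dst_port".
SAMPLE_FLOWS = """\
tcp 10.0.99.10 51514 10.0.5.1 23
tcp 10.0.5.1 23 10.0.99.10 51514
tcp 10.0.20.44 49822 10.0.5.1 23
tcp 10.0.99.11 50000 10.0.5.2 23
tcp 10.0.20.44 49830 10.0.5.7 22
udp 10.0.20.44 40000 10.0.5.1 23
tcp 10.0.20.61 23 10.0.30.8 50211
"""

def telnet_flows(text):
    """Yield (client_ip, server_ip) for each TCP flow that involves port 23."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0].lower() != "tcp":
            continue  # Telnet runs over TCP; skip malformed lines and other protocols
        _, src, sport, dst, dport = fields
        if not (sport.isdigit() and dport.isdigit()):
            continue
        if int(dport) == TELNET_PORT:
            yield src, dst   # client -> server direction
        elif int(sport) == TELNET_PORT:
            yield dst, src   # return traffic: the server is the source side

def hunt(text, mgmt_net=MGMT_NET):
    """Map each Telnet server to the sorted clients outside the management network."""
    servers = defaultdict(set)
    for client, server in telnet_flows(text):
        outsiders = servers[server]  # records the server even if all clients are allowed
        if ipaddress.ip_address(client) not in mgmt_net:
            outsiders.add(client)
    return {srv: sorted(clients) for srv, clients in servers.items()}

if __name__ == "__main__":
    for server, outsiders in sorted(hunt(SAMPLE_FLOWS).items()):
        status = "reached from " + ", ".join(outsiders) if outsiders else "management network only"
        print(f"{server}: Telnet in use, {status}")
```

Servers with an empty client list still run Telnet and remain candidates for migration to SSH; servers with listed clients also violate the management-network restriction.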

Common pitfalls

  • Using Telnet on shared networks where attackers can sniff traffic.
  • Leaving default credentials on devices that expose Telnet.
  • Assuming a private VLAN is safe. Many internal threats start inside the network.