23-09-2022 02:09 AM - last edited on 23-09-2022 07:09 AM by DanielPA
I have recently started using an EE 5G router and nmap scanned it internally to see what ports are open (I assume this is normal behavior considering I own the device, and it's an internal scan on the gateway 192.168.1.1 and not an external server or service).
I notice ports 22 and 23 are filtered, which is weird as I don't use ssh or the deprecated telnet, so how come they show up in the nmap scan?
Also from the command nmap --script vuln 192.168.1.1 I notice it finds a problem, saying it's likely vulnerable to a CVE from 2007, CVE-2007-6750 to be exact. I haven't tested the CVE as I thought it better to mention it's showing up in my scan and questioning it rather than trying to exploit it.
I'm a novice and constantly learning so sorry if this seems badly informed or stupid to ask such questions. Below is the nmap scan output. I just don't really understand what I'm looking at, like, why are ports 22 and 23 filtered, why do they even show up, and why telnet of all services to use in 2022?
sudo nmap --script vuln 192.168.1.1
[sudo] password for shaun:
Sorry, try again.
[sudo] password for shaun:
Starting Nmap 7.80 ( https://nmap.org ) at 2022-09-23 01:36 BST
Stats: 0:00:54 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.54% done; ETC: 01:37 (0:00:01 remaining)
Stats: 0:03:36 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.52% done; ETC: 01:39 (0:00:03 remaining)
Nmap scan report for 5gee.router (192.168.1.1)
Host is up (0.0032s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-fileupload-exploiter:
|
| Couldn't find a file-type field.
|
|_ Couldn't find a file-type field.
| http-phpmyadmin-dir-traversal:
| VULNERABLE:
| phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
| State: UNKNOWN (unable to test)
| IDs: CVE:CVE-2005-3299
| PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
|
| Disclosure date: 2005-10-nil
| Extra information:
| ../../../../../etc/passwd :
| <!DOCTYPE html><html><head><meta charset=utf-8><meta http-equiv=Cache-Control content=no-store><meta http-equiv=cache-control content=no-cache><meta http-equiv=cache-control content="max-age=0"><meta name=viewport content="width=device-width,initial-scale=1,minimum-scale=1,maximum-scale=1"><title>5GEE Router</title><link rel=stylesheet href=/static/plugins/glyphicons/glyphicons.css><link type=text/css href=/static/plugins/zyxel-icon/styles.css rel=stylesheet><link rel=stylesheet href=/static/css/layout_ee.css><link rel="shortcut icon" href=/static/plugins/ee-icon/img/favicon.ico type=image/x-icon><link rel=stylesheet href=/static/plugins/ee-icon/css/bootstrap.css><link rel=stylesheet href=/static/plugins/ee-icon/css/main.css><link rel=stylesheet href=/static/plugins/ee-icon/css/responsive.css><link href=/static/css/app.0984c50c41e584f59257b5a3c7ad1801.css rel=stylesheet></head><body class=body_login><div id=app class=yellow></div><script src=/static/plugins/popper/popper.min.js></script><script src=/static/plugins/ee-icon/js/jquery.min.js></script><script src=/static/plugins/ee-icon/js/bootstrap.min.js></script><script src=/static/plugins/ee-icon/js/custom.js></script><script>$(function(){
| // new AccordionMenu({menuArrs:mainMenu});
| // getsubMenu();
| // statusMenu_active();
| // mainMenu_linkage();
| });</script><script src=/static/js/site.js></script><script src=/static/js/zyxel.js></script><script src=/static/js/jsencrypt.min.js></script><script src=/static/js/aes.js></script><script type=text/javascript src=/static/js/manifest.js></script><script type=text/javascript src=/static/js/vendor.js></script><script type=text/javascript src=/static/js/app.js></script></body></html>
| References:
| http://www.exploit-db.com/exploits/1244/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
443/tcp filtered https
MAC Address: D8:EC:E5:1A:2C:88 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 523.03 seconds
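One way to read output like the scan above, as an added example that is not part of the original post: the sketch below separates port states, NSE results that carry a `State:` line, and scripts that only reported `ERROR` (which say nothing either way). The function name `triage` and the trimmed sample are constructed here for illustration.

```python
import re

# Constructed sample: a trimmed excerpt of the scan output in the post above.
SAMPLE = """\
PORT STATE SERVICE
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-phpmyadmin-dir-traversal:
| VULNERABLE:
| State: UNKNOWN (unable to test)
| IDs: CVE:CVE-2005-3299
| References:
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
| http-slowloris-check:
| VULNERABLE:
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
443/tcp filtered https
"""

PORT = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\S+)\s+\S+")
# Script header: "|_name: one-line result" or "| name:" opening a multi-line block.
SCRIPT = re.compile(r"^\|(?:_([a-z0-9-]+): (.*)|\s([a-z0-9-]+):\s*)$")
STATE = re.compile(r"^\|\s*State:\s*(.+?)\s*$")
CVE = re.compile(r"CVE-\d{4}-\d+")

def triage(text):
    """Return (ports, findings, errors) parsed from Nmap normal output."""
    ports, findings, errors = {}, [], []
    port = script = None
    for line in text.splitlines():
        if m := PORT.match(line):
            port, script = int(m.group(1)), None
            ports[port] = m.group(2)
        elif m := SCRIPT.match(line):
            script = m.group(1) or m.group(3)
            if (m.group(2) or "").startswith("ERROR"):
                errors.append((port, script))  # script failed: no information either way
        elif (m := STATE.match(line)) and script:
            findings.append({"port": port, "script": script, "state": m.group(1), "cves": []})
        elif "IDs:" in line and findings and findings[-1]["script"] == script:
            findings[-1]["cves"] = CVE.findall(line)
    return ports, findings, errors
```

A `State: UNKNOWN (unable to test)` entry means the script could not run its check, so it is not a confirmed finding, while `filtered` means Nmap's probes to that port were dropped or rejected and it could not tell whether anything is listening.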
23-09-2022 09:05 AM
Hi @zerominus4
Welcome to the community.
I know @XRaySpeX will understand this, but it's a bit over my head. Could you explain in layman's terms what the problem is?
Thanks 🙂
Chris