Exploiting through a filtered port

You have contradictory information: Nmap says the port is filtered but Nessus says that the vulnerability is present on the system. They cannot both be true; one of these must be wrong. Given that Metasploit is unable to connect, it is likely that Nessus is reporting incorrectly, or is basing the vulnerability report on information gleaned from other open ports. If you look at Tenable's page on that advisory you will see that Nessus can test for it using port 139 or port 445, so 139 is probably open, and may be exploitable.


tl;dr No, you won't be able to directly exploit this vulnerability through a filtered port, and it can't be detected in this way. There must be something else going on in your scenario.

Why?

If this port is coming back as filtered then a firewall or IPS is dropping packets, meaning you won't be receiving any response from the server. This flaw (MS08-067) can only be detected by Nessus if the vulnerability scanner can establish an SMB connection to this port. Nessus won't automatically be attempting to bypass the firewall in any way, but it might be doing a different kind of port scan that could yield different results.

Possible reasons for the results you are seeing:

  • Nessus might be detecting the vulnerability on a different port, probably NetBIOS over TCP (NBT) on TCP/139. Check the Nessus report carefully. In this case you would need to set RPORT 139 and also set SMBDirect false. The latter is an advanced option (show advanced).

  • Some kind of intrusion prevention is running between you and the target host (or on the target host) which is leading to inconsistent port scan results. Try running Nmap in various configurations (-sS, -sT, -p445,139 etc.) to see if the results are consistent. This doesn't really explain why Nessus would be able to detect it but it would not be exploitable by Metasploit, though. It also seems unlikely in a lab environment, unless the lab has specifically been set up for IPS evasion.
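The cross-check both answers above describe, as an added example that is not part of the original answers: it compares each reported finding's port against the port state Nmap recorded and flags findings on a non-open port. The hosts, the `-oG`-style lines, and the simplified `Host,Port,Name` findings layout are constructed assumptions, not data from the question.

```python
import csv
import io
import re

# Constructed sample inputs (not taken from the question).
NMAP_GREPABLE = (
    "Host: 192.0.2.10 ()\tPorts: 139/open/tcp//netbios-ssn///, "
    "445/filtered/tcp//microsoft-ds///\n"
    "Host: 192.0.2.11 ()\tPorts: 139/filtered/tcp//netbios-ssn///, "
    "445/filtered/tcp//microsoft-ds///\n"
)
FINDINGS_CSV = (  # simplified columns: an assumption about the report export
    "Host,Port,Name\n"
    "192.0.2.10,445,MS08-067\n"
    "192.0.2.10,139,MS08-067\n"
    "192.0.2.11,445,MS08-067\n"
)

def parse_nmap_grepable(text):
    """Return {(host, port): state} for TCP ports in `nmap -oG` lines."""
    states = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: ([^\t]*)", line)
        if not m:
            continue
        for entry in m.group(2).split(","):
            fields = entry.strip().split("/")  # port/state/proto/...
            if len(fields) >= 3 and fields[2] == "tcp":
                states[(m.group(1), int(fields[0]))] = fields[1]
    return states

def reconcile(nmap_text, findings_csv):
    """Label each finding by whether the port scan supports it."""
    states = parse_nmap_grepable(nmap_text)
    results = []
    for row in csv.DictReader(io.StringIO(findings_csv)):
        host, port = row["Host"], int(row["Port"])
        state = states.get((host, port), "not-scanned")
        if state == "open":
            verdict = "consistent"
        else:
            # A remote check needs a connection: look for another open SMB port.
            alt = [p for p in (139, 445) if states.get((host, p)) == "open"]
            verdict = f"contradiction; open SMB ports seen: {alt or 'none'}"
        results.append((host, port, state, verdict))
    return results

if __name__ == "__main__":
    for r in reconcile(NMAP_GREPABLE, FINDINGS_CSV):
        print(*r, sep="  ")
```

A finding labelled as a contradiction with no open SMB port at all points to a scanner error or to the two tools seeing different network paths, which is the case both answers treat as needing further investigation.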


Even if port 445 (SMB) is closed, you may sometimes be able to exploit this vulnerability through port 139 (NetBIOS). In Metasploit, just use the following syntax:

set RPORT 139; set SMBDirect false; exploit