Jacques Dalbera's IT world

Web site for IT admins and cloud architects

AD/Win: Null Session Attacks and How to

Avoid Them
A well-known vulnerability within Windows can map an anonymous connection (or null session) to
a hidden share called IPC$ (which stands for interprocess communication). This hack method can
be used to
Gather Windows host configuration information, such as user IDs and share names.
Edit parts of the remote computer’s registry.
Although Windows Server 2008, Windows XP, Windows 7, and Windows 8 don’t allow null session
connections by default, Windows 2000 Server does — and (sadly) plenty of those systems are still
around to cause problems on most networks.
Map a null session
Follow these steps for each Windows computer to which you want to map a null session:
1. Format the basic net command, like this:
net use \\host_name_or_IP_address\ipc$ "" "/user:"
The net command to map null sessions requires these parameters:
net followed by the use command
The IP address or hostname of the system to which you want to map a null
connection
A blank password and username
2. Press Enter to make the connection.
After you map the null session, you should see the message The command completed
successfully.

Privacy & Cookies: This site uses cookies. By continuing to use this
Towebsite,
confirmyou
that thetosessions
agree Close
their use.are mapped, enter this command at the command and accept
prompt:
net useout more, including how to control cookies, see here: Cookie
To find
You should see the mappings to the IPC$ share on each computer to which you’re connected.
Policy
With a null session connection, you can use other utilities to gather critical Windows information
remotely. Dozens of tools can gather this type of information.
You — like a hacker — can take the output of these enumeration programs and attempt to
Crack the passwords of the users found.
Map drives to the network shares.
You can use the following applications for system enumeration against server versions of Windows
prior to Server 2003 as well as Windows XP.
net view
The net view command shows shares that the Windows host has available. You can use the output
of this program to see information that the server is advertising to the world and what can be done
with it, including the following:
Share information that a hacker can use to attack your systems, such as mapping drives
and cracking share passwords.
Share permissions that might need to be removed, such as the permission for the
Everyone group, to at least see the share on older Windows 2000–based systems.

Configuration and user information

Winfo and DumpSec can gather useful information about users and configurations, such as
Windows domain to which the system belongs
Security policy settings
Local usernames
Drive shares
Your preference might depend on whether you like graphical interfaces or a command line. Winfo
is a command-line tool. The following is an abbreviated version of Winfo’s output of a Windows NT
server, but you can collect the same information from other Windows systems:

Privacy & Cookies: This site uses cookies. By continuing to use this
website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie
Policy
Winfo 2.0 - copyright (c) 1999-2003, Arne Vidstrom
- http://www.ntsecurity.nu/toolbox/winfo/
SYSTEM INFORMATION:
- OS version: 4.0
PASSWORD POLICY:
- Time between end of logon time and forced logoff: No forced logoff
- Maximum password age: 42 days
- Minimum password age: 0 days
- Password history length: 0 passwords
- Minimum password length: 0 characters
USER ACCOUNTS:
* Administrator
(This account is the built-in administrator account)
* doctorx
* Guest
(This account is the built-in guest account)
* IUSR_WINNT
* kbeaver
* nikki
SHARES:
* ADMIN$
- Type: Special share reserved for IPC or administrative share
* IPC$
- Type: Unknown
* Here2Bhacked
- Type: Disk drive
* C$
- Type: Special share reserved for IPC or administrative share
* Finance
- Type: Disk drive
* HR
- Type: Disk drive
This information cannot be gleaned from a default installation of Windows Server 2003, Windows
XP, Windows 7, or Windows 8.
You can peruse the output of such tools for user IDs that don’t belong on your system, such as
Ex-employee accounts that haven’t been disabled
Potential backdoor accounts that a hacker might have created
NetUsers
The NetUsers tool can show who has logged in to a remote Windows computer. You can see such
information as
Abused account privileges
Users currently logged into the system

Privacy & Cookies: This site uses cookies. By continuing to use this
website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie
Policy
This information can help you track, for auditing purposes, who’s logging in to a system.
Unfortunately, this information can be useful for hackers when they’re trying to figure out what
user IDs are available to crack.
Countermeasures against null session hacks
If it makes good business sense and the timing is right, upgrade to the more secure Windows
Server 2012 or Windows 7. They don’t have the vulnerabilities described in the following list.
You can easily prevent null session connection hacks by implementing one or more of the following
security measures:
Block NetBIOS on your Windows server by preventing these TCP ports from passing
through your network firewall or personal firewall:
139 (NetBIOS sessions services)
445 (runs SMB over TCP/IP without NetBIOS)
Disable File and Printer Sharing for Microsoft Networks in the Properties tab of the
machine’s network connection for those systems that don’t need it.
Restrict anonymous connections to the system. For Windows NT and Windows 2000
systems, you can set
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous to a
DWORD value as follows:
None: This is the default setting.
Rely on Default Permissions (Setting 0): This setting allows the default null session
connections.
Do Not Allow Enumeration of SAM Accounts and Shares (Setting 1): This is the medium
security level setting. This setting still allows null sessions to be mapped to IPC$,
enabling such tools as Walksam to garner information from the system.
No Access without Explicit Anonymous Permissions (Setting 2): This high security setting
prevents null session connections and system enumeration.
Microsoft Knowledge Base Article 246261 covers the caveats of using the high security setting for
RestrictAnonymous. It’s available on the web at
http://support.microsoft.com/default.aspx?scid=KB;en-us;246261.

Advertisements

Privacy & Cookies: This site uses cookies. By continuing to use this
website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie
Policy
 jdalbera December 1, 2015
Active Directory, Microsoft, Security, System and Network Admins, Windows Server/Client
IPC$, null sessions, restrictanonymous

Published by jdalbera
IT Pro: 28 years experience for large companies - Technical manager and solution architect:
Directory services and Identity Managemen expert, Azure AD, Office 365, Azure infrastructures,
Microsoft AD Security (ADDS,ADFS,ADCS), PowerShell, Quest solutions architect. Operating
systems (Win/Lin). Unix and Microsoft interoperability. Data center Operations. Company
integrations. Network architectures. Virtualization and storage infrastructures. HP/Dell servers
deployments. Multiple certifications: Azure, MCSE, MCPs, MCITS, ITIL, VCP, CCNA, CyberArk
View more posts

Jacques Dalbera's IT world, Website Powered by WordPress.com.

Privacy & Cookies: This site uses cookies. By continuing to use this
website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie
Policy