
NULL Session

Uploaded by

vimal.ss2021

Null Sessions

• NULL sessions, also known as anonymous sessions, refer to
unauthorized connections to a server without requiring
authentication credentials, such as a username and password.
• In simpler terms, it allows an attacker to connect to a system, access
its resources, and gather information without any form of
authentication.
Null Sessions
• The concept of NULL sessions was originally intended for
administrative purposes, allowing administrators to access shared
resources on remote systems without entering credentials repeatedly.
• However, this feature has also become a potential security
vulnerability when improperly configured.
What is Null Session?
• The null session attack has been around since Windows
2000 was in widespread use, yet system administrators
do not take this type of attack into account when
implementing network security measures.
• This can have serious consequences, because
hackers can use this type of attack to obtain all of the
information they need to gain remote access to the
system.
• A null session occurs when you log in to a system with no username or
password.
• NetBIOS null sessions are a vulnerability found in the Common
Internet File System (CIFS) or SMB (Server Message Block protocol),
depending on the operating system.
• SMB: a client-server communication protocol used for sharing
access to files, printers, serial ports and other resources on a network.
• CIFS: a network protocol that can be used for cybersecurity to protect
sensitive data. Its lack of encryption has seen it exploited through
malware like NotPetya and the WannaCry ransomware attack, which
occurred through a zero-day exploit called EternalBlue.
• Microsoft Windows uses SMB, and Unix/Linux systems use CIFS.
• Once an attacker has made a NetBIOS connection using
a null session to a system, they can easily get a full list
of all usernames, groups, shares, permissions, policies,
services, and more using the Null user account.
• The SMB and NetBIOS standards in Windows include
APIs that return information about a system via TCP port
139.
• One method of connecting a NetBIOS null session to a
Windows system is to use the hidden Inter-Process
Communication share (IPC$). This hidden share is
accessible using the net use command.
• The "net use" command is a built-in Windows command that connects to a share on
another computer.
• The empty quotation marks ("") indicate that you want to connect with no username
and no password.
• To make a NetBIOS null session to a system with the IP address 192.21.7.1 with the
built-in anonymous user account and a null password using the net use command, the
syntax is as follows:

net use \\192.21.7.1\IPC$ "" /u:""

• Once the net use command has been successfully completed, the attacker has a
channel over which to use other hacking tools and techniques.
How to Disable Null Session in Windows
• In a Windows environment, null sessions can allow users to have anonymous
access to hidden administrative shares on a system.

• Once connected to the shares through a null session, attackers can
potentially enumerate information about your system and environment,
such as users and groups, operating systems, password policies, privileges,
etc. With this information, an attacker can learn about any potential
vulnerabilities or ways to best attack your systems.

• Disabling null sessions is a key way to help you strengthen your organization's
security and reduce your attack surface.
• Edit GPO: Go to Computer Configuration\Policies\Windows Settings\Security Settings\
Local Policies\Security Options
• Enable:
• Network access: Restrict Anonymous access to Named Pipes and Shares
• Network access: Do not allow anonymous enumeration of SAM accounts
• Network access: Do not allow anonymous enumeration of SAM accounts and shares
• Network access: Shares that can be accessed anonymously
• Disable:
• Network access: Let Everyone permissions apply to anonymous users
• Network access: Allow anonymous SID/Name translation
• Restrict Null Sessions in the Registry
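
The registry side of the settings listed above, as an added example that is not part of the original slides: a read-only PowerShell audit that compares the values behind each "Network access" policy with the hardened setting. The temporary file name is an arbitrary choice, and the script assumes an elevated session on the host being checked.

```powershell
# Added example (not from the original slides): read-only audit of the values
# behind the "Network access" policies above. Run from an elevated session.
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

$checks = @(
    @{ Path = $lsa;    Name = 'RestrictAnonymousSAM';      Expected = 1
       Policy = 'Do not allow anonymous enumeration of SAM accounts' }
    @{ Path = $lsa;    Name = 'RestrictAnonymous';         Expected = 1
       Policy = 'Do not allow anonymous enumeration of SAM accounts and shares' }
    @{ Path = $lsa;    Name = 'EveryoneIncludesAnonymous'; Expected = 0
       Policy = 'Let Everyone permissions apply to anonymous users' }
    @{ Path = $server; Name = 'RestrictNullSessAccess';    Expected = 1
       Policy = 'Restrict anonymous access to Named Pipes and Shares' }
)

$results = @(foreach ($c in $checks) {
    # A missing value means the OS default applies; report it instead of assuming it is safe.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Name) } else { $null }
    [pscustomobject]@{ Policy = $c.Policy; Value = $c.Name; Expected = $c.Expected
                       Actual = $actual; Pass = ($actual -eq $c.Expected) }
})

# "Shares that can be accessed anonymously" is a REG_MULTI_SZ list; hardened means no entries.
$item   = Get-ItemProperty -Path $server -Name 'NullSessionShares' -ErrorAction SilentlyContinue
$shares = @(if ($item) { $item.NullSessionShares | Where-Object { $_ } })
$results += [pscustomobject]@{ Policy = 'Shares that can be accessed anonymously'; Value = 'NullSessionShares'
                               Expected = '<empty>'; Actual = ($shares -join ', '); Pass = ($shares.Count -eq 0) }

# "Allow anonymous SID/Name translation" is not a registry value; it is stored in the
# local security policy as LSAAnonymousNameLookup, so export the policy and read it.
$inf = Join-Path $env:TEMP 'null-session-audit.inf'   # arbitrary temporary file name
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
$m = Select-String -Path $inf -Pattern '^\s*LSAAnonymousNameLookup\s*=\s*(\d+)' | Select-Object -First 1
$lookup = if ($m) { [int]$m.Matches[0].Groups[1].Value } else { $null }
Remove-Item $inf -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Policy = 'Allow anonymous SID/Name translation'; Value = 'LSAAnonymousNameLookup'
                               Expected = 0; Actual = $lookup; Pass = ($lookup -eq 0) }

$results | Format-Table -AutoSize -Wrap
```

Rows with Pass = False, or with an empty Actual column for a numeric setting, are the ones to bring in line through the GPO rather than by editing the registry by hand, since Group Policy will overwrite local changes on the next refresh.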
Ethical Hacking and NULL Sessions

• Ethical hackers, also known as white-hat hackers, employ various
techniques and tools to assess the security of systems and networks.
• NULL sessions can be a valuable asset in an ethical hacker’s toolkit
when used for legitimate and authorized security testing.
Ethical hackers can leverage NULL sessions:
• Information Gathering: NULL sessions provide an excellent starting
point for collecting information about a target system. Ethical hackers
can identify users, groups, and shared resources, helping them build a
profile of the system’s structure and security posture.
• Enumeration: NULL sessions can be used to enumerate various
details, such as open network shares, group memberships, and user
account information. This information is critical for understanding
potential attack vectors.
Ethical hackers can leverage NULL sessions:
• Vulnerability Assessment: By analyzing the data obtained through
NULL sessions, ethical hackers can identify security weaknesses, such
as open shares with inadequate permissions, outdated software, or
unpatched vulnerabilities.
• Password Policies: Ethical hackers can use NULL sessions to assess the
password policies on a target system, helping to identify weak or
easily guessable passwords that need to be addressed.
Tools for NULL Session Enumeration
• NetBIOS Enumeration Tools: Tools like nbtscan and enum4linux can
enumerate user and group information, as well as shared resources,
by exploiting NULL sessions.
• SMBclient: The smbclient utility can be used to connect to an SMB
share without authentication, allowing ethical hackers to access and
download shared files and directories.
Tools for NULL Session Enumeration
• RPCclient: The rpcclient tool can be used to interact with remote
Windows systems, enabling ethical hackers to extract sensitive
information and gather data about the target.
Mitigation and Best Practices
• To prevent unauthorized access via NULL sessions, administrators
must follow best practices, including:
• Disable NULL Sessions: It is crucial to configure systems to disallow
NULL sessions unless they are explicitly required for legitimate
administrative purposes.
• Secure File and Share Permissions: Ensure that file and share
permissions are properly configured, limiting access to authorized
users only.
Mitigation and Best Practices
• Regular Patching: Keep systems and software up to date to mitigate
known vulnerabilities that could be exploited through NULL sessions.
• Strong Password Policies: Implement strong password policies to
reduce the risk of attackers gaining unauthorized access to user
accounts.
