Author Topic: Null Session Domain Controller Enumeration  (Read 2552 times)


Offline leonteale

Null Session Domain Controller Enumeration
« on: May 20, 2015, 05:20:12 pm »
Today we are going to discuss Null Session enumeration, specifically against a Windows Domain Controller.

Null session attacks have been around a long time, probably since Windows 2000. Yet it is something that System Administrators often neglect to consider when hardening their domain and network. This can lead to disastrous results, as enumeration of a null session can divulge just about every bit of useful information an attacker needs to remotely gain access to a system. Many people consider this an old technique; hell, many Pentesters and companies don't even check for this. However, this is one of the very first checks I do when performing a Penetration test, and providing they haven't had previous Pentests that have found this and they have remediated against it, I can safely say I find this on nearly every test.

So what exactly is Null Session Authentication?

Well, to put it very briefly, it's how Windows represents an anonymous user. A remote session is created when a user logs onto a computer, providing a user name and password that has access to the system resources. This is accomplished through the SMB protocol and the Windows Server service.

So as you'd expect, a Null Session comes into play when a user connects without providing a username or password. This type of connection cannot be made to any typical Windows share, but it can be made to the IPC share. The IPC share is used exclusively by the SMB protocol.

Using the IPC share with no credentials is typically reserved for programs communicating with one another, but there is nothing to say that a user can't connect using the IPC connection instead. This would not allow for unrestricted access to the machine, but it will allow for pretty extensive enumeration that could aid an attacker.

Exploitation

So that's the run-down of Null Session authentication. I will now go on to the means and methods of enumerating a domain controller using this vulnerability and finish this post with remediation advice to help you protect your own network/domain against this type of attack.

I think the first thing to discuss is what tools we can use for the job to enumerate information from a host with Null Sessions enabled.

Enum4Linux

http://labs.portcullis.co.uk/tools/enum4linux/

Features include:

  • RID Cycling (When RestrictAnonymous is set to 1 on Windows 2000)
  • User Listing (When RestrictAnonymous is set to 0 on Windows 2000)
  • Listing of Group Membership Information
  • Share Enumeration
  • Detecting if host is in a Workgroup or a Domain
  • Identifying the remote Operating System
  • Password Policy Retrieval (using polenum)

WinscanX

http://packetstormsecurity.com/files/84199/WinScanX-Password-Utility.html

==== WinScanX Advanced Features ====

  • -a  -- Get Account Policy Information
  • -b  -- Get Audit Policy Information
  • -c  -- Get Display Information
  • -d  -- Get Domain Information
  • -e  -- Get LDAP Information
  • -f  -- Get Administrative Local & Global Group Information
  • -g  -- Get Local & Global Group Information
  • -p  -- Get Installed Programs
  • -k  -- Get Interactively Logged On Users
  • -l  -- Get Logged On Users
  • -i  -- Get Patch Information
  • -j  -- Get Registry Information
  • -m  -- Get Scheduled Task Information
  • -n  -- Get Server Information
  • -o  -- Get Service Information
  • -s  -- Get Share Information
  • -t  -- Get Share Permissions
  • -q  -- Get SNMP Community Information
  • -u  -- Get User Information
  • -r  -- Get User Information via RA Bypass
  • -x  -- Get User Rights Information
  • -w  -- Get WinVNC3 & WinVNC4 Passwords
  • -y  -- Save Remote Registry Hives

Enum4Linux

Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com.

It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup. The Samba package is therefore a dependency.

Usage for this is also very straightforward.

Quote
$ ./enum4linux.pl 10.1.1.100

From here it will use various methods to enumerate the local users and groups and list them out.

I would recommend that you first test that you do get output. If a host is not vulnerable, it will get permission denied for the null user.

Once you know the host is affected and you are getting the desired output, rerun the command and pipe the results to a text file.

Quote
$ ./enum4linux.pl 10.1.1.100 > dcenum.txt

From here I usually strip out all the domain users and all the domain admins.

You can use these two commands here to do that:

Quote
cat dcenum.txt | grep "Domain Users" | awk '{print $8}' | cut -d \\ -f 2 > users.txt

cat dcenum.txt | grep "Domain Admins" | awk '{print $8}' | cut -d \\ -f 2 > admins.txt

Now you will have two lists, "Users" and "Admins". You can use these lists as a reference to identify privileged users, but also as a userlist for password attacks. For example, running the username list for "Users" through Hydra with the password "Password1". So if you have a list of 2000 users, I'm sure some of them will have Password1 ;)

WinscanX

WinScanX is a Windows enumeration utility featuring over 20 options including the ability to identify easy-to-guess Windows passwords, the ability to identify easy-to-guess SNMP community strings, and the ability to locate and decrypt WinVNC passwords. Includes an optional GUI front-end.

Usage is pretty easy. Since this is a Windows tool by design, I will stick to showing you the GUI. If you're a true techie and don't like using GUIs, then why are you using Windows anyway?

The interface is quite straightforward. Simply enter the IP address of the host which has null sessions enabled and select 'Use Anonymous Credentials'.

Then you can select any of the tick boxes you want on the right. A word of advice: do NOT select 'Guess Windows Passwords', or else you will find user accounts lock out, as this will perform a password attack. I would stick with just selecting 'Get Local And Global Group Information'; this will return enough information for you to know a. the site is vulnerable and b. get local users to perform password attacks against.

NOTE:

On Domain Controllers with a large number of users (and I mean anything more than about 5000), WinScanX will hang and look like it's crashed. Just leave it; it will work. If you check netstat / the process list etc., you will see it doing something. If it does completely crash, it's still a good sign the site is vulnerable, so seek alternate methods to obtain the information. I recommend using 'enum', a win32 application, after connecting to the DC using 'net use'.

How can I defend against this?

Well, and I say this with as much enthusiasm as possible, make sure you have backups and make changes out of hours, for obvious reasons, so you can test that there are no adverse effects.

Here is an article by Microsoft

http://support.microsoft.com/kb/837964

Now this vulnerability affects Server 2000 and 2003 by default, so it is up to you to disable it.

Server 2008 remediates this in its build (fresh build). However, if you upgrade from Windows Server 2003 to Windows Server 2008, then the settings will migrate with you from 2003 and you will still be vulnerable to Null Sessions unless you follow the steps below.

Enable:

  • Network access: Restrict Anonymous access to Named Pipes and Shares
  • Network access: Do not allow anonymous enumeration of SAM accounts

Disable:

  • Network access: Let Everyone permissions apply to anonymous users
  • Network access: Allow anonymous SID/Name translation

It has also been noted that there must be no session pipes in the registry.
« Last Edit: October 16, 2015, 01:06:54 am by iTpHo3NiX »
Penetration Tester
@leonteale
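As an added example (not from the original post): a PowerShell audit that reads back the values behind the four policy settings and the session-pipe list above, so the hardening can be verified on the DC rather than assumed. It assumes the standard registry locations for these policies, an elevated session on the DC, and that secedit is available for the one setting that has no registry value.

```powershell
# Added example: audit the anonymous-access hardening recommended above.
# Registry locations are the standard ones behind these Group Policy settings
# (assumption: the DC has not relocated them). Run elevated on the DC.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# Each entry: policy name, registry path, value name, expected value.
$checks = @(
    @{ Policy='Do not allow anonymous enumeration of SAM accounts';            Path=$lsa; Name='RestrictAnonymousSAM';      Want=1 },
    @{ Policy='Do not allow anonymous enumeration of SAM accounts and shares'; Path=$lsa; Name='RestrictAnonymous';         Want=1 },
    @{ Policy='Let Everyone permissions apply to anonymous users';             Path=$lsa; Name='EveryoneIncludesAnonymous'; Want=0 },
    @{ Policy='Restrict anonymous access to Named Pipes and Shares';           Path=$srv; Name='RestrictNullSessAccess';    Want=1 }
)

foreach ($c in $checks) {
    # A missing value means the OS default applies; report it as a finding so
    # the setting gets configured explicitly instead of relying on the default.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $state  = if ($actual -eq $c.Want) { 'OK  ' } else { 'FAIL' }
    '{0} {1} = {2} (expected {3})' -f $state, $c.Policy, $actual, $c.Want
}

# "No session pipes in the registry": both multi-string lists should be empty.
foreach ($name in 'NullSessionPipes', 'NullSessionShares') {
    $list = (Get-ItemProperty -Path $srv -Name $name -ErrorAction SilentlyContinue).$name
    $list = @($list | Where-Object { $_ -ne '' })
    if ($list.Count -eq 0) { "OK   $name is empty" }
    else { "FAIL $name still allows anonymous access to: $($list -join ', ')" }
}

# "Allow anonymous SID/Name translation" lives in the LSA policy database, not
# the registry; secedit exports it as LSAAnonymousNameLookup (0 = disabled).
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
$line = Select-String -Path $cfg -Encoding Unicode -Pattern '^LSAAnonymousNameLookup\s*=\s*(\d)' |
        Select-Object -First 1
$lookup = if ($line) { [int]$line.Matches[0].Groups[1].Value } else { $null }
$state  = if ($lookup -eq 0) { 'OK  ' } else { 'FAIL' }
'{0} Allow anonymous SID/Name translation = {1} (expected 0)' -f $state, $lookup
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Any FAIL line corresponds directly to one of the Enable/Disable items in the post; after changing the policy, rerun the script and also confirm from a non-domain host that the enum4linux run now returns permission denied for the null user.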

Offline kenjoe41

Re: Null Session Domain Controller Enumeration
« Reply #1 on: May 22, 2015, 12:35:44 pm »
You realize you are going to learn a bit of SMF and BBcode to have better formatting of your tutorials.

Ummh: http://www.leonteale.co.uk/dcenum/
If you can't explain it to a 6 year old, you don't understand it yourself.

Offline leonteale

Re: Null Session Domain Controller Enumeration
« Reply #2 on: May 26, 2015, 11:57:55 am »
Agreed! When I updated my blog it must have messed up the formatting :/ which I only just realized when trying to port over the tutorial.

Problem is, when writing on this forum, the preview box is different to the actual saved product, so I have to keep previewing to make sure it's formatting correctly. PITA.

I will go through and reformat when I have some time.
« Last Edit: October 16, 2015, 01:08:08 am by iTpHo3NiX »

Offline iTpHo3NiX

Re: Null Session Domain Controller Enumeration
« Reply #3 on: October 16, 2015, 01:08:40 am »
I fixed the format, and I would like you to post your other tutorials (if you need help with formatting let me know)