Author Topic: Null Session Domain Controller Enumeration  (Read 2601 times)

0 Members and 2 Guests are viewing this topic.

Offline leonteale

  • /dev/null
  • *
  • Posts: 6
  • Cookies: 6
  • Penetration Tester
    • View Profile
    • Personal Website
Null Session Domain Controller Enumeration
« on: May 20, 2015, 05:20:12 pm »
Today we are going to discuss Null Session enumeration, specifically against a Windows Domain Controller.

Null session attacks have been around a long time. Probably back since Windows 2000. Yet it is something that System Administrators often neglect to consider when hardening their domain and network. This can lead to disastrous results as enumeration of a null session can divulge just about every bit of useful information an attacker needs to remotely gain access to a system. Many people consider this an old technique, hell, many Pentesters and companies don’t even check for this. However, this is one of the very first checks i do when performing a Penetration test and providing they haven’t had previous Pentests that have found this and they have remediated against, then i can safely say i find this on nearly every test.

So what exactly is Null Session Authentication?

Well, to put it very briefly, it’s how Windows represents an anonymous user. A remote session is created when a user logs onto a computer, providing a user name and password that has access to the system resources. This is accomplished through the SMB protocol and the Windows Server service.

So as you’d expect, a Null Session comes into play when a user without providing a username or password. This type of connection can not be made to any typical windows share, but it can be made to the IPC share. The IPC share is used exclusively by the SMB protocol.

Using the IPC share with no credentials is typically reserved for programs communicating with one another, but there is nothing to say that a user can’t connect using the IPC connection instead. This would not allow for unrestricted access to the machine, but will allow for pretty extensive enumeration that could aid an attacker.

Exploitation

So that’s the run down of Null Session authentication. I will now go onto the means and methods of enumerating a domain controller using this vulnerability and finish this post with remediation advice for you to help protect your own network/domain against this type of attack.

I think the first thing to discuss is what tools we can use for the job to enumerate information from a host with Null Sessions enabled.

Enum4Linux

http://labs.portcullis.co.uk/tools/enum4linux/

Features include:

  • RID Cycling (When RestrictAnonymous is set to 1 on Windows 2000)
  • User Listing (When RestrictAnonymous is set to 0 on Windows 2000)
  • Listing of Group Membership Information
  • Share Enumeration
  • Detecting if host is in a Workgroup or a Domain
  • Identifying the remote Operating System
  • Password Policy Retrieval (using polenum)

WinscanX

http://packetstormsecurity.com/files/84199/WinScanX-Password-Utility.html

==== WinScanX Advanced Features ====

  • -a  -- Get Account Policy Information
  • -b  -- Get Audit Policy Information
  • -c  -- Get Display Information
  • -d  -- Get Domain Information
  • -e  -- Get LDAP Information
  • -f  -- Get Administrative Local & Global Group Information
  • -g  -- Get Local & Global Group Information
  • -p  -- Get Installed Programs
  • -k  -- Get Interactively Logged On Users
  • -l  -- Get Logged On Users
  • -i  -- Get Patch Information
  • -j  -- Get Registry Information
  • -m  -- Get Scheduled Task Information
  • -n  -- Get Server Information
  • -o  -- Get Service Information
  • -s  -- Get Share Information
  • -t  -- Get Share Permissions
  • -q  -- Get SNMP Community Information
  • -u  -- Get User Information
  • -r  -- Get User Information via RA Bypass
  • -x  -- Get User Rights Information
  • -w  -- Get WinVNC3 & WinVNC4 Passwords
  • -y  -- Save Remote Registry Hives

Enum4Linux

Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com.

It is written in PERL and is basically a wrapper around the Samba tools smbclient, rpclient, net and nmblookup. The samba package is therefore a dependency.



Usage for this is also very straight forward.

Quote
$ ./enum4linux.pl 10.1.1.100

From here it will list out (using various methods) to enumerate the local users and groups.

I would recommend that you firstly test you do get output. If a host is not vulnerable it will get permission denied for the null user.

Once you know the host is affected and you are getting the desired output then rerun the command and pipe the results to a text file.

Quote
$ ./enum4linux.pl 10.1.1.100 > dcenum.txt

From here I usually strip out all the domain users and all the domain admins.

You can use these two commands here to do that:

Quote
cat dcenum.txt | grep “Domain Users” | awk {‘print $8′} | cut -d \\ -f 2 > users.txt

cat dcenum.txt | grep “Domain Admins” | awk {‘print $8′} | cut -d \\ -f 2 > admins.txt

Now you will have two lists “Users” and “Admins”. You can use this lists as a reference to identify privileged users but also as a userlist for password attacks. For example running the username list for “Users” through Hydra with the password “Password1″. So if you have a list of 2000 users. Im sure some of them will have Password1 ;)

WinscanX

WinScanX is a Windows enumeration utility featuring over 20 options including the ability to identify easy-to-guess Windows passwords, the ability to identify easy-to-guess SNMP community strings, and the ability to locate and decrypt WinVNC passwords. Includes an optional GUI front-end.

Usage is pretty easy. Since this is a Windows tool by design, I will stick to showing you the GUI. If your a true techie and don’t like using GUI’s, then why are you using Windows anyway?



The interface is quite straight forward. Simply enter the IP address of the host which has null sessions enabled. Select ‘Use Anonymous Credentials’

Then you can select any of the tick boxes you want on the right. A word of advice, do NOT select ‘Guess Windows Passwords’ or else you will find user accounts lockout as this will perform a password attack. I would stick with just selecting “Get Local And Global Group Information’ this will be enough to return enough information for you to know a. The site is vulnerable b. Get local users to perform password attacks against.

NOTE:

Domain Controllers with large amount of users (and i mean anything more than about 5000+) then WinscanX will hang and look like its crashed. Just leave it, it will work. If you check netstat / ps list etc.. you will see it doing something. If it does completely crash its still a good sign the site is vulnerable so seek alternate methods to obtain the information. I recommend using ‘enum’ a win32 application after connecting to the DC using ‘net use’

How can i defend against this?

well, and i say this with as much enthusiasm as possible, make sure you have backups and make changes out of hours for obvious reasons so you can test there is no adverse affects.

Here is an article by Microsoft

http://support.microsoft.com/kb/837964

Now this vulnerability effects server 2000 and 2003 by default so it is up to you to disable it.

Server 2008 remediates this in its build (fresh build). However, if you upgrade from Windows Server 2003 to Windows Server 2008 then you will migrate the settings with your from 2003 and you will still be vulnerable to Null Sessions unless you follow the steps below.

Enable:

  • Network access: Restrict Anonymous access to Named Pipes and Shares
  • Network access: Do not allow anonymous enumeration of SAM accounts

Disable:

  • Network access: Let Everyone permissions apply to anonymous users
  • Network access: Allow anonymous SID/Name translation

It has also been noted that there must be no session pipes in the registry.
« Last Edit: October 16, 2015, 01:06:54 am by iTpHo3NiX »
Penetration Tester
@leonteale

Offline kenjoe41

  • Symphorophiliac Programmer
  • Administrator
  • Baron
  • *
  • Posts: 990
  • Cookies: 224
    • View Profile
Re: Null Session Domain Controller Enumeration
« Reply #1 on: May 22, 2015, 12:35:44 pm »
You realize you are going to learn a bit of SMF and BBcode to have better formatting of your tutorials.

Ummh: http://www.leonteale.co.uk/dcenum/
If you can't explain it to a 6 year old, you don't understand it yourself.
http://upload.alpha.evilzone.org/index.php?page=img&img=GwkGGneGR7Pl222zVGmNTjerkhkYNGtBuiYXkpyNv4ScOAWQu0-Y8[<NgGw/hsq]>EvbQrOrousk[/img]

Offline leonteale

  • /dev/null
  • *
  • Posts: 6
  • Cookies: 6
  • Penetration Tester
    • View Profile
    • Personal Website
Re: Null Session Domain Controller Enumeration
« Reply #2 on: May 26, 2015, 11:57:55 am »
agreed! when i updated my blog it must have messed up the formatting :/ which i only just realized when trying to port over the tutorial.

problem is, when writing on this forum, the preview box is different to the actual saved product so i have to keep previewing to make sure its formatting correctly. PITA.

I will go through and reformat when i have some time
« Last Edit: October 16, 2015, 01:08:08 am by iTpHo3NiX »
Penetration Tester
@leonteale

Offline iTpHo3NiX

  • EZ's Pirate Captain
  • Administrator
  • Titan
  • *
  • Posts: 2920
  • Cookies: 328
    • View Profile
    • EvilZone
Re: Null Session Domain Controller Enumeration
« Reply #3 on: October 16, 2015, 01:08:40 am »
I fixed the format, and I would like you to post your other tutorials (if you need help with formatting let me know)
[09:27] (+lenoch) iTpHo3NiX can even manipulate me to suck dick
[09:27] (+lenoch) oh no that's voluntary
[09:27] (+lenoch) sorry