AD/Win: Null Session Attacks and How to Avoid Them

A well-known vulnerability within Windows can map an anonymous connection (or null session) to a hidden share called IPC$ (which stands for interprocess communication). This hack method can be used to

  • Gather Windows host configuration information, such as user IDs and share names.

  • Edit parts of the remote computer’s registry.

Although Windows Server 2008, Windows XP, Windows 7, and Windows 8 don’t allow null session connections by default, Windows 2000 Server does — and (sadly) plenty of those systems are still around to cause problems on most networks.

Map a null session

Follow these steps for each Windows computer to which you want to map a null session:

  1. Format the basic net command, like this:

    net use \\host_name_or_IP_address\ipc$ "" "/user:"

    The net command to map null sessions requires these parameters:

    • net followed by the use command

    • The IP address or hostname of the system to which you want to map a null connection

    • A blank password and username

  2. Press Enter to make the connection.

    After you map the null session, you should see the message The command completed successfully.

To confirm that the sessions are mapped, enter this command at the command prompt:

net use

You should see the mappings to the IPC$ share on each computer to which you’re connected.

With a null session connection, you can use other utilities to gather critical Windows information remotely. Dozens of tools can gather this type of information.

You — like a hacker — can take the output of these enumeration programs and attempt to

  • Crack the passwords of the users found.

  • Map drives to the network shares.

You can use the following applications for system enumeration against server versions of Windows prior to Server 2003 as well as Windows XP.

net view

The net view command shows shares that the Windows host has available. You can use the output of this program to see information that the server is advertising to the world and what can be done with it, including the following:

  • Share information that a hacker can use to attack your systems, such as mapping drives and cracking share passwords.

  • Share permissions that might need to be removed, such as the Everyone group's permission to at least see the share on older Windows 2000-based systems.

Configuration and user information

Winfo and DumpSec can gather useful information about users and configurations, such as

  • Windows domain to which the system belongs

  • Security policy settings

  • Local usernames

  • Drive shares

Your preference might depend on whether you like graphical interfaces or a command line. Winfo is a command-line tool. The following is an abbreviated version of Winfo's output for a Windows NT server; you can collect the same information from other Windows systems:

Winfo 2.0 - copyright (c) 1999-2003, Arne Vidstrom
   - http://www.ntsecurity.nu/toolbox/winfo/
SYSTEM INFORMATION:
 - OS version: 4.0
PASSWORD POLICY:
 - Time between end of logon time and forced logoff: No forced logoff
 - Maximum password age: 42 days
 - Minimum password age: 0 days
 - Password history length: 0 passwords
 - Minimum password length: 0 characters
USER ACCOUNTS:
 * Administrator
 (This account is the built-in administrator account)
 * doctorx
 * Guest
 (This account is the built-in guest account)
 * IUSR_WINNT
 * kbeaver
 * nikki
SHARES:
 * ADMIN$
 - Type: Special share reserved for IPC or administrative share
 * IPC$
 - Type: Unknown
 * Here2Bhacked
 - Type: Disk drive
 * C$
 - Type: Special share reserved for IPC or administrative share
 * Finance
 - Type: Disk drive
 * HR
 - Type: Disk drive

This information cannot be gleaned from a default installation of Windows Server 2003, Windows XP, Windows 7, or Windows 8.

You can peruse the output of such tools for user IDs that don’t belong on your system, such as

  • Ex-employee accounts that haven’t been disabled

  • Potential backdoor accounts that a hacker might have created
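As an added example (not from the article or from the Winfo tool), the following PowerShell turns Winfo-style output into a short list of review findings: the password-policy values the excerpt above reports, accounts to confirm, and shares beyond the administrative ones. The function name ConvertFrom-WinfoOutput is hypothetical and the sample text is a constructed excerpt in the same layout as the output shown above.

```powershell
function ConvertFrom-WinfoOutput {
    param([string[]]$Lines)
    $section = ''; $policy = @{}; $users = @(); $shares = @()
    foreach ($raw in $Lines) {
        $t = $raw.Trim()
        # Section headers end in a colon; everything after one belongs to that section
        if ($t -match '^(SYSTEM INFORMATION|PASSWORD POLICY|USER ACCOUNTS|SHARES):$') {
            $section = $Matches[1]; continue
        }
        switch ($section) {
            'PASSWORD POLICY' { if ($t -match '^- (.+?): (.+)$') { $policy[$Matches[1]] = $Matches[2] } }
            'USER ACCOUNTS'   { if ($t -match '^\* (.+)$') { $users += $Matches[1] } }
            'SHARES'          { if ($t -match '^\* (.+)$') { $shares += $Matches[1] } }
        }
    }
    $findings = @()
    if ($policy['Minimum password length'] -match '^0 ') { $findings += 'Minimum password length is 0' }
    if ($policy['Password history length'] -match '^0 ') { $findings += 'No password history enforced' }
    if ($users -contains 'Guest') { $findings += 'Guest account enumerated; confirm it is disabled' }
    # ADMIN$, IPC$ and drive-letter shares are standard; anything else is data advertised to anonymous callers
    foreach ($s in $shares) {
        if ($s -notmatch '^(ADMIN|IPC|[A-Za-z])\$$') { $findings += "Non-administrative share visible: $s" }
    }
    [pscustomobject]@{ Users = $users; Shares = $shares; Findings = $findings }
}

# Constructed sample in the layout of the Winfo excerpt above (not real output)
$sample = @'
PASSWORD POLICY:
 - Maximum password age: 42 days
 - Minimum password age: 0 days
 - Password history length: 0 passwords
 - Minimum password length: 0 characters
USER ACCOUNTS:
 * Administrator
 (This account is the built-in administrator account)
 * Guest
 * kbeaver
SHARES:
 * ADMIN$
 * IPC$
 * C$
 * Finance
 - Type: Disk drive
'@ -split "`r?`n"

(ConvertFrom-WinfoOutput -Lines $sample).Findings
```

For the constructed sample this reports the two password-policy weaknesses, the Guest account, and the Finance share.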

NetUsers

The NetUsers tool can show who has logged in to a remote Windows computer. You can see such information as

  • Abused account privileges

  • Users currently logged into the system

This information can help you track, for auditing purposes, who’s logging in to a system. Unfortunately, this information can be useful for hackers when they’re trying to figure out what user IDs are available to crack.

Countermeasures against null session hacks

If it makes good business sense and the timing is right, upgrade to the more secure Windows Server 2012 or Windows 7. They don’t have the vulnerabilities described in the following list.

You can easily prevent null session connection hacks by implementing one or more of the following security measures:

  • Block NetBIOS on your Windows server by preventing these TCP ports from passing through your network firewall or personal firewall:

    • 139 (NetBIOS sessions services)

    • 445 (runs SMB over TCP/IP without NetBIOS)

  • Disable File and Printer Sharing for Microsoft Networks in the Properties tab of the machine’s network connection for those systems that don’t need it.

  • Restrict anonymous connections to the system. For Windows NT and Windows 2000 systems, you can set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous to a DWORD value as follows:

    • None: This is the default setting.

    • Rely on Default Permissions (Setting 0): This setting allows the default null session connections.

    • Do Not Allow Enumeration of SAM Accounts and Shares (Setting 1): This is the medium security level setting. This setting still allows null sessions to be mapped to IPC$, enabling such tools as Walksam to garner information from the system.

    • No Access without Explicit Anonymous Permissions (Setting 2): This high security setting prevents null session connections and system enumeration.

Microsoft Knowledge Base Article 246261 covers the caveats of using the high security setting for RestrictAnonymous. It’s available on the web at http://support.microsoft.com/default.aspx?scid=KB;en-us;246261.
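An added example (not from the article) that checks a host against the countermeasures listed above: it reads the RestrictAnonymous value and reports what it means using the settings described, then looks for listeners on TCP 139 and 445 and for enabled inbound firewall rules that block them. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (where the Net* cmdlets exist); the function name Test-NullSessionHardening is hypothetical.

```powershell
function Test-NullSessionHardening {
    [CmdletBinding()]
    param()

    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # A missing value behaves like setting 0 (rely on default permissions)
    $ra = (Get-ItemProperty -Path $lsaPath -Name RestrictAnonymous -ErrorAction SilentlyContinue).RestrictAnonymous
    if ($null -eq $ra) { $ra = 0 }

    $meaning = switch ($ra) {
        0 { 'Rely on default permissions: null sessions allowed' }
        1 { 'No enumeration of SAM accounts and shares: a null session to IPC$ still maps' }
        2 { 'No access without explicit anonymous permissions' }
        default { "Unexpected value $ra" }
    }

    # Anything listening on the NetBIOS session port (139) or direct SMB port (445)?
    $listeners = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 139, 445 } |
        Select-Object -ExpandProperty LocalPort -Unique)

    # Enabled inbound block rules whose port filter names 139 or 445 explicitly
    # (a range such as 137-139 is not recognised by this simple check)
    $blockRules = @(Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $ports = @(($_ | Get-NetFirewallPortFilter).LocalPort)
            ($ports -contains '139') -or ($ports -contains '445')
        })

    # Any one of the measures (setting 2, nothing listening, or a block rule) closes the null session path
    [pscustomobject]@{
        RestrictAnonymous = $ra
        Meaning           = $meaning
        ListeningPorts    = $listeners
        InboundBlockRules = @($blockRules | Select-Object -ExpandProperty DisplayName)
        Hardened          = ($ra -eq 2) -or ($listeners.Count -eq 0) -or ($blockRules.Count -gt 0)
    }
}

Test-NullSessionHardening | Format-List
```

On a default modern Windows host TCP 445 is listening, so Hardened is reported only when RestrictAnonymous is 2 or a block rule for the port exists.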
