Windows Null Session Enumeration

Null Sessions are a ‘feature’ of Windows allowing an anonymous user to connect to the IPC$ share and enumerate certain information. We can connect to this under Windows using the commands:

    net use \\IP_ADDRESS\ipc$ "" /user:""
    net use

or from Linux with:

    rpcclient -U "" IP_ADDRESS

Once connected and at the “rpcclient $>” prompt, we can issue a ‘?’ to look at the supported commands. The most interesting are ‘enumdomusers’, ‘netshareenum’, ‘netshareenumall’ and ‘querydominfo’. Here’s the output against a sample lab machine:

    rpcclient $> enumdomusers
    cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host 192.168.1.20!
    user:[admin] rid:[0x3ef]
    user:[Administrator] rid:[0x1f4]
    user:[npn] rid:[0x3f0]
    user:[Guest] rid:[0x1f5]
    rpcclient $> querydominfo
    cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host 192.168.1.20!
    Domain: WINSRV
    Server:
    Comment:
    Total Users: 13
    Total Groups: 1
    Total Aliases: 0
    Sequence No: 899
    Force Logoff: -1
    Domain Server State: 0x1
    Server Role: ROLE_DOMAIN_PDC
    Unknown 3: 0x1
    rpcclient $> […]
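When auditing a host for this exposure it helps to turn the rpcclient transcript into something you can check automatically. The following is an added example (not from the original post, and not part of rpcclient): it parses the enumdomusers and querydominfo output shown above, skips the DCERPC fault lines, and reports whether the well-known built-in accounts (RID 500 and 501) are visible to an anonymous caller and how the listed user count compares with the Total Users figure. The sample transcript is constructed from the output above.

```python
import re

# Constructed sample: the rpcclient transcript from the post above.
SAMPLE_OUTPUT = """\
rpcclient $> enumdomusers
cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host 192.168.1.20!
user:[admin] rid:[0x3ef]
user:[Administrator] rid:[0x1f4]
user:[npn] rid:[0x3f0]
user:[Guest] rid:[0x1f5]
rpcclient $> querydominfo
cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host 192.168.1.20!
Domain: WINSRV
Server:
Comment:
Total Users: 13
Total Groups: 1
Total Aliases: 0
Sequence No: 899
Force Logoff: -1
Domain Server State: 0x1
Server Role: ROLE_DOMAIN_PDC
Unknown 3: 0x1
"""

USER_RE = re.compile(r"^user:\[(?P<name>[^\]]*)\] rid:\[(?P<rid>0x[0-9a-fA-F]+)\]$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?):\s*(?P<value>.*)$")
FAULT_MARKER = "RPC fault code"  # DCERPC_FAULT_OP_RNG_ERROR lines carry no data

# Well-known relative identifiers: these identify the built-in accounts
# even if an administrator has renamed them.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

def parse_enumdomusers(text):
    """Return {username: rid_as_int} for every 'user:[..] rid:[..]' line."""
    users = {}
    for line in text.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            users[m.group("name")] = int(m.group("rid"), 16)
    return users

def parse_querydominfo(text):
    """Return the 'Key: value' fields printed by querydominfo as strings."""
    info = {}
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("rpcclient") or FAULT_MARKER in s or USER_RE.match(s):
            continue  # prompts, fault noise and user lines are not domain fields
        m = FIELD_RE.match(s)
        if m:
            info[m.group("key")] = m.group("value").strip()
    return info

def audit(text):
    """Summarise what an anonymous caller learned from the transcript."""
    users = parse_enumdomusers(text)
    info = parse_querydominfo(text)
    exposed = {n: WELL_KNOWN_RIDS[r] for n, r in users.items() if r in WELL_KNOWN_RIDS}
    return {
        "users_listed": len(users),
        "total_users_claimed": int(info.get("Total Users", "0")),
        "exposed_builtins": exposed,
        "server_role": info.get("Server Role", ""),
    }
```

Run audit() over a saved rpcclient session; a non-empty exposed_builtins means the host still answers SAMR queries anonymously, and a gap between users_listed and total_users_claimed shows the enumeration did not return the whole account list.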

August 10th, 2013 | 2 Comments