Penetration Testing mailing list archives
Re: Null Session
From: pand0ra <pand0ra.usa () gmail com>
Date: Sat, 6 Jan 2007 23:29:51 -0700
The ability to use null session is directly linked to this Win2k registry setting (give or take the OS):

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\

If this setting is disabled then (as far as I know) you will not be able to enumerate any system information using the null session method. Null sessions are used for anonymous users, kind of similar to the IUSR account for IIS. As far as I know (or that I can think of ATM), there is no other method that can do the same thing as a null session (without conducting an attack).

On 1/5/07, Michael J Condon <mjc001 () jjuno com> wrote:
What alternatives are there to the "Holy Grail" null session (net use \\ipaddress\IPC$ "" /user:"") if this method does not work?
Current thread:
- Null Session Michael J Condon (Jan 06)
- Re: Null Session Peter Wood (Jan 08)
- Re: Null Session Lee Lawson (Jan 08)
- Re: Null Session pand0ra (Jan 08)
- Re: Null Session Paul Asadoorian (Jan 13)
- <Possible follow-ups>
- Re: Null Session kushwadhwa (Jan 08)
- Re: Null Session kushwadhwa (Jan 10)