Penetration Testing mailing list archives
Re: Null Session
From: "Lee Lawson" <leejlawson () gmail com>
Date: Mon, 8 Jan 2007 08:52:32 +0000
Michael,

That depends on what you were intending to do with the null session. Mostly it is used for Microsoft Windows enumeration of accounts, account settings and shares.

If the Windows system has the restrictanonymous (restrictanonymoussam for XP) registry setting configured at value zero, you can use the null session to retrieve a list of usernames (local and domain if a domain controller) but you have to use tools like DumpSec to parse the data.

If the Windows system has the restrictanonymous setting at value 1, then you cannot use the null session and DumpSec to retrieve that data. You will have to use a SID scanner to retrieve the information. There are a few out there but my favourites are 'Cain & Abel' and GetAcc. They do not need the registry setting of zero to retrieve the list of usernames from the target system.

If the Windows system has the restrictanonymous setting at value 2, then you will need explicit permissions to enumerate the SAM database and this is only given to the Administrator accounts by default.

If you are after other enumeration attacks, have a look at SNMP, Finger, SMTP etc. Also there are other paths, such as Apache, which used to give different errors if you attempted to access a valid user's home directory or an invalid user's directory.

Then we can start on LDAP (Active Directory) enumeration. If you have a valid account on the AD, you may be able to use LDP.exe (from Microsoft) to enumerate the whole database if you have pre-Windows 2000 compatibility configured.

If you are wanting the null session for any other reason, then I don't think anything else will do.

later,

On 1/5/07, Michael J Condon <mjc001 () jjuno com> wrote:
> What alternatives are there to the "Holy Grail" null session (net use \\ipaddress\IPC$ "" /user:"") if this method does not work?
--
Lee J Lawson
leejlawson () gmail com
leejlawson () hushmail com

"Give a man a fire, and he'll be warm for a day; set a man on fire, and he'll be warm for the rest of his life."

"Quidquid latine dictum sit, altum sonatur."
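A defender-side check of the settings discussed in the message above, as an added example that is not part of the original post: it parses `reg query` output for the Lsa key and reports what each restrictanonymous value exposes according to the post. The key path `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, the sample hosts and the `###` host separators are assumptions of this example.

```python
import re

# Constructed `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa` output for
# three hypothetical hosts; the "### name" separators are this example's own.
SAMPLE = r"""### HOST-A
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymous    REG_DWORD    0x0
    restrictanonymoussam    REG_DWORD    0x0
### HOST-B
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LimitBlankPasswordUse    REG_DWORD    0x1
    RestrictAnonymous    REG_DWORD    0x1
    RestrictAnonymousSAM    REG_DWORD    0x1
### HOST-C
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymous    REG_DWORD    0x2
"""

# Exposure per restrictanonymous value, as described in the post above.
EXPOSURE = {
    0: "null session can list usernames",
    1: "null-session listing blocked, SID scanning still lists usernames",
    2: "SAM enumeration needs explicit permissions",
}
VALUE_RE = re.compile(r"^\s+(\w+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

def parse(text):
    """Return {host: {lowercased_value_name: int}} from concatenated output."""
    hosts, current = {}, None
    for line in text.splitlines():
        if line.startswith("### "):
            current = hosts.setdefault(line[4:].strip(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            # Registry value names are case-insensitive, so normalise them.
            current[m.group(1).lower()] = int(m.group(2), 16)
    return hosts

def audit(text):
    """Return [(host, restrictanonymous, finding)], lowest setting first."""
    rows = []
    for host, vals in parse(text).items():
        ra = vals.get("restrictanonymous")
        finding = EXPOSURE.get(ra, "value not set or unrecognised, check host")
        if vals.get("restrictanonymoussam") == 0:
            finding += "; restrictanonymoussam is 0"
        rows.append((host, ra, finding))
    return sorted(rows, key=lambda r: -1 if r[1] is None else r[1])

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep=" | ")
```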