A NULL session is an unauthenticated connection to an NT/W2000 machine. Gaining
NULL session access to an NT/W2000 system is the number one method hackers use
to enumerate information about an NT/W2000 machine. From a NULL session a
hacker can call APIs and use Remote Procedure Calls (RPC) to enumerate
information. These techniques can, and will, provide information on password
policy, groups, services, shares, users and even active processes. NULL session
access can also be used for escalating privileges and performing DoS attacks.
See the table below for the TCP/UDP ports involved and their use within NT/W2000.
Keyword      Decimal   Description
---------------------------------------------------------------
loc-srv      135/tcp   Location Service (RPC endpoint mapping)
loc-srv      135/udp   Location Service (RPC endpoint mapping)
netbios-ns   137/tcp   NetBIOS Name Service
netbios-ns   137/udp   NetBIOS Name Service
netbios-dgm  138/tcp   NetBIOS Datagram Service
netbios-dgm  138/udp   NetBIOS Datagram Service
netbios-ssn  139/tcp   NetBIOS Session Service
netbios-ssn  139/udp   NetBIOS Session Service

For more information on port usage, see RFC 1001 and RFC 1002.
The above ports are usually found open on a default NT/W2000 installation (in
practice NetBIOS over TCP/IP uses UDP for the name and datagram services, 137
and 138, and TCP for the session service, 139). A NULL session is made to TCP
port 139, but the other ports are often required for the called code to work
effectively; port 135, for example, is used for RPC endpoint mapping so that a
client can find the dynamic port an RPC interface listens on. Windows 2000
additionally serves SMB directly over TCP port 445, so on that platform a NULL
session can be established there as well, with no NetBIOS layer involved.
From a hacker's point of view, when thinking about writing code to enumerate
this information, exactly what can be called is hard to know beyond what is
already known. There is little documentation available outside Microsoft that
describes the different calls available once a NULL session has been
established. The only thing to do is try whatever one can think of, see what
happens, and then work out why it behaves the way it does; there may well be
things nobody outside Microsoft knows of yet. A lot of what is known, though,
has been written into tools that enumerate this information: penetration
scanners, DumpACL, epdump, Getmac and even net view use these techniques. This
is the only mechanism currently built into NT/Windows 2000 for gathering such
information remotely. These interfaces are unfortunately a double-edged sword,
a trade-off between usability and security. Windows 2000 uses the same method
for information enumeration, so the same problems, and the same usability,
persist.
What this does tell us is that NULL sessions, RPC and the like should not be
allowed across public networks, or even on private networks on some occasions,
if security is a concern. This type of access relies on the session-layer
protocols Server Message Block (SMB) and NetBIOS, which provide higher-layer
functionality on top of plain TCP/UDP/IP. A TCP/IP connection to port 139 is
made, then SMB and NetBIOS are used to connect to the hidden NT share IPC$.
From the NT command line this can be performed with the following:

    net use \\127.0.0.1\ipc$ "" /user:""

Substitute the target's address or NetBIOS name for 127.0.0.1; the empty
password and empty user name are what make it a NULL session, and the session
is torn down again with net use \\127.0.0.1\ipc$ /delete. This technique was
programmatically written into an old exploit called the Redbutton attack.
From this NULL session connection all of the above tools can be used and
standard Microsoft APIs called. For example, the Win32 functions
LookupAccountName and LookupAccountSid translate an account name to its SID
(and therefore its RID) and a SID back to an account name. Examples of these
functions being called can be seen in user2sid.exe and sid2user.exe, developed
by Evgenii Borisovich Rudnyi.
What is shown below is a programmatic connection to an NT/W2000 machine via a
NULL session that then enumerates the true Administrator account. This is
achieved by using the APIs to look up the SID whose relative identifier (RID)
is 500, which is always the built-in Administrator account, renamed or
otherwise: the machine's (or domain's) SID is learned by translating any known
account name, the final RID is replaced with 500, and that SID is translated
back to whatever name it currently carries. The following code segment was
supplied by JD Glaser of NT OBJECTives, Inc., whose site
(http://www.ntobjectives.com/) is an excellent source of NT tools that
demonstrate this same level of remote access.