NetBIOS NULL Sessions

NetBIOS NULL Sessions: The Good, The Bad, and The Ugly

(Last updated August 17, 2005)

I. The NULL Session Concept: The Good?

II. The Bad and The Ugly.

III. Using the Information.

IV. How to disable NetBIOS NULL Sessions.

V. Further Defenses.

VI. References and Further reading.

I. The NULL Session Concept: The Good?

NULL sessions take advantage of “features” in the SMB (Server Message Block) protocol that exist primarily for trust relationships. You can establish a NULL session with a Windows host by logging on with a NULL user name and password. Using these NULL connections allows you to gather the following information from the host:

  • List of users and groups
  • List of machines
  • List of shares
  • Users and host SID' (Security Identifiers)

NULL sessions exist in windows networking to allow:

  • Trusted domains to enumerate resources
  • Computers outside the domain to authenticate and enumerate users
  • The SYSTEM account to authenticate and enumerate resources

NetBIOS NULL sessions are enabled by default in Windows NT and 2000. Windows XP and 2003 will allow anonymous enumeration of shares, but not SAM accounts.

II. The Bad and the Ugly

The NULL session vulnerability is fairly widespread, however the introduction of Windows XP and Windows 2003 has made it far less useful. For the most part if the appropriate ports are accessible a NULL session is possible.

Port
Protocol
 Description

135
TCP
 Location Service (RPC endpoint mapping)
135
UDP
 Location Service (RPC endpoint mapping)
137
TCP
 NETBIOS Name Service
137
UDP
 NETBIOS Name Service
138
TCP
 NETBIOS Datagram Service
138
UDP
 NETBIOS Datagram Service
139
TCP
 NETBIOS Session Service
139
UDP
 NETBIOS Session Service
445
TCP
 SMB/CIFS

Figure 1

Port 139 or 445 TCP is required to be open in order for a NULL session to be successful (it needs to connect to IPC$ first). The other ports may be required, depending on the configuration, for services such as name resolution. There are many tools available to exploit NULL sessions, here are some examples:

Enum ( http://www.bindview.com/Services/RAZOR/Utilities/Windows/enum_readme.cfm )

enum is truly one of the best tools for exploiting the NULL session vulnerability. It is the "Swiss army knife" of NULL session hacking, allowing you to exploits every aspect of this flaw. Its true power lies in the ability to enumerate users, and then try to brute force the password using a supplied password list. Sample output is below (I usually run with the –S and –U flags as shown below):

 

C:\tools>enum -SU <IP Address>
server: <IP Address>
setting up session... success.
getting user list (pass 1, index 0)... success, got 5.
Administrator Guest IUSR_CHANNEL IWAM_CHANNEL victim_user
enumerating shares (pass 1)... got 4 shares, 0 left:
IPC$ c ADMIN$ C$
cleaning up... success.

 

Figure 2

From the above output we can see that the machine has one additional user aside from the default accounts, called “victim_user”, and that none of the default accounts have been renamed. This is another great usage of NULL sessions, if the user has been conscientious and renamed the administrator account, we can see what it has been changed to. The guest account exists as well, which comes by default in most windows, and should be left disabled. It appears as though this machine is also running Microsoft IIS web server, from the IUSR_<machine name> account that exists. Moving on to the shares we see all of the default hidden administrative shares (denoted by the “$” character), as well as an unhidden share called “c”. The ability to view hidden shares on the host is yet another great feature of NULL sessions.

Hunt ( http://www.foundstone.com/resources/freetools/hunt.zip )

Part of the NT Forensic Toolkit from Foundstone, this tool makes it very easy to enumerate users and shares from a vulnerable windows host, and is the most accurate in my experience. Some sample output is below:

 

C:\tools>hunt \\<IP Address>
share = IPC$ - Remote IPC
share = c -
share = ADMIN$ - Remote Admin
share = C$ - Default share
User = Administrator, , , Built-in account for administering the computer/domain
Admin is <NetBIOS Name>\Administrator
User = Guest, , , Built-in account for guest access to the computer/domain
User = IUSR_<NetBIOS Name>, Internet Guest Account, Built-in account for anonymous access to Internet Information Services, Built-in account for anonymous access to Internet Information Services
User = IWAM_<NetBIOS Name>, Internet Guest Account, Built-in account for anonymous access to Internet Information Services out of process applications, Built-in account for anonymous access to Internet Information Services out of process applications
User = victim_user Victim Name, ,

 

Figure 3

Above we see the same information as enum presents represented in a slightly different format.

winfo ( http://ntsecurity.nu/toolbox/winfo/ )

This command line tool queries the host for most of the information made available by a NULL session (Including any trust relationships) and displays it to the screen. Sample output is below:

 

C:\>winfo 128.148.151.7 –n
winfo 1.5 - copyright (c) 1999-2001, Arne Vidstrom
- http://www.ntsecurity.nu/toolbox/winfo/

Trying to establish null session...
Null session established.

USER ACCOUNTS:

* Administrator
(This account is the built-in administrator account)

* Guest
(This account is the built-in guest account)

* victim_user

WORKSTATION TRUST ACCOUNTS:

INTERDOMAIN TRUST ACCOUNTS:

SERVER TRUST ACCOUNTS:

SHARES:

* IPC$

* drivec$

 

Figure 4

The output above shows the listing of users, similar to the other tools. winfo is unique in that it will also show the trust relationships this machine may have with other machines. Finally, it will list the shares it has made available.

Dumpsec ( http://www.systemtools.com/cgi-bin/download.pl?DumpAcl )

Formerly Dumpacl, This tool is similar to winfo, but has a GUI interface.

Built-in tools

You can use built-in tools to enumerate NULL sessions by executing the following command using the "net" utility that comes with Windows. Without NULL sessions when we attempt to list the shares on a remote windows computer we get the following error:

 

C:\tools>net view \\MY.SUB.NET.IP
System error 5 has occurred.

Access is denied.

 

Figure 5

By default we would not have permissions to list the shares. If we map the IPC$ share (Inter Process Communications) using our NULL username and password combinations we are successful:

 

C:\tools>net use \\MY.SUB.NET.IP\IPC$ "" /u:""
The command completed successfully.

 

Figure 6

Now we try to list the shares again with greater success:

 

C:\tools>net view \\MY.SUB.NET.IP
Shared resources at \\MY.SUB.NET.IP

Share name Type Used as Comment
-------------------------------------------------------

c Disk
The command completed successfully.

 

Figure 7

 

III. Using the Information

An attacker will use the information gained from NULL sessions and try to logon to the system, using various tools that will try different username and password combinations. Common attacks against University computers have shown that attackers will typically gain access to the system, install FTP servers, IRC bots, and DDOS tools, then copy the illegal (copyrighted and pirated) software up for distribution. The FTP server Serv-U FTP Server and the IRC bot iroffer are very common as well. This task is made easier by users who when prompted for an administrator password when installing NT/2000/XP leave it blank. Please set a password on every account on your machine, if not for the security of your machine, then for the security of all our machines.

A worm called “Zotob” that takes advantage of the MS05-039 vulnerability relies on NULL sessions to propagate. Follow the instructions in the next section to protect yourself (and of course apply all operating system patches).

IV. How to Disable NetBIOS NULL Sessions

Follow the link below to download a script to disable NULL sessions: Download Disable NULL sessions Script (Authored by Brown University Software Services)

Below are instructions on how to manually disable NetBIOS NULL sessions:

Windows XP Home Edition

Note: This also works in Windows 2000 and XP Professional.

1. Set the Following Registry Key: HKLM/System/CurrentControlSet/Control/LSA/RestrictAnonymous=2

2. Reboot to make the changes take effect.

Windows XP Professional Edition and Windows Server 2003

1. Go to Administrative Tools --> Local Security Policy --> Local Policies --> Security Options. Make sure the following two policies are enabled:
Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled (Default)
Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled

This can also be accomplished using the following registry keys:
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=1 (This disallows enumeration of shares)
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=1 (Default, not allowing enumeration of user accounts)

2. Reboot to make the changes take effect.

Windows 2000

1. Go to --> Administrative Tools --> Local Security Settings --> Local Policies --> Security Options

2. Select "Additional restrictions of anonymous connections" in the Policy pane on the right

3. From the pull down menu labeled "Local policy setting", select: "No access without explicit anonymous permissions"

4. Click OK

5. The registry setting equivalent is: HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=2

6. Reboot to make the changes take effect.

Windows NT 4.0 (Service Pack 3 or later)

Set the Following Registry Key: HKLM/System/CurrentControlSet/Control/LSA/RestrictAnonymous=1

Samba

I am not certain how this works in the latest releases of Samba. Please email me with any feedback or experiences you could provide.

V. Further Defenses

While the above describes how to disable this vulnerability on the host, there are some things you can do on the network to help defend against NULL sessions:

  • Blocking NetBIOS ports on your firewall or border router
  • Blocking the Windows networking ports in Figure 1 will prevent against NULL sessions (And other attacks that use NetBIOS)
  • Remove the IPC$ share (net share IPC$ /delete)

Intrusion Detection

Most Intrusion Detection systems come with signatures to detect NULL session activity, although when run on the “inside” of your network will generate false positives if not configured correctly. Configuring the Snort ( www.snort.org ) NULL session detection rule ( http://www.snort.org/pub-bin/sigs.cgi?sid=530 ) to look at certain traffic proves to be very effective. For example, you may only want to look at NULL session attempts from the Internet to your internal network, and IDS rules should be configured accordingly.

Account Policy

All versions of Windows that are vulnerable to this attack provide some mechanism to set account policies. The Center for Internet Security has released benchmark standards for all Windows platforms that include recommended account policies (See http://www.cisecurity.org for more details and to download the benchmarks). They cover password expiration, password length, and account lockout policies, which should all be applied to your domain (or workstation if you are not part of a domain). These documents also outline some recommendations for audit policies, or logging of certain activity on your computer. You should enable logging of security events on your windows servers and workstations for accounting purposes. Account and auditing policies should be tailored to individual organizations needs. Having these in place will significantly decrease the risk of someone using NULL sessions to gain access to your machine.

VI. References and Further Reading

Web Sites:

rr.sans.org/win/null.php - “NULL sessions In NT/2000” - Perhaps the best description of why NULL sessions exist, and general NULL session facts includes a complete description of how NetBIOS NULL sessions are used in a Windows networking environment. By Joe Finamore.

www.giac.org/certified_professionals/practicals/gcih/0345.php - “Weak Passwords + NULL Session = Windows 2000 Exploit” -This paper outlines the dangers of NULL sessions and gives an example of incident that uses this vulnerability. By Michael S. Kriss.

www.hsc.fr/ressources/presentations/null_sessions/msrpc_null_sessions.pdf - “MSRPC NULL sessions - exploitation and protection” – A new way to exploit NULL sessions using MSRPC and named pipes. Lets you do more than just view users and shares.

www.softheap.com/security/session-access.html - "How is information enumerated through NULL session access, Remote Procedure Calls and IPC$?"

www.sygate.com/alerts/Netbios_Null_Attack.htm - “NetBIOS NULL Session Attack in XP”

www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/winxppro/proddocs/windows_security_differences.asp - Important differences between Windows NT 4.0 and Windows XP Professional

secinf.net/info/nt/wardoc.txt - “The Windows NT WARDOC: A Study in Remote NT Penetration”

www.sans.org/top20/#w3 - SANS/FBI Top 20 List, Windows Remote Access Services

Books:

"Hacking Exposed" or "Hacking Windows 2000 Exposed", Scambray & McClure, Chapter 4: Enumeration

Other Universities Descriptions of NetBIOS NULL Sessions:

www.cit.cornell.edu/computer/security/scanning/windows/nullsessions.html

rusecure.rutgers.edu/add_sec_meas/nullssn.php

security.uchicago.edu/windows/netbios/index.shtml

mit.edu/ist/topics/windows/server/winmitedu/security.html

Copyright 2002-2005

Authored by Paul Asadoorian, Brown University, June 17, 2002

Please send any questions/comments to paul@oshean.org

Revision 1.0: November 14, 2002 – Added a significant amount of content.

Revision 1.1 January 3, 2003 – Updated for Windows XP Home Edition

Revision 1.3 August 16, 2005 – Updated for Windows 2003, MS05-039 worm, general clean-up and fixed all broken links.