NetBIOS NULL Sessions: The Good, The Bad, and The Ugly
(Last updated August 17, 2005)
I. The NULL Session Concept: The Good?
NULL sessions take advantage of “features” in the SMB (Server Message Block) protocol that exist primarily for trust relationships. You can establish a NULL session with a Windows host by logging on with a NULL user name and password. Using these NULL connections allows you to gather the following information from the host:
NULL sessions exist in windows networking to allow:
NetBIOS NULL sessions are enabled by default in Windows NT and 2000. Windows XP and 2003 will allow anonymous enumeration of shares, but not SAM accounts.
II. The Bad and the Ugly
The NULL session vulnerability is fairly widespread, however the introduction of Windows XP and Windows 2003 has made it far less useful. For the most part if the appropriate ports are accessible a NULL session is possible.
Port 139 or 445 TCP is required to be open in order for a NULL session to be successful (it needs to connect to IPC$ first). The other ports may be required, depending on the configuration, for services such as name resolution. There are many tools available to exploit NULL sessions, here are some examples:
enum is truly one of the best tools for exploiting the NULL session vulnerability. It is the "Swiss army knife" of NULL session hacking, allowing you to exploits every aspect of this flaw. Its true power lies in the ability to enumerate users, and then try to brute force the password using a supplied password list. Sample output is below (I usually run with the –S and –U flags as shown below):
From the above output we can see that the machine has one additional user aside from the default accounts, called “victim_user”, and that none of the default accounts have been renamed. This is another great usage of NULL sessions, if the user has been conscientious and renamed the administrator account, we can see what it has been changed to. The guest account exists as well, which comes by default in most windows, and should be left disabled. It appears as though this machine is also running Microsoft IIS web server, from the IUSR_<machine name> account that exists. Moving on to the shares we see all of the default hidden administrative shares (denoted by the “$” character), as well as an unhidden share called “c”. The ability to view hidden shares on the host is yet another great feature of NULL sessions.
Part of the NT Forensic Toolkit from Foundstone, this tool makes it very easy to enumerate users and shares from a vulnerable windows host, and is the most accurate in my experience. Some sample output is below:
Above we see the same information as enum presents represented in a slightly different format.
winfo ( http://ntsecurity.nu/toolbox/winfo/ )
This command line tool queries the host for most of the information made available by a NULL session (Including any trust relationships) and displays it to the screen. Sample output is below:
The output above shows the listing of users, similar to the other tools. winfo is unique in that it will also show the trust relationships this machine may have with other machines. Finally, it will list the shares it has made available.
Formerly Dumpacl, This tool is similar to winfo, but has a GUI interface.
You can use built-in tools to enumerate NULL sessions by executing the following command using the "net" utility that comes with Windows. Without NULL sessions when we attempt to list the shares on a remote windows computer we get the following error:
By default we would not have permissions to list the shares. If we map the IPC$ share (Inter Process Communications) using our NULL username and password combinations we are successful:
Now we try to list the shares again with greater success:
III. Using the Information
An attacker will use the information gained from NULL sessions and try to logon to the system, using various tools that will try different username and password combinations. Common attacks against University computers have shown that attackers will typically gain access to the system, install FTP servers, IRC bots, and DDOS tools, then copy the illegal (copyrighted and pirated) software up for distribution. The FTP server Serv-U FTP Server and the IRC bot iroffer are very common as well. This task is made easier by users who when prompted for an administrator password when installing NT/2000/XP leave it blank. Please set a password on every account on your machine, if not for the security of your machine, then for the security of all our machines.
A worm called “Zotob” that takes advantage of the MS05-039 vulnerability relies on NULL sessions to propagate. Follow the instructions in the next section to protect yourself (and of course apply all operating system patches).
IV. How to Disable NetBIOS NULL Sessions
Follow the link below to download a script to disable NULL sessions: Download Disable NULL sessions Script (Authored by Brown University Software Services)
Below are instructions on how to manually disable NetBIOS NULL sessions:
Windows XP Home Edition
Note: This also works in Windows 2000 and XP Professional.
Windows XP Professional Edition and Windows Server 2003
Windows NT 4.0 (Service Pack 3 or later)
V. Further Defenses
While the above describes how to disable this vulnerability on the host, there are some things you can do on the network to help defend against NULL sessions:
Most Intrusion Detection systems come with signatures to detect NULL session activity, although when run on the “inside” of your network will generate false positives if not configured correctly. Configuring the Snort ( www.snort.org ) NULL session detection rule ( http://www.snort.org/pub-bin/sigs.cgi?sid=530 ) to look at certain traffic proves to be very effective. For example, you may only want to look at NULL session attempts from the Internet to your internal network, and IDS rules should be configured accordingly.
All versions of Windows that are vulnerable to this attack provide some mechanism to set account policies. The Center for Internet Security has released benchmark standards for all Windows platforms that include recommended account policies (See http://www.cisecurity.org for more details and to download the benchmarks). They cover password expiration, password length, and account lockout policies, which should all be applied to your domain (or workstation if you are not part of a domain). These documents also outline some recommendations for audit policies, or logging of certain activity on your computer. You should enable logging of security events on your windows servers and workstations for accounting purposes. Account and auditing policies should be tailored to individual organizations needs. Having these in place will significantly decrease the risk of someone using NULL sessions to gain access to your machine.
VI. References and Further Reading
rr.sans.org/win/null.php - “NULL sessions In NT/2000” - Perhaps the best description of why NULL sessions exist, and general NULL session facts includes a complete description of how NetBIOS NULL sessions are used in a Windows networking environment. By Joe Finamore.
www.giac.org/certified_professionals/practicals/gcih/0345.php - “Weak Passwords + NULL Session = Windows 2000 Exploit” -This paper outlines the dangers of NULL sessions and gives an example of incident that uses this vulnerability. By Michael S. Kriss.
www.hsc.fr/ressources/presentations/null_sessions/msrpc_null_sessions.pdf - “MSRPC NULL sessions - exploitation and protection” – A new way to exploit NULL sessions using MSRPC and named pipes. Lets you do more than just view users and shares.
www.softheap.com/security/session-access.html - "How is information enumerated through NULL session access, Remote Procedure Calls and IPC$?"
www.sygate.com/alerts/Netbios_Null_Attack.htm - “NetBIOS NULL Session Attack in XP”
www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/winxppro/proddocs/windows_security_differences.asp - Important differences between Windows NT 4.0 and Windows XP Professional
secinf.net/info/nt/wardoc.txt - “The Windows NT WARDOC: A Study in Remote NT Penetration”
www.sans.org/top20/#w3 - SANS/FBI Top 20 List, Windows Remote Access Services
"Hacking Exposed" or "Hacking Windows 2000 Exposed", Scambray & McClure, Chapter 4: Enumeration
Other Universities Descriptions of NetBIOS NULL Sessions:
Authored by Paul Asadoorian, Brown University, June 17, 2002
Please send any questions/comments to firstname.lastname@example.org
Revision 1.0: November 14, 2002 – Added a significant amount of content.
Revision 1.1 January 3, 2003 – Updated for Windows XP Home Edition
Revision 1.3 August 16, 2005 – Updated for Windows 2003, MS05-039 worm, general clean-up and fixed all broken links.