Windows Null session attack
It is used to enumerate information (passwords, system users, system groups, running system processes). A null session attack exploits an authentication weakness in Windows Administrative Shares: it lets an attacker connect to a local or remote share without authentication.
Manually from Windows
- Enumerate File Server services:
nbtstat -A $ip
# ELS-WINXP <00> UNIQUE Registered
# <00> tells us ELS-WINXP is a workstation.
# <20> says that the file sharing service is up and running on the machine
# UNIQUE tells us that this computer must have only one IP address assigned
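Reading the name table by hand is error-prone, so here is an added Python helper (not part of the original notes) that parses `nbtstat -A` output, labels each <hh> suffix with the service it announces, and flags hosts whose UNIQUE <20> entry shows the File Server service is reachable. The sample output is constructed, and the suffix table covers only the commonly documented values.

```python
import re
# Well-known NetBIOS name suffixes and the service each one announces
# (only the commonly documented entries are listed).
SUFFIX_MEANING = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x20: "File Server Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1E: "Browser Service Elections",
}

# One name-table row:  NAME  <hh>  UNIQUE|GROUP  Registered
ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")

def parse_nbtstat(output):
    """Parse `nbtstat -A <ip>` output into one dict per row (UNIQUE = one host, GROUP = shared)."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator or MAC address line
        name, hexsuf, kind, status = m.groups()
        suffix = int(hexsuf, 16)
        rows.append({"name": name, "suffix": suffix, "kind": kind, "status": status,
                     "service": SUFFIX_MEANING.get(suffix, "unknown suffix")})
    return rows

def file_sharing_exposed(rows):
    """True when a UNIQUE <20> name is registered: the File Server service is running."""
    return any(r["suffix"] == 0x20 and r["kind"] == "UNIQUE" and r["status"] == "Registered"
               for r in rows)

# Constructed sample output (not captured from a real host).
SAMPLE = """\
       Name               Type         Status
    ---------------------------------------------
    ELS-WINXP      <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    ELS-WINXP      <20>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered

    MAC Address = 00-00-00-00-00-00
"""

if __name__ == "__main__":
    for r in parse_nbtstat(SAMPLE):
        print(f"{r['name']:<16}<{r['suffix']:02X}> {r['kind']:<7} {r['service']}")
    print("File sharing exposed:", file_sharing_exposed(parse_nbtstat(SAMPLE)))
```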
- Enumerate Windows Shares. Once we spot a machine with the File Server service running, we can enumerate its shares:
- Verify whether a null session attack is possible by connecting to the IPC$ administrative share without valid credentials.
This tells Windows to connect to the IPC$ share using an empty username and an empty password. It only works with IPC$ (not c$).
Manually from Linux
Using the samba suite: https://www.samba.org/
- Enumerate File Server services:
- With smbclient we can also enumerate the shares provided by a host:
smbclient -L //$ip -N
# -L Look at what services are available on a target
# //$ip Target host; prepend the two slashes
# -N Force the tool not to ask for a password
- Connect:
Be careful: sometimes the shell strips the slashes and you need to escape them.
- Once connected you can browse with the smb command line. To list the allowed commands, type: help
When you know the path of a file and you want to retrieve it:
- from kali:
- from smb command line:
To map users with permissions
To get a specific file in a connection: get flag.txt
Tricks
Enumerate users with enum4linux -U demo.ine.local
Enumerate the permissions of users with smbmap -H demo.ine.local
If some users are missing from the permission list, they may still be accessible; try with:
More tools
- Winfo.
- enum.
- enum4linux.
- SAMRDump.