

Follow the link below to download a script to disable null sessions: Download Disable Null Sessions Script

 

NetBIOS Null Sessions: The Good, The Bad, and The Ugly (UPDATED January 2, 2003)

I. The Null Session Concept: The Good?

II. The Bad and The Ugly

III. Using the Information

IV. How to disable NetBIOS Null Sessions

V. Further Defenses

VI. References and Further reading

The Null Session is often referred to as the "Holy Grail" of Windows hacking.  Listed as the number 5 Windows vulnerability on the SANS/FBI Top 20 list, Null Sessions take advantage of flaws in the CIFS/SMB (Common Internet File System/Server Message Block) architecture.  You can establish a Null Session with a Windows (NT/2000/XP) host by logging on with a null user name and password.  Using these null connections allows you to gather the following information from the host:

-      List of users and groups

-      List of machines

-      List of shares

-      User and host SIDs (Security Identifiers)

This “Feature” of Windows networking exists so that:

-          Trusted domains can enumerate resources

-          Computers outside the domain can authenticate and enumerate users

-          The SYSTEM account can authenticate and enumerate resources

For a full description of how NetBIOS Null Sessions are used in a Windows networking environment see “NULL Sessions In NT/2000” (http://rr.sans.org/win/null.php) by Joe Finamore.  It is perhaps the best description of why Null Sessions exist, and of general Null Session facts.  Another excellent paper is “Weak Passwords + Null Session = Windows 2000 Exploit” (http://www.giac.org/practical/Michael_Kriss_GCIH.doc) by Michael S. Kriss.  It outlines the dangers of Null Sessions and gives an example of an incident that uses this vulnerability.

More times than I can count I have responded to an incident, or audited a host, and it has been vulnerable to a Null Session.  If port 139 is open and it is a Windows host, there is a good chance that I can gather all usernames and shares by executing one command.  I use many tools to do this; here are some examples:

enum (http://razor.bindview.com/tools/desc/enum_readme.html) 

enum is truly one of the best tools for exploiting the Null Session vulnerability.  It is the "Swiss army knife" of Null Session hacking, allowing you to exploit every aspect of this flaw.  Its true power lies in the ability to enumerate users, then try to brute force the password using a supplied password list.  Sample output is below (I usually run with the -S and -U flags as shown below):

C:\tools>enum -SU <IP Address>
server: <IP Address>
setting up session... success.
getting user list (pass 1, index 0)... success, got 5.
  Administrator  Guest  IUSR_CHANNEL  IWAM_CHANNEL  victim_user
enumerating shares (pass 1)... got 4 shares, 0 left:
  IPC$  c  ADMIN$  C$
cleaning up... success.

From the above output we can see that the machine has one additional user aside from the default accounts, called “victim_user”, and that none of the default accounts have been renamed.  This is another “Feature” that Null Sessions provide: if the user has been conscientious and renamed the Administrator account, we can see what it has been changed to.  The Guest account exists as well, which comes by default in most Windows versions and should be left disabled.  It appears as though this machine is also running the Microsoft IIS web server, judging from the IUSR_<machine name> account that exists.  Moving on to the shares we see all of the default hidden administrative shares (denoted by the “$” character), as well as an unhidden share called “c”.  One can only imagine what this share is mapped to on this machine.
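The walkthrough above is what an auditor does by eye for one host.  The following is an added example (Python, not part of the original page and not part of the enum tool) that parses the text enum prints and reports the same findings, so the output of many scans can be triaged consistently.  The sample output is the enum run shown above, embedded as a constructed string; treating anything other than the built-in and IIS accounts as "extra" is an assumption of the example.

```python
"""Triage helper for the output of 'enum -SU'.

Added example, not part of the original page or of the enum tool: it parses
the text enum prints and reports the points the walkthrough makes, so an
auditor scanning many hosts can flag the ones that need attention.
"""
import re

# Accounts every NT/2000/XP host carries by default. Anything else is treated
# as a locally created account worth reviewing (assumption of this example).
DEFAULT_ACCOUNTS = {"Administrator", "Guest"}

# Shares Windows creates itself; the trailing '$' hides them from 'net view'.
DEFAULT_SHARES = {"IPC$", "ADMIN$", "C$"}

# Constructed sample: the enum output from the text above.
SAMPLE_ENUM_OUTPUT = """\
server: <IP Address>
setting up session... success.
getting user list (pass 1, index 0)... success, got 5.
  Administrator  Guest  IUSR_CHANNEL  IWAM_CHANNEL  victim_user
enumerating shares (pass 1)... got 4 shares, 0 left:
  IPC$  c  ADMIN$  C$
cleaning up... success.
"""


def parse_enum_output(text):
    """Return (session_ok, users, shares) from the output of enum -SU.

    enum prints each name list on the line after its 'got N' header, as
    whitespace-separated names. The count in the header is checked against
    the names actually read, so a truncated capture is not silently accepted.
    """
    lines = text.splitlines()
    session_ok = any(line.startswith("setting up session") and line.endswith("success.")
                     for line in lines)
    users, shares = [], []
    for i, line in enumerate(lines):
        match = re.search(r"got (\d+)", line)
        if not match or i + 1 >= len(lines):
            continue
        names = lines[i + 1].split()
        if len(names) != int(match.group(1)):
            raise ValueError("enum reported %s names but %d were read"
                             % (match.group(1), len(names)))
        if line.startswith("getting user list"):
            users = names
        elif line.startswith("enumerating shares"):
            shares = names
    return session_ok, users, shares


def triage(text):
    """Summarize the findings in the order the walkthrough discusses them."""
    session_ok, users, shares = parse_enum_output(text)
    return {
        # A successful null session is itself the finding to fix first.
        "null_session": session_ok,
        # Accounts beyond the built-ins and the IIS service accounts.
        "extra_users": [u for u in users
                        if u not in DEFAULT_ACCOUNTS and not u.startswith(("IUSR_", "IWAM_"))],
        # IUSR_<machine> only exists when IIS has been installed.
        "iis_detected": any(u.startswith("IUSR_") for u in users),
        # Heuristic: if no account is literally named Administrator, it was renamed.
        "administrator_renamed": "Administrator" not in users,
        "guest_present": "Guest" in users,
        # Shares without the '$' suffix are browsable by anyone who can connect.
        "visible_shares": [s for s in shares if not s.endswith("$")],
        "admin_shares": sorted(s for s in shares if s in DEFAULT_SHARES),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ENUM_OUTPUT).items():
        print("%-22s %s" % (key, value))
```

Feeding the block a captured enum run prints the same conclusions the text draws: one extra user, IIS present, the Guest account present, and a browsable share called "c".  The count check matters in practice because enum fetches the user list in passes, and a capture cut off mid-run would otherwise look like a host with fewer accounts than it has.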

Hunt (http://www.foundstone.com/knowledge/proddesc/forensic-toolkit.html)

Part of the NT Forensic Toolkit from Foundstone, this tool makes it very easy to enumerate users and shares from a vulnerable Windows host.  Some sample output is below:

C:\tools>hunt \\<IP Address>
share = IPC$ - Remote IPC
share = c -
share = ADMIN$ - Remote Admin
share = C$ - Default share
User = Administrator, , , Built-in account for administering the computer/domain

Admin is <NetBIOS Name>\Administrator
User = Guest, , , Built-in account for guest access to the computer/domain
User = IUSR_<NetBIOS Name>, Internet Guest Account, Built-in account for anonymous access to Internet Information Services, Built-in account for anonymous access to Internet Information Services
User = IWAM_<NetBIOS Name>, Internet Guest Account, Built-in account for anonymous access to Internet Information Services out of process applications, Built-in account for anonymous access to Internet Information Services out of process applications
User = victim_user Victim Name, ,

Above we see the same information that enum presents, in a slightly different format.

winfo (http://ntsecurity.nu/toolbox/winfo/)

This command line tool queries the host for most of the information made available by a null session (including any trust relationships) and displays it on the screen.  Sample output is below:

L:\>winfo 128.148.151.7 -n
winfo 1.5 - copyright (c) 1999-2001, Arne Vidstrom
          - http://www.ntsecurity.nu/toolbox/winfo/

Trying to establish null session...
Null session established.

USER ACCOUNTS:

* Administrator
   (This account is the built-in administrator account)

 * Guest
   (This account is the built-in guest account)

 * victim_user

WORKSTATION TRUST ACCOUNTS:

INTERDOMAIN TRUST ACCOUNTS:

SERVER TRUST ACCOUNTS:

SHARES:

 * IPC$

 * drivec$

The output above shows the listing of users, similar to the other tools.  winfo is unique in that it will also show the trust relationships this machine may have with other machines.  Finally, it will list the shares it has made available.

dumpsec (http://www.systemtools.com/somarsoft/)

Formerly DumpAcl, this tool is similar to winfo, but has a GUI interface.

Built-in tools

The easiest way to enumerate through a Null Session is to use the "net" utility that comes with most versions of Windows.  Without a Null Session, attempting to list the shares on a remote Windows computer typically gives this result:

C:\tools>net view \\MY.SUB.NET.IP
System error 5 has occurred.

Access is denied.

By default we do not have permission to list the shares.  If we map the IPC$ share (Inter-Process Communication) using the null username and password combination, we are successful:

C:\tools>net use \\MY.SUB.NET.IP\IPC$ "" /u:""
The command completed successfully.

Now we try to list the shares again with greater success:

C:\tools>net view \\MY.SUB.NET.IP
Shared resources at \\MY.SUB.NET.IP

Share name  Type  Used as  Comment
------------------------------------------------------------------------------
c           Disk
The command completed successfully.

An attacker will use the information gained from Null Sessions and try to log on to the system, using various tools that try different username and password combinations.  Recent attacks against University computers have shown that attackers will typically gain access to the system, copy software to the machine (FTP servers, IRC bots, and DDoS tools are very common), then upload illegal (copyrighted and pirated) software for distribution.  The Serv-U FTP Server and the iroffer IRC bot are very common as well.  This task is made easier by users who, when prompted for an administrator password while installing NT/2000/XP, leave it blank.  Please set a password on every account on your machine, if not for the security of your machine, then for the security of all our machines.

Follow the link below to download a script to disable null sessions: Download Disable Null Sessions Script (Authored by Brown University Software Services)

Below are instructions on how to manually disable NetBIOS Null Sessions:

Windows XP Home Edition

Note: This also works in Windows 2000 and XP Professional.

Set the Following Registry Key:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = 2 (REG_DWORD)

Windows XP Professional Edition

Go to Administrative Tools --> Local Security Policy --> Local Policies --> Security Options.  Make sure the following two policies are enabled:

Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled

Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled

Windows 2000

Go to --> Administrative Tools --> Local Security Settings --> Local Policies --> Security Options

Select "Additional restrictions of anonymous connections" in the Policy pane on the right

From the pull down menu labeled "Local policy setting", select
"No access without explicit anonymous permissions"

Click OK

Reboot to make the changes take effect.

Windows NT 4.0 (Service Pack 3 or later)

Set the Following Registry Key:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = 1 (REG_DWORD)

Samba

According to the following post (http://samba.cadcamlab.org/lists/samba-technical/Apr2002/00358.html), Samba handles Null Session requests by mapping a null username and password to the guest account.  So by disabling the UNIX guest account you can supposedly disable Null Sessions in Samba.  We have not tested this as of yet and would be interested in any feedback or experiences you could provide.

While the above describes how to disable this vulnerability on the host, there are some things you can do on the network to help defend against Null Sessions.

Blocking NetBIOS ports on your firewall or border router

Blocking the following ports will prevent Null Sessions (and other attacks that use NetBIOS):

Port   Protocol   Service
135    TCP        DCE/RPC Portmapper
137    TCP/UDP    NetBIOS Name Service
138    TCP/UDP    NetBIOS Datagram Service
139    TCP        NetBIOS Session Service
445    TCP        Microsoft-DS (Windows 2000 CIFS/SMB)

Intrusion Detection

Most Intrusion Detection systems come with signatures to detect Null Session activity, although, when run on the “inside” of your network, they will generate false positives if not configured correctly.  Configuring the Snort (http://www.snort.org/) Null Session detection rule (http://www.snort.org/snort-db/sid.html?id=530) to look only at certain traffic proves to be very effective.  For example, you may only want to look at Null Session attempts from the Internet to your internal network, and IDS rules can be configured accordingly.
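What such a signature is looking at on the wire, shown as an added Python example that is not from the original page and is not Snort's own rule: the block parses the SMB1 (NT LM 0.12) Session Setup AndX request a client sends when it connects to IPC$, flags the null-session form (empty account name and no password material), and applies the source/destination filter the paragraph recommends so that legitimate internal traffic does not alert.  The frames, the IP addresses, the HOME_NET range and the "Windows NT 1381" client string are all constructed for the example.

```python
"""Null-session detection on the wire.

Added example, not part of the original page and not Snort's rule: it parses
the SMB1 (NT LM 0.12) Session Setup AndX request, flags the null-session form
(empty account name, no password), and applies the direction filter the text
recommends. All frames, addresses and the HOME_NET value are constructed.
"""
import ipaddress
import struct

SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_FLAGS_REPLY = 0x80          # set in the Flags byte of a server response
SMB_FLAGS2_UNICODE = 0x8000     # strings in the data area are UTF-16LE
PARAMS_FMT = "<BBHHHHIHHII"     # the 13 parameter words of the request
DATA_OFFSET = 32 + 1 + 26 + 2   # header + WordCount + words + ByteCount


def _ustr(s):
    return s.encode("utf-16-le") + b"\x00\x00"


def build_session_setup(account, domain, password=b"", native_os="Windows NT 1381"):
    """Build a request inside a NetBIOS session-service frame (port 139 transport).

    Constructed sample traffic: the native OS string is a sample client string
    and the password bytes are a placeholder standing in for a real LM response.
    """
    header = (b"\xffSMB" + bytes([SMB_COM_SESSION_SETUP_ANDX]) + struct.pack("<I", 0)
              + bytes([0x18]) + struct.pack("<HH", SMB_FLAGS2_UNICODE, 0) + b"\x00" * 8
              + struct.pack("<HHHHH", 0, 0, 0x1234, 0, 1))   # reserved, TID, PID, UID, MID
    words = struct.pack(PARAMS_FMT, 0xFF, 0, 0, 0xFFFF, 2, 0, 0,
                        len(password), 0, 0, 0x00000004)       # last field: CAP_UNICODE
    data = password
    if (DATA_OFFSET + len(data)) % 2:
        data += b"\x00"             # pad so the UTF-16 strings start on an even offset
    data += _ustr(account) + _ustr(domain) + _ustr(native_os) + _ustr("")
    smb = header + bytes([13]) + words + struct.pack("<H", len(data)) + data
    return bytes([0]) + len(smb).to_bytes(3, "big") + smb


def parse_session_setup(frame):
    """Return account, domain, native OS and password fields, or None if the
    frame is not an NT LM 0.12 Session Setup AndX request."""
    if len(frame) < 4 + DATA_OFFSET or frame[0] != 0:
        return None
    smb = frame[4:4 + int.from_bytes(frame[1:4], "big")]
    if len(smb) < DATA_OFFSET or smb[:4] != b"\xffSMB":
        return None
    command, flags = smb[4], smb[9]
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    if command != SMB_COM_SESSION_SETUP_ANDX or flags & SMB_FLAGS_REPLY or smb[32] != 13:
        return None     # WordCount 12 is the extended-security form, not handled here
    fields = struct.unpack_from(PARAMS_FMT, smb, 33)
    oem_len, uni_len = fields[7], fields[8]
    byte_count = struct.unpack_from("<H", smb, 59)[0]
    data = smb[DATA_OFFSET:DATA_OFFSET + byte_count]
    unicode = bool(flags2 & SMB_FLAGS2_UNICODE)
    pos = oem_len + uni_len
    if unicode and (DATA_OFFSET + pos) % 2:
        pos += 1        # skip the alignment pad the client inserted

    def read_str(p):
        if unicode:
            end = p
            while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
                end += 2
            return data[p:end].decode("utf-16-le", "replace"), end + 2
        end = data.find(b"\x00", p)
        end = len(data) if end < 0 else end
        return data[p:end].decode("ascii", "replace"), end + 1

    account, pos = read_str(pos)
    domain, pos = read_str(pos)
    native_os, _ = read_str(pos)
    return {"account": account, "domain": domain, "native_os": native_os,
            "oem_password": data[:oem_len], "unicode_password_len": uni_len}


def is_null_session(info):
    """A null session carries no account name and no password material. Windows
    clients send a lone null byte as the OEM password, so all-zero counts as empty."""
    return (info is not None and info["account"] == ""
            and info["oem_password"].strip(b"\x00") == b""
            and info["unicode_password_len"] == 0)


def should_alert(frame, src_ip, dst_ip, home_net):
    """The tuning the text recommends: alert only on attempts from outside
    HOME_NET toward hosts inside it."""
    net = ipaddress.ip_network(home_net)
    inbound = ipaddress.ip_address(src_ip) not in net and ipaddress.ip_address(dst_ip) in net
    return inbound and is_null_session(parse_session_setup(frame))


# Constructed frames: a null-session attempt and an ordinary user logon.
NULL_FRAME = build_session_setup("", "", password=b"\x00")
USER_FRAME = build_session_setup("victim_user", "WORKGROUP", password=b"\x11" * 24)

if __name__ == "__main__":
    print(parse_session_setup(NULL_FRAME))
    print("alert:", should_alert(NULL_FRAME, "198.51.100.7", "10.1.2.3", "10.0.0.0/8"))
```

Running the block prints the parsed null-session request and the alert decision for an attempt arriving from outside the constructed HOME_NET.  In a real deployment the frame would come from a capture on port 139 or 445 (the four-byte transport header has the same layout on both), and the WordCount-12 extended-security form that Windows 2000 and later clients can negotiate would also need handling; the point of the direction filter is that the same request from an internal trusted domain controller is expected traffic, which is where the false positives the paragraph mentions come from.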

Account Policy

All versions of Windows that are vulnerable to this attack provide some mechanism to set account policies.  The Center for Internet Security has released benchmark standards for both Windows 2000 and Windows NT that include recommended account policies (see http://www.cisecurity.org/ for more details and to download the benchmarks).  They cover password expiration, password length, and account lockout policies, which should all be applied to your domain (or workstation if you are not part of a domain).  These documents also outline some recommendations for audit policies, or logging of certain activity on your computer.  You should enable logging of security events on your Windows servers and workstations for accounting purposes.  Account and auditing policies should be tailored to each organization's needs.  Having these in place will significantly decrease the risk of someone using Null Sessions to gain access to your machine.

Books:
"Hacking Exposed" or "Hacking Windows 2000 Exposed", Scambray & McClure, Chapter 4: Enumeration

Web Sites:
http://rr.sans.org/win/null.php - “NULL Sessions In NT/2000”
http://www.softheap.com/security/session-access.html - “How is information enumerated through NULL session access, Remote Procedure Calls and IPC$? “
http://www.sygate.com/alerts/Netbios_Null_Attack.htm - “NetBIOS NULL Session Attack in XP”
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/winxppro/proddocs/windows_security_differences.asp - Important differences between Windows NT 4.0 and Windows XP Professional
http://www.nardware.co.uk/Security/NetBIOS/NetBIOSscan2.htm - “Windows Security Secrets”
http://secinf.net/info/nt/wardoc.txt - “THE WINDOWS NT WARDOC: A STUDY IN REMOTE NT PENETRATION, BY NEONSURGE AND THE RHINO9 TEAM”
http://www.sans.org/top20/#W5 - SANS/FBI Top 20 List, Windows NetBIOS Null Sessions vulnerability
http://rr.sans.org/firewall/blocking_ipchains.php - “Top Ten Blocking Recommendations Using ipchains”
http://www.snort.org/ports.html - Ports database


Other Universities Descriptions of NetBIOS Null Sessions:
http://www.cit.cornell.edu/computer/security/scanning/windows/nullsessions.html
http://netsecurity.rutgers.edu/null_sessions.htm
http://security.uchicago.edu/windows/netbios/index.shtml


Copyright 2002

Compiled by Paul Asadoorian, Brown University CIRT, June 17, 2002
Please send any questions/comments to Paul_Asadoorian@brown.edu

Revision 1.0: November 14, 2002 - Added a significant amount of content.

Revision 1.1: January 3, 2003 - Updated for Windows XP Home Edition


This page last updated January 3, 2003


Comments, questions, and suggestions
Computer Incident Response Team
Computing and Information Services
Brown University
Providence, Rhode Island
02912

