I'm studying for the CEH and working through some exercises on null sessions.  I'm not sure how useful they are in real life now since it seems XP sp3 and any newer systems seem to have fixed the issue, but I suppose there could be older machines...

Anyways, I have an unpatched XP with no service pack running as a virtual machine and another running XPsp3 where I test from.

I didnt have an any trouble setting up a null session as it told me it was set up successfully.  However, it did take some work to get user2sid to work remotely...it always told me the user did not exist, even though the previous step set up the null session and ports 137 and 445 were both open.  It did seem to work once I put both machines in the same workgroup.

However, I then tried dumpsec to get an enumerated list, but I haven't been able to get that to work.  I set up the null session as before and can use the net use command and user2sid remotely, but after connecting to the same machine in dumpsec it fails to retrieve a list of users...am i doing something wrong?  Is dumpsec broken for XP?  I tried to find some other enum tools that were mentioned in my book, but I cant even find any to download.  The one enum.exe download i found was corrupted, tried searching for 4getacct as mentioned in my book, but the only thing pulled up by google wwas references to the chapter from the book I'm reading.

I also checked the registry settings, which were still the defaults.  Restrictanom was set to 0 and restrictanomsam was set to 1.  Tried changing this to 0 as well to see if that would fix the issue with dumpsec but still no luck...

So...anyone have any ideas?  Is it worth the trouble to even try to get this to work?  Can i still use this in real life or just need to know the idea for the CEH?

Welcome Superman859 to the forum!

Based on what you wrote, you know more than you need to pass the C|EH exam. This exam focuses more on which tools can be used to exploit a NULL session vulnerability and how can you check if there is a NULL session in the first place.

Although knowledge is always good, I think you are going too far for this exam... 

Check Network access: Allow anonymous SID/name translation

http://technet.microsoft.com/en-us/library/cc728431%28WS.10%29.aspx


Even when Network access: Do not allow anonymous enumeration of SAM accounts (and shares) is enabled you can still use sid2user and user2sid as it uses a separate api to pull that information and will still work if that SID/name translation is set to 1.

You could automate this with a FOR loop for all the user accounts starting with RID 1000 and going to 1050. Admin accounts start at 500 so just modify the script accordingly