Null sessions in XP

Superman859

Newbie

Posts: 5

Joined: Wed Dec 15, 2010 5:57 pm

Post Wed Dec 15, 2010 6:11 pm

Null sessions in XP

I'm studying for the CEH and working through some exercises on null sessions.  I'm not sure how useful they are in real life now since it seems XP sp3 and any newer systems seem to have fixed the issue, but I suppose there could be older machines...

Anyways, I have an unpatched XP with no service pack running as a virtual machine and another running XPsp3 where I test from.

I didn't have any trouble setting up a null session as it told me it was set up successfully.  However, it did take some work to get user2sid to work remotely...it always told me the user did not exist, even though the previous step set up the null session and ports 137 and 445 were both open.  It did seem to work once I put both machines in the same workgroup.

However, I then tried dumpsec to get an enumerated list, but I haven't been able to get that to work.  I set up the null session as before and can use the net use command and user2sid remotely, but after connecting to the same machine in dumpsec it fails to retrieve a list of users...am I doing something wrong?  Is dumpsec broken for XP?  I tried to find some other enum tools that were mentioned in my book, but I can't even find any to download.  The one enum.exe download I found was corrupted; I tried searching for 4getacct as mentioned in my book, but the only thing pulled up by Google was references to the chapter from the book I'm reading.

I also checked the registry settings, which were still the defaults.  Restrictanom was set to 0 and restrictanomsam was set to 1.  Tried changing this to 0 as well to see if that would fix the issue with dumpsec but still no luck...

So...anyone have any ideas?  Is it worth the trouble to even try to get this to work?  Can I still use this in real life or do I just need to know the idea for the CEH?
network+, security+

ziggy_567

Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Thu Dec 16, 2010 11:34 am

Re: Null sessions in XP

I use enum4linux all the time. It works against all versions of Windows provided they allow null sessions.

http://labs.portcullis.co.uk/application/enum4linux/
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Dec 16, 2010 12:10 pm

Re: Null sessions in XP

Welcome Superman859 to the forum!

Based on what you wrote, you know more than you need to pass the C|EH exam. This exam focuses more on which tools can be used to exploit a NULL session vulnerability and how you can check if there is a NULL session in the first place.

Although knowledge is always good, I think you are going too far for this exam...  ;)
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

Superman859

Newbie

Posts: 5

Joined: Wed Dec 15, 2010 5:57 pm

Post Thu Dec 16, 2010 3:42 pm

Re: Null sessions in XP

@h1t M0nk3y : You're right.  I probably do know enough to pass the C|EH considering the format it's in and things of that nature.  But I don't intend to stop at the C|EH and want to learn along the way as it will help me in the real world as well as preparation for more challenging exams in the future.  Might as well learn it right the first time!

@ziggy : I downloaded enum4linux and it seems it could be pretty handy and straightforward to use.  Unfortunately I'm having the same issue with it that I had using Dumpsec.  I can't enumerate information even though it seems like it connects fine using IPC$.

With enum4linux running enum4linux.pl -a targetIP I see it successfully gets:

domain/workgroup name (workgroup in this case)
nbstat information
server allows sessions using username '' password ''
domain SID (NULL SID), can't determine if host is part of domain or workgroup
gets some OS information

But now we start having issues:
users on targetIP:
couldn't find users using querydispinfo or enumdomusers: NT_STATUS_ACCESS_DENIED

share enumeration:
share enumeration works (gets shares, including IPC$ and a test one I created), but
session request to targetIP failed (called name not present)
attempting to map shares fails resulting in denied for all shares EXCEPT
targetIP/IPC$ mapping: OK Listing: Denied

And then later on,
couldn't get RID: NT_STATUS_ACCESS_DENIED. RID cycling not possible


And that's basically it.  So again, seems to be the same issue.  Can connect to IPC$ but can't really get much information.

Double-checked settings on targetIP...both restrictanonymous and restrictanonymoussam are currently set to 0.  Windows Firewall is off altogether...
network+, security+

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Thu Dec 16, 2010 5:09 pm

Re: Null sessions in XP

Check Network access: Allow anonymous SID/name translation

http://technet.microsoft.com/en-us/library/cc728431%28WS.10%29.aspx

Even when Network access: Do not allow anonymous enumeration of SAM accounts (and shares) is enabled you can still use sid2user and user2sid, as they use a separate API to pull that information and will still work if that SID/name translation is set to 1.

You could automate this with a FOR loop for all the user accounts starting with RID 1000 and going to 1050. Admin accounts start at 500, so just modify the script accordingly.

  Code:
for /L %i IN (1000,1,1050) DO sid2user \\targetpc  "machine sid space delimited" %i >> users.txt
Last edited by tturner on Thu Dec 16, 2010 5:19 pm, edited 1 time in total.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
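The thread keeps coming back to the same question: which local settings on the XP box decide what an anonymous IPC$ session can enumerate. The script below is an added audit example written for this thread, not something posted by any of the participants: run it on the host being checked (the XP VM here), and it reports the LSA and LanmanServer values the posts mention (RestrictAnonymous, RestrictAnonymousSAM) plus the related ones, and pulls the "Allow anonymous SID/name translation" policy from a secedit export, where it appears under the security-template name LSAAnonymousNameLookup. The "hardened" values are the ones documented for these settings; the OS default state is reported when a value is simply absent.

```powershell
# Added audit example (not from the thread): report the settings that decide
# what a null session (IPC$ with empty username/password) can enumerate.
# Run locally on the host being checked; needs PowerShell 2.0 or later.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Registry value, hardened value, and what the setting controls.
$checks = @(
    @{ Key = $lsa; Name = 'RestrictAnonymous';         Want = 1; Note = 'anonymous share/user listing (thread: 0 = XP default)' },
    @{ Key = $lsa; Name = 'RestrictAnonymousSAM';      Want = 1; Note = 'anonymous SAM account listing (thread: 1 = XP default)' },
    @{ Key = $lsa; Name = 'EveryoneIncludesAnonymous'; Want = 0; Note = 'anonymous logon gets Everyone group permissions' },
    @{ Key = $srv; Name = 'RestrictNullSessAccess';    Want = 1; Note = 'null-session access limited to NullSessionShares/Pipes' }
)

function Get-RegDword($key, $name) {
    # Returns $null when the value is absent so the caller can flag "default".
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$name
}

$findings = @()
foreach ($c in $checks) {
    $val = Get-RegDword $c.Key $c.Name
    $state = if ($val -eq $null) { 'NOT SET (OS default applies)' }
             elseif ($val -eq $c.Want) { 'OK' } else { 'WEAK' }
    $findings += New-Object PSObject -Property @{
        Setting = $c.Name; Value = $val; Hardened = $c.Want; State = $state; Controls = $c.Note
    }
}

# "Network access: Allow anonymous SID/name translation" is LSA policy, not a
# plain registry value; read it from a security-template export instead.
$cfg = Join-Path $env:TEMP 'nullsession-audit.inf'
secedit /export /cfg $cfg | Out-Null
$lookup = Select-String -Path $cfg -Pattern '^LSAAnonymousNameLookup\s*=\s*(\d)' |
          ForEach-Object { $_.Matches[0].Groups[1].Value }
Remove-Item $cfg -ErrorAction SilentlyContinue
$findings += New-Object PSObject -Property @{
    Setting = 'LSAAnonymousNameLookup'; Value = $lookup; Hardened = 0
    State = $(if ($lookup -eq '0') { 'OK' } elseif ($lookup) { 'WEAK (sid2user/user2sid answer anonymously)' } else { 'UNKNOWN' })
    Controls = 'anonymous SID/name translation (tturner post)'
}

$findings | Format-Table Setting, Value, Hardened, State, Controls -AutoSize
```

A row showing WEAK or NOT SET for RestrictAnonymous together with a 1 for LSAAnonymousNameLookup is the combination that lets the sid2user loop above walk the RIDs; the secedit export needs an administrative shell.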
