Null Session
A null session is an anonymous connection to a freely accessible network share called IPC$ on Windows-based servers.[1] It allows immediate read and write access with Windows NT/2000 and read-access with Windows XP and 2003.
To establish such a connection from a DOS-prompt these commands can be used:
net use \\IP address_or_host name\ipc$ “” /user:””
net use
Regarding the possibilities from such a connection, from a NULL session, hackers can call APIs and use Remote Procedure calls to enumerate information. These techniques can, and will provide information on passwords, groups, services, users and even active processors. NULL session access can also even be used for escalating privileges and perform DoS attacks.
This hack method can be used to gather Windows host configuration information, such as user IDs and share names and edit parts of the remote computer’s registry.
Although Windows Server 2008, Windows XP, Windows 7, and Windows 8 don’t allow null session connections by default, Windows 2000 Server does — and (sadly) plenty of those systems are still around to cause problems on most networks.
Steps to map a null session
Follow these steps for each Windows computer to which you want to map a null session:
- Format the basic net command, as
net use \\host_name_or_IP_address\ipc$ “” “/user:”
The net command to map null sessions requires these parameters, net followed by the use command, the IP address or hostname of the system to which you want to map a null connection and a blank password and username.
- Press Enter to make the connection.
After you map the null session, you should see the message The command completed successfully. To confirm that the sessions are mapped, enter this command at the command prompt – net use. You should see the mappings to the IPC$ share on each computer to which you’re connected.
Countermeasures
If it makes good business sense and the timing is right, upgrade to the more secure Windows Server 2012 or Windows 7. The countermeasures for rest are
- Block NetBIOS on your Windows server by preventing these TCP ports from passing through your network firewall or personal firewall – 139 (NetBIOS sessions services) and 445 (runs SMB over TCP/IP without NetBIOS)
- Disable File and Printer Sharing for Microsoft Networks in the Properties tab of the machine’s network connection for those systems that don’t need it.
- Restrict anonymous connections to the system.
SNMP Enumeration
The Simple Network Management Protocol is used to manage and monitor hardware devices connected to a network and to utilise SNMP in this fashion you need three distinct components
- Network Management System
- SNMP Agents
- Managed devices (SNMP agent deployed)
The managed devices records information and by use of the deployed agent communicates with the overarching Network Management System. This information is stored in a Management Information Base (MIB). SNMP is dangerous as it is a clear text protocol and as such could potentially provide valuable information to an attacker
You may have heard of SNMP Community Strings, the default are Public and Private. Should you be utilising SNMP in your domain, these should be changed as they are the first strings that an attacker will try to gain information about your network and more dangerously, control over your hardware. Another term of note is SNMP Traps, this is generally when a device has been configured to receive pre-configured alerts/ information from other clients. SNMP uses UDP Port 161 to communicate.
Most network hosts run SNMP enabled with the default read/write community strings of public/private. The majority of network devices have SNMP enabled and don’t even need it. If SNMP is compromised, a hacker may be able to gather such network information as ARP tables, usernames, and TCP connections to attack your systems further. If SNMP shows up in port scans, you can bet that a malicious attacker will try to compromise the system.
Some utilities for SNMP enumeration are the commercial tools NetScanTools Pro and Essential NetTools and the free Windows GUI-based Getif.
Countermeasures
- Always disable SNMP on hosts if you’re not using it — period.
- Block the SNMP ports (UDP ports 161 and 162) at the network perimeter.
- Change the default SNMP community read string from public and the default community write string from private to another long and complex value that’s virtually impossible to guess.