What Is a Null Session?
A null session is a session established with a server without any trust relationship, that is, without supplying a user name or password. Under the Windows 2000 access control model (Windows 2000 is used as the example throughout), establishing even a null session still requires an access token. Because no user is authenticated while the null session is set up, that token carries no user information, and the session therefore cannot be used to send encrypted information between the two systems. This does not mean the null session's token carries no security identifier (SID), the value that identifies a user and the groups it belongs to: for a null session, the LSA supplies a token whose SID is S-1-5-7, the SID of the null session.
Null session
- The null session's account name can be seen in the user list, but it is not found in the SAM database; it belongs to the system's built-in accounts. Its access token contains the following groups:
- Everyone
- Network
- in
- On NT, under the default security settings, a null connection can be used to list the users and shares on the target host, to access anything that grants permissions to Everyone, to read a small part of the registry, and so on. This has limited value, and even less on 2000: in Windows 2000 and later, only Administrators and Backup Operators may access the registry over the network by default, and exploiting it is not straightforward without tools.
- From this it might seem that such an untrusted session is of little use, but for a complete IPC$ intrusion the null session is an indispensable stepping stone, because it lets us export the user list, and most weak-password scanning tools use that list for password guessing. Successfully exporting the user list greatly increases the success rate of guessing. That alone is enough to show the security risk of null sessions; the argument that they are useless is wrong. Here are some specific commands that can be used with a null session:
- 1. First, establish a null connection (this requires IPC$ to be available on the target)
- Command: net use \\ip\ipc$ "" /user:""
- Note: the command above contains four spaces: one between net and use, one after use, and one on each side of the empty password.
- 2. View the shared resources of the remote host
- Command: net view \\ip
- Explanation: once the null connection is established, this command lists the remote host's shares. If sharing is enabled you get output like the following, but this command does not show the default (administrative) shares.
```text
Shared resources at \\*.*.*.*

Share name   Type   Used as   Comment
-----------------------------------------------------------
NETLOGON     Disk             Logon server share
SYSVOL       Disk             Logon server share
The command completed successfully.
```
- 3. View the current time of the remote host
- Command: net time \\ip
- Explanation: this command returns the current time of the remote host.
- 4. Get the list of NetBIOS names registered by the remote host (requires NBT to be enabled on your own machine)
- Command: nbtstat -A ip
- This command returns the remote host's NetBIOS name table, like the following:
```text
Node IpAddress: [*.*.*.*] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    SERVER         <00>  UNIQUE      Registered
    OYAMANISHI-H   <00>  GROUP       Registered
    OYAMANISHI-H   <1C>  GROUP       Registered
    SERVER         <20>  UNIQUE      Registered
    OYAMANISHI-H   <1B>  UNIQUE      Registered
    OYAMANISHI-H   <1E>  GROUP       Registered
    SERVER         <03>  UNIQUE      Registered
    OYAMANISHI-H   <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    INet~Services  <1C>  GROUP       Registered
    IS~SERVER......<00>  UNIQUE      Registered

    MAC Address = 00-50-8B-9A-2D-37
```
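The name table is only useful if you know what each suffix means. The following Python parser is an added example, not code from the original article: it extracts each registered name and suffix from `nbtstat -A` output, labels it using Microsoft's published NetBIOS suffix list, and derives the host name, domain and roles. The sample string is constructed from the shape of the output above.

```python
import re

# NetBIOS suffix meanings (Microsoft's published list); others report "unknown".
SUFFIXES = {("00", "UNIQUE"): "Workstation Service (computer name)",
            ("00", "GROUP"): "Domain or workgroup name",
            ("03", "UNIQUE"): "Messenger Service", ("1D", "UNIQUE"): "Master Browser",
            ("20", "UNIQUE"): "File Server Service (host offers shares)",
            ("1B", "UNIQUE"): "Domain Master Browser (PDC)",
            ("1C", "GROUP"): "Domain Controllers",
            ("1E", "GROUP"): "Browser Service Elections",
            ("01", "GROUP"): "Master Browser (__MSBROWSE__)"}
ROW = re.compile(r"^\s*(?P<name>.*?)\s*<(?P<suffix>[0-9A-F]{2})>\s+"
                 r"(?P<kind>UNIQUE|GROUP)\s+(?P<status>\w+)")
MAC = re.compile(r"MAC Address\s*=\s*([0-9A-F]{2}(?:-[0-9A-F]{2}){5})")

def meaning(name, suffix, kind):
    """IIS registers names of its own; for everything else the suffix decides."""
    if name.upper() == "INET~SERVICES" or name.upper().startswith("IS~"):
        return "IIS"
    return SUFFIXES.get((suffix, kind), "unknown")

def parse_nbtstat(text):
    """Parse 'nbtstat -A' output into name-table rows plus the MAC address."""
    rows, mac = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name = m["name"].strip(".")  # drop the dot padding of short names
            rows.append({"name": name, "suffix": m["suffix"], "type": m["kind"],
                         "meaning": meaning(name, m["suffix"], m["kind"])})
        elif (mm := MAC.search(line)):
            mac = mm.group(1)
    return rows, mac

def summarize(rows):
    """Derive host name, domain and roles from the registered names."""
    by_key = {(r["suffix"], r["type"]): r["name"] for r in reversed(rows)}
    return {"hostname": by_key.get(("00", "UNIQUE")),
            "domain": by_key.get(("00", "GROUP")),
            "file_server": ("20", "UNIQUE") in by_key,
            "dc": any(r["meaning"] == "Domain Controllers" for r in rows)}

# Constructed sample, modelled on the output shown above.
SAMPLE = """    Name               Type         Status
    SERVER         <00>  UNIQUE      Registered
    OYAMANISHI-H   <00>  GROUP       Registered
    OYAMANISHI-H   <1C>  GROUP       Registered
    SERVER         <20>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    INet~Services  <1C>  GROUP       Registered
    IS~SERVER......<00>  UNIQUE      Registered
    MAC Address = 00-50-8B-9A-2D-37"""
```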
- 5. Some people append $ to a share name to hide it, but such shares can still be seen with net share at the command prompt;
- This hiding is only a limitation of Microsoft's standard Windows client (net view), not of the server. The share is treated no differently on the wire, so a modified client or third-party client software can see the so-called hidden shares; smbclient is the typical example.
- 6. Some people put a password on the share, but I have heard there are ways to crack it
- Whether it can be cracked depends on the level of protection. Pure brute force needs no discussion; it is always possible. Windows 95 and 98 also have another vulnerability, the well-known vredir.vxd flaw: the password length the server uses for verification is actually supplied by the client, which means at most 256 guesses (fewer in practice, considering the range of printable characters) are needed to get in. Early on, many people used this to browse other people's machines without permission. It was reported to Microsoft in 2000 and has since been patched.
- Incidentally, this vulnerability can also be used to quickly recover the original password, although that is not necessary for the attack.
- 7. In 2000, SMB can run directly over TCP/IP without the additional NBT layer, using TCP port 445. So one might expect 2000 to be a little harder to deal with than NT in this respect.
- In fact the opposite is true. When the ssaxh_capabilities field indicates that "extended security authentication" is not used, the original authentication mechanism applies: simply drop the NBT session request and change 139/TCP to 445/TCP, and the null session can still be established and IPC$ opened successfully.
- The higher-level RPC over SMB needs no changes at all. In other words, going from 139/TCP to 445/TCP removes just one NBT Session Request/Response pair from the whole exchange; the subsequent messages are identical for both.
- The so-called NBT layer is not actually removed even in 445 communication; it is still there, and the only difference is the one described above.
- 8. If NBT is enabled on the client, both ports 139 and 445 are contacted when connecting. Microsoft does not let 139/TCP compete fairly with 445/TCP. At a macro level the SYN packets that initiate the two connections are sent at the same time; sometimes the 139/TCP connection request goes out first, sometimes the 445/TCP one.
- When sending the final ACK of the three-way handshake to 139/TCP, Windows piggybacks data on it: an NBT Session Request made with a deliberately incorrect NetBIOS name (*SMBSERV<00...(8)>). 445/TCP, by contrast, needs no NBT-layer session.
- Because of the deliberately incorrect NetBIOS name, 139/TCP can hardly compete with 445/TCP: the server returns a Negative NBT Session Response and close()s the connection, so a new TCP connection to 139/TCP (at the transport layer) has to be established.
- Clearly the deliberately wrong NetBIOS name exists only to give 445/TCP a head start. Unfortunately 445/TCP is a busy, heavily loaded port, so even in this unfair contest 139/TCP may still establish an NBT session (note: an NBT session, not a TCP connection) before 445/TCP does. In that case 445 gets an RST and the subsequent SMB session runs over the 139/TCP connection.
- Microsoft's own operating systems do not recognize "*SMBSERV<00...(8)>", but Samba Server 2.2.5 does and actually returns a Positive Session Response. This became one way to identify a Samba server accurately.
- Microsoft does not mention any of this in <>; it just says that 139/TCP and 445/TCP compete fairly and whichever answers first is used. Don't believe that nonsense.
- That said, unless a specific need arises there is no reason to care about this difference at all. When the need does arise, the difference is decisive.
- 9. Most obviously, null sessions can easily be connected to other domains to enumerate users, machines, and so on. This is the principle behind the detection done by scanning software.
- XP and 2003 prohibit the PolicyAccountDomainInformation query over null sessions by default: LsarOpenPolicy2 (44) fails with access denied. If an SMB session is established beforehand with a valid account and password instead of a null session, LsarOpenPolicy2 (44) returns successfully.
- The above is what is usually done with null sessions. It looks like a lot can be obtained, but note that establishing an IPC$ connection leaves a record in the Event Log, whether or not the logon succeeds.
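Because every IPC$ connection is logged, the Event Log is where a defender sees null sessions and the password guessing that usually follows a user-list export. The Python below is an added example, not part of the original article: it classifies network-logon audit records (event 540/529 on 2000/XP/2003, 4624/4625 on later versions, logon type 3) and flags sources that logged on as S-1-5-7 or racked up repeated failures. The key=value record format and all sample records are constructed for the example, not real Windows log output.

```python
import re
from collections import Counter

# Logon audit event IDs: 540/529 (success/failure) on Windows 2000, XP and 2003,
# 4624/4625 on later versions. Logon type 3 is a network logon, which is what an
# IPC$ connection produces; a null session logs on as S-1-5-7 (ANONYMOUS LOGON).
SUCCESS, FAILURE, NETWORK = {540, 4624}, {529, 4625}, 3
NULL_SESSION_SID = "S-1-5-7"
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Turn one constructed key=value audit line into a dict."""
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    rec["EventID"] = int(rec["EventID"])
    rec["LogonType"] = int(rec.get("LogonType", 0))
    return rec

def classify(rec):
    """'null_session', 'logon', 'failed_logon', or None for non-network events."""
    if rec["LogonType"] != NETWORK:
        return None
    if rec["EventID"] in SUCCESS:
        anonymous = (rec.get("TargetUserSid") == NULL_SESSION_SID
                     or rec.get("TargetUserName", "").upper() == "ANONYMOUS LOGON")
        return "null_session" if anonymous else "logon"
    return "failed_logon" if rec["EventID"] in FAILURE else None

def analyze(lines, guess_threshold=5):
    """Sources that opened null sessions, and sources whose failure count looks
    like the password guessing that follows a user-list export."""
    null_sources, failures = set(), Counter()
    for rec in map(parse_record, lines):
        label, src = classify(rec), rec.get("IpAddress", "?")
        if label == "null_session":
            null_sources.add(src)
        elif label == "failed_logon":
            failures[src] += 1
    return {"null_sessions": sorted(null_sources),
            "guessing": sorted(ip for ip, n in failures.items() if n >= guess_threshold)}

# Constructed sample (not real log output): a null session from .55 followed by
# five failed network logons, a normal logon from .20, and an event-540 style
# null session from .60.
SAMPLE = [
    'EventID=4624 LogonType=3 TargetUserName="ANONYMOUS LOGON" TargetUserSid=S-1-5-7 IpAddress=192.0.2.55',
    'EventID=4624 LogonType=3 TargetUserName=alice TargetUserSid=S-1-5-21-1-2-3-1001 IpAddress=192.0.2.20',
    'EventID=540 LogonType=3 TargetUserName="ANONYMOUS LOGON" TargetUserSid=S-1-5-7 IpAddress=192.0.2.60',
] + [f'EventID=4625 LogonType=3 TargetUserName={u} IpAddress=192.0.2.55'
     for u in ("administrator", "alice", "bob", "guest", "backup")]
```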