Saturday, November 28, 2009

NetBIOS Null Sessions

The null session is often referred to as the Holy Grail of Windows hacking. Null sessions take advantage of flaws in CIFS/SMB (Common Internet File System / Server Message Block).
You can establish a Null Session with a Windows (NT/2000/XP) host by logging on with a null user name and password.
Using these null connections allows you to gather the following information from the host:
List of users and groups
List of machines
List of shares
Users and host SIDs (Security Identifiers)
Anyone with a NetBIOS connection to your computer can easily get a full dump of all your usernames, groups, shares, permissions, policies, services and more using the null user.
C:\>net use \\192.34.34.2\IPC$ "" /u:""
The above syntax connects to the hidden Inter-Process Communication share (IPC$) at IP address 192.34.34.2 with the built-in anonymous user (/u:"") and a null ("") password.
The attacker now has a channel over which to attempt various techniques.
The CIFS/SMB and NetBIOS standards in Windows 2000 include APIs that return rich information about a machine via TCP port 139 - even to unauthenticated users.
Null sessions require access to TCP port 139 and/or TCP port 445.
You could also disable SMB services entirely on individual hosts by unbinding WINS Client TCP/IP from the interface.
Edit the registry to restrict the anonymous user:
1. Open regedt32 and navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa
2. Choose Edit | Add Value
Value name: RestrictAnonymous
Data type: REG_DWORD
Value: 2
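One way to spot the null-session connection described above on the receiving host is to watch the Security log for anonymous network logons that go on to open IPC$. The following is an added example, not from the original post: it uses constructed, simplified event text and assumes Vista/2008-style Event IDs 4624 (logon) and 5140 (share access); on the Windows 2000/XP hosts discussed here the network logon event is 540 instead.

```python
# Constructed Security-log excerpts, simplified to the fields this check needs
# (not real logs): one anonymous network logon that then opens IPC$, and one
# ordinary user logon from elsewhere.
SAMPLE_EVENTS = r"""
EventID: 4624
Logon Type: 3
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x3E7A1
Source Network Address: 192.34.34.9
---
EventID: 5140
Account Name: ANONYMOUS LOGON
Logon ID: 0x3E7A1
Share Name: \\*\IPC$
Source Address: 192.34.34.9
---
EventID: 4624
Logon Type: 3
Account Name: jsmith
Account Domain: CORP
Logon ID: 0x3E7B2
Source Network Address: 10.0.0.5
"""

def parse_events(text):
    """Split '---'-separated event blocks into dicts of 'Field: value' pairs."""
    events = []
    for block in text.split("---"):
        fields = {}
        for line in block.strip().splitlines():
            key, sep, val = line.partition(":")
            if sep:
                fields[key.strip()] = val.strip()
        if fields:
            events.append(fields)
    return events

def find_null_sessions(events):
    """Flag null sessions: a 4624 network logon (type 3) by ANONYMOUS LOGON,
    joined on Logon ID with any 5140 share-access events from the same session.
    Returns a list of (source address, logon id, shares touched)."""
    anon = [e for e in events if e.get("EventID") == "4624"
            and e.get("Logon Type") == "3"
            and e.get("Account Name", "").upper() == "ANONYMOUS LOGON"]
    hits = []
    for e in anon:
        shares = [s["Share Name"] for s in events
                  if s.get("EventID") == "5140" and "Share Name" in s
                  and s.get("Logon ID") == e.get("Logon ID")]
        hits.append((e.get("Source Network Address"), e.get("Logon ID"), shares))
    return hits
```

An anonymous logon with no 5140 follow-up is still worth a look; one that reaches IPC$ is the enumeration channel the text describes.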
NBTscan is a program for scanning IP networks for NetBIOS name information.
For each responding host it lists the IP address, NetBIOS computer name, logged-in user name and MAC address.
The first thing a remote attacker will try on a Windows 2000 network is to get a list of the hosts attached to the wire:
1. net view /domain
2. nbtstat -A
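What nbtstat -A and NBTscan actually receive is a NetBIOS Node Status Response on UDP/137 (RFC 1002); parsing one shows exactly which name entries leak the computer name, workgroup, logged-in user and MAC address. This is an added example, not from the original post or from NBTscan itself: the packet is constructed in build_sample() and the suffix table is a subset.

```python
import struct

# NetBIOS name suffixes (16th byte) that nbtstat -A / NBTscan report (subset).
SUFFIX = {0x00: "Workstation/Domain", 0x03: "Messenger (user)", 0x20: "File Server",
          0x1B: "Domain Master Browser", 0x1C: "Domain Controllers", 0x1D: "Master Browser"}

def parse_node_status(pkt):
    """Parse an RFC 1002 NODE STATUS RESPONSE, the UDP/137 reply behind nbtstat -A."""
    flags, qdcount, ancount = struct.unpack("!3H", pkt[2:8])
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a node status response")
    off = 12 + 1 + pkt[12] + 1                        # skip RR_NAME (len, encoded name, 0)
    rr_type, rr_class, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    if rr_type != 0x0021:                             # NBSTAT record type
        raise ValueError("not an NBSTAT resource record")
    off += 10
    num_names, off = pkt[off], off + 1
    names = []
    for _ in range(num_names):                        # 18-byte NODE_NAME entries
        raw, suffix = pkt[off:off + 15], pkt[off + 15]
        nflags = struct.unpack("!H", pkt[off + 16:off + 18])[0]
        names.append({"name": raw.decode("latin-1").rstrip(), "suffix": suffix,
                      "group": bool(nflags & 0x8000), "service": SUFFIX.get(suffix, "?")})
        off += 18
    mac = ":".join("%02X" % b for b in pkt[off:off + 6])   # STATISTICS.UNIT_ID
    return {"names": names, "mac": mac}

def summarize(pkt):
    """Derive the NBTscan columns: computer name, workgroup/domain, logged-in user, MAC."""
    info = parse_node_status(pkt)
    pick = lambda s, g: [n["name"] for n in info["names"] if n["suffix"] == s and n["group"] == g]
    computer = (pick(0x00, False) or [None])[0]
    users = [u for u in pick(0x03, False) if u != computer]  # messenger name != host => user
    return {"computer": computer, "domain": (pick(0x00, True) or [None])[0],
            "user": users[0] if users else None, "mac": info["mac"]}

def build_sample():
    """Constructed reply for host WKS01 in WORKGROUP with JSMITH logged on (not real traffic)."""
    hdr = struct.pack("!6H", 0x1234, 0x8400, 0, 1, 0, 0)
    rr_name = b"\x20" + b"CK" + b"A" * 30 + b"\x00"   # first-level encoding of the "*" name
    entries = [(b"WKS01", 0x00, 0x0400), (b"WORKGROUP", 0x00, 0x8400),
               (b"WKS01", 0x20, 0x0400), (b"WKS01", 0x03, 0x0400), (b"JSMITH", 0x03, 0x0400)]
    body = bytes([len(entries)]) + b"".join(
        n.ljust(15) + bytes([s]) + struct.pack("!H", f) for n, s, f in entries)
    body += bytes.fromhex("00112233AABB") + bytes(40)  # UNIT_ID (MAC) then zeroed statistics
    return hdr + rr_name + struct.pack("!HHIH", 0x0021, 0x0001, 0, len(body)) + body
```

The same parser, run over captures of your own UDP/137 traffic, tells you what each host is currently willing to hand to an unauthenticated scanner.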
DumpSec reveals shares over a null session with the target computer.
The NetBIOS Auditing Tool (NAT) is designed to explore the NetBIOS file-sharing services offered by the target system.
It implements a stepwise approach to gather information and attempt to obtain file system-level access as though it were a legitimate local client.
If a NetBIOS session can be established at all via TCP port 139, the target is declared "vulnerable".
Once the session is fully set up, transactions are performed to collect more information about the server including any file system "shares" it offers.
SNMP is simple. Managers send requests to agents, and the agents send back replies.
The requests and replies refer to variables accessible to agent software.
Managers can also send requests to set values for certain variables.
Traps let the manager know that something significant has happened at the agent's end of things:
a reboot,
an interface failure,
or something else that is potentially bad.
Enumerating NT users via the SNMP protocol is easy using snmputil.
The simplest way to prevent such activity is to remove the SNMP agent or turn off the SNMP service.
If shutting off SNMP is not an option, then change the default 'public' community name.
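Because SNMPv1/v2c carries the community string in the clear, a monitor can decode the message header and flag requests that still use the default names the text warns about. This is an added example, not from the original post or from snmputil: it assumes the standard BER layout of an SNMP message and builds its own sample GetRequest in build_get_request().

```python
# Community names that should never survive on a production agent (assumption: common defaults).
DEFAULT_COMMUNITIES = {"public", "private"}

def _tlv(buf, off):
    """Return (tag, value_bytes, next_offset) for the BER TLV starting at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def parse_community(msg):
    """SNMP message = SEQUENCE { INTEGER version, OCTET STRING community, PDU }."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, version, off = _tlv(body, 0)
    ctag, community, off = _tlv(body, off)
    ptag, _, _ = _tlv(body, off)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("malformed SNMP header")
    return {"version": {0: "v1", 1: "v2c"}.get(int.from_bytes(version, "big"), "other"),
            "community": community.decode("latin-1"),
            "pdu_type": ptag}                # 0xA0 GetRequest, 0xA3 SetRequest, 0xA4 Trap

def is_risky(msg):
    """True when a v1/v2c request relies on a default community string."""
    info = parse_community(msg)
    return info["version"] in ("v1", "v2c") and info["community"] in DEFAULT_COMMUNITIES

def build_get_request(community, version=0):
    """Constructed sample: GetRequest for sysName.0 (1.3.6.1.2.1.1.5.0), request-id 1."""
    def tlv(tag, val):
        return bytes([tag, len(val)]) + val
    oid = tlv(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 5, 0]))          # 1.3 packs into 0x2B
    varbinds = tlv(0x30, tlv(0x30, oid + tlv(0x05, b"")))        # { sysName.0 = NULL }
    pdu = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + varbinds)
    return tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x04, community.encode()) + pdu)
```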
Implement the Group Policy security option called Additional restrictions for anonymous connections.
Access to null session pipes and null session shares should also be restricted, and IPSec filtering applied.
For clients to locate Windows 2000 domain services such as AD and Kerberos, Windows 2000 relies on DNS SRV records.
A simple zone transfer (nslookup's ls -d) can enumerate a lot of interesting network information.
An attacker would look at the following records closely:
1. Global Catalog Service (_gc._tcp)
2. Domain Controllers (_ldap._tcp)
3. Kerberos Authentication (_kerberos._tcp)
You can easily block zone transfers using the DNS property sheet as shown here.

TRACEROUTE

Traceroute works by exploiting a feature of the Internet Protocol called TTL, or Time To Live.
Traceroute reveals the path IP packets travel between two systems by sending out consecutive UDP packets with ever-increasing TTLs.
As each router processes an IP packet, it decrements the TTL. When the TTL reaches zero, the router sends back a "TTL exceeded" message (using ICMP) to the originator.
Routers with DNS entries reveal the name of routers, network affiliation and geographic location.

Locate the Network Range

Commonly includes:
Finding the range of IP addresses
Discerning the subnet mask
Information Sources:
ARIN (American Registry of Internet Numbers)
Traceroute
Hacking Tools:
NeoTrace
Visual Route

NSLOOKUP

Nslookup is a program to query Internet domain name servers. It displays information that can be used to diagnose Domain Name System (DNS) infrastructure.
It helps find additional IP addresses if the authoritative DNS server is known from whois.
The MX record reveals the IP of the mail server.
Both Unix and Windows come with an nslookup client.
Third-party clients are also available, e.g. Sam Spade.

Information Gathering Methodology

Unearth initial information
Locate the network range
Ascertain active machines
Discover open ports / access points
Detect operating systems
Uncover services on ports
Map the Network

Defining Footprinting

Footprinting is the blueprinting of the security profile of an organization, undertaken in a methodical manner.
Footprinting is one of the three pre-attack phases. The others are scanning and enumeration.
Footprinting results in a unique organization profile with respect to networks (Internet / Intranet / Extranet / Wireless) and systems involved.

RECONNAISSANCE


Reconnaissance refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target of evaluation prior to launching an attack.
It involves network scanning, either external or internal, without authorization.

ETHICAL HACKING INTRODUCTION


1. Reconnaissance
   Active / passive
2. Scanning
3. Gaining access
   Operating system level / application level
   Network level
   Denial of service
4. Maintaining access
   Uploading / altering / downloading programs or data
5. Covering tracks