Null Sessions and Enumeration
by AcidFLame   (flameacid@hotmail.com)

     I wrote this article because there is a shortage of articles on null
sessions and enumeration.  For this tutorial I used Windows 2000, though the
same technique works against any SMB server that accepts anonymous IPC$
connections, including Windows NT 4 and Samba on UNIX hosts.  Win9x file
sharing accepts anonymous connections too, but it has no account database, so
there is little to enumerate there beyond share names.

     First of all, what are null sessions?  Null sessions are anonymous SMB
sessions: connections to a Windows computer's IPC$ (Inter-Process
Communication) share made with an empty username and an empty password.
IPC$ is hidden when you browse the computer in Windows, because shares whose
names end in '$' are left out of browse lists, but it exists on every NT-based
host.  Start by listing the visible shares from the command prompt:

	net view \\TargetComputer

This lists the shares the computer advertises.  IPC$ is not among them because
of the '$' suffix, but it is there all the same.  Next, make a null session to
it:
	
	net use \\TargetComputer\IPC$ "" /user:""

If the TargetComputer allows null sessions, net prints "The command completed
successfully."  Your computer now holds an anonymous SMB session to it.  A host
that refuses null sessions answers "System error 5 has occurred.  Access is
denied." instead.

     The next part is enumeration.  IPC$ is not a file share; it is the
named-pipe share through which the Windows RPC services (the SAM, the LSA and
the server service) are reached.  Over a null session you can ask those
services for the users, groups, shares, password policy and more, provided
the computer allows anonymous queries, and on NT 4 and Windows 2000 the
default is to allow them.

     One of the best tools for this is enum.exe, a free Win32 command-line
program that is easy to find on the Internet.  Point it at the TargetComputer
with a few options and it lists what the anonymous RPC interfaces give away,
for example:

	enum -U -G -S -P -L TargetComputer

(-U users, -G groups, -S shares, -P password policy, -L LSA policy).  I'm not
going to go through the complete list of information you can get.  I tested
this program on WinNT 4, Win2000, and WinXP.  It works on WinNT 4 and Win2000,
but WinXP blocks most of the information, because XP ships with anonymous SAM
enumeration turned off (its RestrictAnonymousSAM value defaults to 1).  Many
computers are unsecured from this (for example, I tried it on our school
district's domain server and ended up with all the names of the 5000+ users).
Enumeration also defeats renaming the Administrator account.  The built-in
account always has relative ID (RID) 500 and, unless someone edits it, keeps
its default description, so the new name stands out in the user list, in this
case:

	SpongeBob (Built-in account for administering the computer/domain)
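
The steps above, null session first and user enumeration second, as an added
PowerShell example for a modern client talking to a legacy target.  This is
not code from the original article.  It repeats the tutorial's 'net use'
command through Start-Process (so the empty "" password survives PowerShell's
own argument quoting) and then lists accounts over that session with the ADSI
WinNT provider, flagging the built-in Administrator by its fixed RID 500
rather than by name.  It assumes the target permits anonymous SAM queries
(RestrictAnonymous=0) and that the client still has the SMB1 client and NTLM
enabled, which an NT 4 or Windows 2000 target requires.  'TargetComputer' is
a placeholder host name.

```powershell
# Added example, not from the original article.  Assumes RestrictAnonymous=0 on
# the target and SMB1/NTLM available on the client.  'TargetComputer' is a
# placeholder.

function Connect-NullSession {
    param([Parameter(Mandatory)][string]$Target)
    # A single-string -ArgumentList is passed to net.exe verbatim, so the empty
    # "" password and /user:"" reach it exactly as typed in the tutorial.
    $p = Start-Process -FilePath net.exe -NoNewWindow -Wait -PassThru `
         -ArgumentList ('use \\{0}\IPC$ "" /user:""' -f $Target)
    return ($p.ExitCode -eq 0)   # 0 means "The command completed successfully."
}

function Disconnect-NullSession {
    param([Parameter(Mandatory)][string]$Target)
    # Tear the anonymous session down again when finished.
    Start-Process -FilePath net.exe -NoNewWindow -Wait `
        -ArgumentList ('use \\{0}\IPC$ /delete' -f $Target) | Out-Null
}

function Get-AnonymousUserList {
    param([Parameter(Mandatory)][string]$Target)
    # The WinNT provider speaks SAM RPC over the SMB session net.exe just opened.
    # With RestrictAnonymous=1 or higher this enumeration fails with
    # "Access is denied" even though the session itself was accepted.
    $computer = [ADSI]"WinNT://$Target"
    foreach ($child in $computer.Children) {
        if ($child.SchemaClassName -ne 'user') { continue }
        # objectSid arrives as a byte array; decode it to S-1-5-21-...-RID.
        $sid = New-Object System.Security.Principal.SecurityIdentifier($child.objectSid.Value, 0)
        $rid = [int]($sid.Value -split '-')[-1]
        [pscustomobject]@{
            Name           = $child.Name
            Description    = $child.Description.Value
            RID            = $rid
            IsBuiltinAdmin = ($rid -eq 500)   # renamed or not, RID 500 is Administrator
        }
    }
}

$Target = 'TargetComputer'
if (Connect-NullSession -Target $Target) {
    try {
        Get-AnonymousUserList -Target $Target |
            Sort-Object RID |
            Format-Table Name, RID, IsBuiltinAdmin, Description -AutoSize
    } finally {
        Disconnect-NullSession -Target $Target
    }
} else {
    Write-Warning "$Target refused the null session (anonymous access blocked)."
}
```

The Description column shows the default "Built-in account for administering
the computer/domain" only while nobody has edited it; the RID column is the
reliable signal, because the relative ID of the built-in Administrator cannot
be changed by renaming the account.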

     There is also a way to turn this off, which means adding a value to the
system registry that disables anonymous access to your computer.  Under the
key:

	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

create a REG_DWORD value (not a subkey) named 'RestrictAnonymous' and set it
to 1, then reboot, because the LSA only reads it at startup.  On Windows 2000
the same setting is exposed in Local Security Policy under Security Options as
"Additional restrictions for anonymous connections".  A value of 1 stops the
anonymous listing of SAM accounts and share names, which is what enum.exe
relies on, but the null session itself is still accepted and account names can
still be recovered one at a time through SID lookups.  Windows 2000 therefore
adds the value 2, which refuses anonymous access entirely; use it with care,
since it breaks NT 4-style trusts and services that depend on null sessions.
Check the result from another machine by repeating the 'net use' line above
and then enum.exe: with 1 the session is accepted but the listings are refused,
with 2 the session itself is refused with "Access is denied".
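
The registry hardening just described, as an added PowerShell example that is
not code from the original article.  It audits the RestrictAnonymous value on
the local machine, reports whether the host is still in the weak default
state, and sets the value as a REG_DWORD rather than a subkey.  It assumes an
elevated PowerShell on the host being hardened, and the meaning of the levels
follows the NT 4 / Windows 2000 documentation (0 default, 1 no SAM and share
enumeration, 2 no anonymous access, Windows 2000 only).

```powershell
# Added example, not from the original article.  Run elevated on the host being
# hardened.  Level meanings follow the NT 4 / Windows 2000 documentation.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RestrictAnonymous {
    # An absent value is the default, 0: anonymous callers may list accounts
    # and shares.  Treat it as 0 rather than as "unset".
    $item = Get-ItemProperty -Path $LsaKey -Name RestrictAnonymous -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.RestrictAnonymous
}

function Test-RestrictAnonymous {
    $level  = Get-RestrictAnonymous
    $status = switch ($level) {
        0       { 'WEAK: null sessions can enumerate users, groups and shares' }
        1       { 'OK: SAM and share enumeration refused; session and SID lookups still allowed' }
        2       { 'OK: anonymous access refused entirely (may break NT 4 trusts and some services)' }
        default { "UNKNOWN value $level" }
    }
    [pscustomobject]@{ Level = $level; Status = $status }
}

function Set-RestrictAnonymous {
    param([ValidateSet(0, 1, 2)][int]$Level = 1)
    # RestrictAnonymous is a REG_DWORD *value* under the Lsa key, not a subkey.
    # New-ItemProperty -Force creates it or overwrites an existing one.
    New-ItemProperty -Path $LsaKey -Name RestrictAnonymous -PropertyType DWord `
        -Value $Level -Force | Out-Null
    # The LSA reads this at startup, so the new level is live only after a reboot.
    return (Get-RestrictAnonymous)
}

# Audit, then raise the weak default to 1.
Test-RestrictAnonymous
if ((Get-RestrictAnonymous) -eq 0) {
    $null = Set-RestrictAnonymous -Level 1
    Write-Host 'RestrictAnonymous set to 1; reboot for it to take effect.'
    Test-RestrictAnonymous
}
```

On a Windows 2000 box, which has no PowerShell, the same change is the one
reg.exe line
'reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RestrictAnonymous /t REG_DWORD /d 1 /f',
or the Local Security Policy setting named in the text.  After the reboot,
repeat the tutorial's 'net use' and enum.exe steps from another machine to
confirm the listings are gone.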

     I hope this helps secure your computer or improve your knowledge.

Greetz to Guybrush, DadyShEre, Kommando, and OrangeBeast.
