NULL Sessions and Enumeration

by AcidFlame  (flameacid@hotmail.com)

I wrote this article because there is a real shortage of articles on NULL sessions and enumeration.

For this tutorial I used Windows 2000, though it is possible to use NULL sessions and enumeration on UNIX systems and Windows 9x.

First of all, what are NULL sessions?

NULL sessions are the connections to Windows shares with no username or password.  They are usually connections to the IPC$ (Inter-Process Communication) share on a Windows computer.  This share is hidden if you try to browse it in Windows, but usually you can see it if you type in this line in the command prompt:

C:\> net view \\TargetComputer

This will show all the shares including IPC$.

Next I made a NULL session to the TargetComputer:

C:\> net use \\TargetComputer\IPC$ "" /user:""

If the other computer allows NULL sessions you would probably see "This operation completed successfully."  This means that your computer made a connection to the TargetComputer.

The next part is enumeration.  The IPC$ share is a share that contains a lot of data about the TargetComputer (users, lists of shares, groups, etc.).  You can request all that information off of that computer if it allows you to do so (most of the time it does!).

One of the best programs for this is a program called ENUM.EXE, which is a DOS program that you can easily find on the Internet.

By running ENUM.EXE and listing a few options and the TargetComputer, you can see all the users, groups, shares, etc.

I'm not going to go into detail with the complete list of information you can get.  I tested this program on Windows NT 4.0, Windows 2000, and Windows XP.  It works on Windows NT 4.0 and Windows 2000, but Windows XP blocks out most of the information.

Many computers are unsecured from this (for example, I tried it on our school district's domain server and ended up with all the names of the 5,000+ users).

Enumeration also helps if the username of the Administrator has been changed.  By running ENUM.EXE you can see the name of the renamed Administrator in the list; in this case you would see:

SpongeBob (Built-in account for the administrator)
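The NULL session created with the net use command above is a network logon by the ANONYMOUS LOGON account, so on the receiving machine it leaves a trace in the Security log.  The following PowerShell script is an added example (not part of the original article) that reads successful logon events (Event ID 4624), keeps the network logons (LogonType 3) made by ANONYMOUS LOGON, and groups them by source address so you can see which machines have been opening NULL sessions to yours.  It assumes logon auditing is enabled on the host and that it is run from an elevated prompt; the 24-hour look-back window is a constructed default.

```powershell
# Added example (not from the article): list NULL-session logons recorded in
# the local Security event log. Assumes logon auditing (Event ID 4624) is on
# and the script is run elevated. Look-back window is a constructed default.
param(
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# 4624 = successful logon. LogonType 3 = network logon, which is what an SMB
# connection to IPC$ produces. A NULL session appears as the account
# "ANONYMOUS LOGON" (domain NT AUTHORITY).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$nullSessions = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML instead of relying
    # on positional Properties[] indices.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['LogonType'] -eq '3' -and $data['TargetUserName'] -eq 'ANONYMOUS LOGON') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            SourceIP    = $data['IpAddress']
            Workstation = $data['WorkstationName']
            AuthPackage = $data['AuthenticationPackageName']
        }
    }
}

if (-not $nullSessions) {
    "No anonymous network logons in the last $Hours hour(s)."
} else {
    # One line per source address, so a host that enumerated you repeatedly
    # shows up once with a count and a first/last-seen time.
    $nullSessions | Group-Object SourceIP | Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceIP';  e = { $_.Name } },
                      Count,
                      @{ n = 'FirstSeen'; e = { ($_.Group | Measure-Object Time -Minimum).Minimum } },
                      @{ n = 'LastSeen';  e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
        Format-Table -AutoSize
}
```

Save it as a .ps1 file and run it with -Hours 72 (for example) to widen the window.  A single anonymous logon from a machine that then never touches any share is a common sign that somebody ran an enumeration tool against you; a steady trickle from a server or printer is more likely a legacy application that still relies on NULL sessions, which is worth knowing before you turn them off.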

There is also a way to turn this off.  It requires you to go into the system registry and add a new entry, which disables NULL connections to your computer.

In the folder:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Create a value called RestrictAnonymous and set it to: 1

This will block out NULL connections.
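To make the registry change above repeatable, and to check it before and after, here is an added PowerShell example (not from the article) that audits the Lsa settings governing anonymous access and, when run with -Remediate, applies the RestrictAnonymous = 1 setting the article describes.  It also reports RestrictAnonymousSAM and EveryoneIncludesAnonymous, which exist on Windows XP/2003 and later and cover the same area, but it leaves those two untouched; which values apply on a given system and what they default to is something to confirm for your Windows version.  It assumes an elevated prompt.

```powershell
# Added example (not from the article): audit the Lsa anonymous-access
# settings and, with -Remediate, set RestrictAnonymous = 1 as the article
# describes. Run from an elevated prompt.
param(
    [switch]$Remediate
)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# RestrictAnonymous is the value the article covers and the only one this
# script will change. The other two are reported only (assumed present on
# XP/2003 and later; absent on older systems).
$checks = @(
    @{ Name = 'RestrictAnonymous';         Expected = 1; Fix = $true  },
    @{ Name = 'RestrictAnonymousSAM';      Expected = 1; Fix = $false },
    @{ Name = 'EveryoneIncludesAnonymous'; Expected = 0; Fix = $false }
)

if (-not (Test-Path $lsa)) { throw "Registry path not found: $lsa" }
$props = Get-ItemProperty -Path $lsa

foreach ($c in $checks) {
    $current = $props.($c.Name)          # $null when the value does not exist
    $display = if ($null -eq $current) { '(none)' } else { $current }
    $state   = if ($null -eq $current) { 'MISSING' }
               elseif ([int]$current -eq $c.Expected) { 'OK' }
               else { 'WEAK' }

    "{0,-26} current={1,-7} expected={2} [{3}]" -f $c.Name, $display, $c.Expected, $state

    if ($Remediate -and $c.Fix -and $state -ne 'OK') {
        if ($null -eq $current) {
            # Value is missing: create it as a DWORD, which is the type Lsa expects.
            New-ItemProperty -Path $lsa -Name $c.Name -PropertyType DWord -Value $c.Expected | Out-Null
        } else {
            Set-ItemProperty -Path $lsa -Name $c.Name -Value $c.Expected
        }
        "  -> set $($c.Name) to $($c.Expected); reboot for the change to take full effect."
    }
}
```

Run it once without -Remediate to see the current state, apply the change, reboot, and run it again; then repeat the net use command from earlier against your own machine to confirm the NULL session is now refused.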

I hope this helps secure your computer or improve your knowledge.

Greetz to Guybrush, DadyShEre, Kommando, and OrangeBeast.
