Server Message Block (SMB) is a service often overlooked by new penetration testers. That is an unfortunate oversight, given the valuable information it exposes and the opportunity it offers for a quick initial foothold on a network. Do yourself a favor and don't make this mistake as a budding hacker.
This blog will act as the first part in the SMB series, covering avenues for enumeration and paths to getting initial access, both applicable to the world of CTF boxes and to real-life penetration testing. Null sessions are one piece that pops up in CTFs consistently and in the real world every so often. Regardless, many of the techniques demonstrated here can be used alone or with a limited account.
Enjoy the blog and let me know your favorite technique to pair with a Null Session.
What is a Null Session?
One of the easiest things to look for is signing in with an anonymous session or the default Guest account. Although 'Guest' is not technically null, both can be authenticated without a password.
To be a little more precise, a null session is technically an anonymous session connected to the IPC$ share. To read more about null sessions, check out the For Dummies page on null session attacks. I love how they explain stuff in easy-to-grasp terms.
They specify that Windows Server 2008 and Windows XP through Windows 8 (probably 10 as well) are not configured this way by default. However, keep an eye out for Server 2000 systems. They are, in fact, vulnerable.
You may be asking, "I have seen this in CTFs, but does this still occur in real life?" Yes, it does. I still come across this flaw occasionally during my pen tests.
Default Vulnerable Versions: Windows Server 2000
Null sessions are one of those vulnerabilities that is quick to find and can result in tons of great info. Therefore, I almost always check to see if the vulnerability exists in the environment.
Many tools are installed by default in Kali to help you take advantage of null sessions. My favorite has always been enum4linux, a very simple tool that only requires a target to run.
From Null to User
If a null session exists and enum4linux runs successfully, you will be gifted good data. This information can be used to conduct password spraying, download files, or upload files onto the vulnerable system. From my personal experience, password spraying is the technique most likely to land you a foothold on a system.
Why? Users are lazy, and administrators are often lazy (or busy). Typically, within a couple of hours I will net a handful of accounts just by guessing passwords.
So what does this look like in real life? First, I curate a list of accounts from the enum4linux output using the command-line utilities grep and cut. This will be my list of target accounts.
Second, I review the password policy to see how many guesses I can make before the counter resets. This is listed in the "Password Policy Information" section of the enum4linux output. You are looking for the following properties:
Sample Password Policy Output from HTB
The "Reset Account Lockout" value tells you how long it takes before your failed logon count resets to zero. This tells you how long you must wait between your batches of guesses.
The "Account Lockout Threshold" tells you how many guesses per batch you can make before an account is locked out. In the real world, I leave a two-guess buffer to ensure I don't lock out a ton of accounts and create havoc on the network. This is just personal preference, but when I test I try not to piss off the IT team as much as possible.
The third piece is the "Locked Account Duration." This tells you, if you do lock out an account, how long you must wait before the account is no longer locked out. If this is a really low number, feel free to be a little more liberal with your guesses.
Reset Account Lockout - Time between guess batches
Account Lockout Threshold - Number of guesses per batch
Locked Account Duration - How long a locked-out account stays locked
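The three settings above can be read straight out of the enum4linux text and turned into a risk figure, which is just as useful when reviewing your own domain's policy as when planning a test. The script below is an example added for this post, not the author's or enum4linux's own code. The "[+] label: value" layout of the sample policy is constructed to resemble the Password Policy Information section (adjust the labels to your tool's output), and the 10-guess and 15-minute review limits in assess() are illustrative thresholds of my own, not from the post.

```python
import re

# Constructed sample in the style of enum4linux's "Password Policy Information"
# section. The labels are an assumption about the tool's output; this is not a
# capture from any real host.
SAMPLE_POLICY = """\
[+] Password Info for Domain: EXAMPLE

    [+] Minimum password length: 7
    [+] Password history length: 24
    [+] Maximum password age: 41 days 23 hours 53 minutes
    [+] Minimum password age: 1 day
    [+] Reset Account Lockout Counter: 30 minutes
    [+] Locked Account Duration: 30 minutes
    [+] Account Lockout Threshold: 5
    [+] Forced Log off Time: Not Set
"""

UNITS = {"day": 1440, "days": 1440, "hour": 60, "hours": 60, "minute": 1, "minutes": 1}


def parse_minutes(text):
    """'1 day 4 minutes' -> 1444; 'Not Set' or 'None' -> None."""
    total, found = 0, False
    for num, unit in re.findall(r"(\d+)\s+(days?|hours?|minutes?)", text):
        total += int(num) * UNITS[unit]
        found = True
    return total if found else None


def parse_policy(output):
    """Pull the three lockout settings the post discusses out of the text."""
    def field(label):
        m = re.search(rf"{re.escape(label)}:\s*(.+)", output)
        return m.group(1).strip() if m else None

    raw = field("Account Lockout Threshold")
    threshold = int(raw) if raw and raw.isdigit() else 0   # 'None' -> 0, lockout disabled
    return {
        "threshold": threshold,
        "reset_minutes": parse_minutes(field("Reset Account Lockout Counter") or ""),
        "lockout_minutes": parse_minutes(field("Locked Account Duration") or ""),
    }


def assess(policy, buffer=2):
    """Return (findings, guess budget). The budget is the post's arithmetic:
    (threshold - buffer) guesses per batch, one batch per reset window.
    The 10-guess and 15-minute limits are illustrative review thresholds."""
    findings = []
    t, reset = policy["threshold"], policy["reset_minutes"]
    if t == 0:
        findings.append("lockout disabled: unlimited online guessing per account")
        return findings, None
    if t > 10:
        findings.append(f"lockout threshold {t} is generous")
    if reset is None:
        findings.append("observation window not set")
    elif reset < 15:
        findings.append(f"counter resets after only {reset} minutes")
    per_batch = max(t - buffer, 0)
    per_day = per_batch * (1440 // reset) if reset else None
    return findings, {"per_batch": per_batch, "per_day": per_day}


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    findings, budget = assess(policy)
    print(policy)
    print(findings or "no findings")
    print(budget)
```

With the constructed sample (threshold 5, 30-minute window) the two-guess buffer leaves 3 guesses per batch, or 144 per account per day; a policy whose threshold reads "None" short-circuits to the single finding that lockout is off.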
Now that you know your guess frequency, it's time to put a list of passwords together. For password guess generation, I have heard all kinds of strategies, but for me three techniques work the best. The first is variations on the word "password". After all these years, it is still a standard base word for default passwords and easy-to-remember passwords.
Make sure to switch up the year for the current year. Also use the previous year in your guesses.
The next base word is the season and year. For example:
Make sure to try the seasons spring, fall, autumn, and winter.
If neither of these pans out, it's time to break out the big guns. I will look at password dumps for the domain and peruse the passwords. In the dumps, I am looking for a base word that looks like it could be common for the company, or something that is being incremented by a user. I will then take the password or base word and add the year and an exclamation point at the end.
For instance, say I was targeting the Clemson Tigers and I found the base word GoTigers in the data leak, and I saw that this word was common across multiple user accounts. I could then surmise that it may be part of a default or just a common password at the organization. I would then create a list using those keywords.
The list may look like:
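Everything in this section describes one password shape: a base word (password, a season, or an organization keyword), an optional current or previous year, and a trailing special character. The same rules make a useful filter on the defending side, for screening new passwords or for reviewing a cracked-hash list after a test. The checker below is an example added here, not the author's list or code; the symbol-for-letter substitutions it undoes, the two-year window, and the sample candidates are assumptions constructed for this example.

```python
import re
from datetime import date

SEASONS = {"spring", "summer", "fall", "autumn", "winter"}
BASE_WORDS = {"password"}
# Common letter-for-symbol swaps to undo before comparing (an assumption of this
# example; extend as your own data suggests).
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "$": "s", "5": "s", "3": "e", "1": "i", "7": "t"})


def normalize(word):
    """Lowercase, undo the swaps above, and drop separators: 'P@ssw0rd_' -> 'password'."""
    return re.sub(r"[^a-z0-9]", "", word.lower().translate(LEET))


def matches_guessable_pattern(pw, org_keywords=(), current_year=None, years_back=2):
    """True if pw is <base word>[year][special characters], the shape the post guesses.

    org_keywords are the company-specific base words (for example 'GoTigers').
    Only the current year and `years_back` previous years count, in four- or
    two-digit form; older years do not match.
    """
    year = current_year or date.today().year
    years = {str(y) for y in range(year - years_back, year + 1)}
    years |= {y[2:] for y in years}
    bases = BASE_WORDS | SEASONS | {normalize(k) for k in org_keywords}

    stripped = re.sub(r"[^A-Za-z0-9]+$", "", pw)          # drop trailing "!" "#" etc.
    m = re.fullmatch(r"(.*?)(\d{4}|\d{2})?", stripped)     # split off a trailing year
    base, suffix = m.group(1), m.group(2) or ""
    if suffix and suffix not in years:
        return False
    return normalize(base) in bases


def audit_candidates(candidates, org_keywords=(), current_year=None):
    """Return the subset of candidates that match the guessable pattern."""
    return [c for c in candidates
            if matches_guessable_pattern(c, org_keywords, current_year)]


if __name__ == "__main__":
    # Constructed sample candidates, not from any real password dump.
    sample = ["Summer2024!", "P@ssw0rd2024", "Autumn_23#", "GoTigers2023!",
              "Winter2019!", "Tr0ub4dor&3", "correct horse battery staple"]
    for pw in audit_candidates(sample, org_keywords=("GoTigers",), current_year=2024):
        print("guessable:", pw)
```

Passing current_year makes the result reproducible; leave it out to use today's date. A real password filter would also check length, history, and a breached-password list, which this example deliberately leaves aside.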
Password guessing is a very easy way to gain a foothold and I encourage you to try it out. Make sure to switch up the special character if you are struggling to get a valid account.
Sensitive File Access
One of the other big issues with null sessions is access to folders. Actually, guest access to folders is more common than a straight-up null session. With this vulnerability, any user on the network can access the file share without valid credentials.
I like to think about this attack vector in two different ways: the ability to view and the ability to upload. With the ability to view files, you may be able to find sensitive information to help you get a foothold on a system. This could be credentials in a configuration file or a backup file.
SYSVOL Group Policy Preferences is a historical example of this issue; it resulted in the attacker getting administrator-level credentials. Check out Active Directory Security for more information on this flaw. But others most definitely exist.
Use tools such as smbclient to look through or download the content.
Smbclient Null Session Syntax
* Notice that when I listed the shares I used the "-L" flag, but when I wanted to browse, the flag was gone.
The ability to upload files is a different ballgame. Unfortunately, I have yet to find a tool that looks to see which directories I have write access to. However, I do have a script that does the trick.
First let's pause and answer the question, what can you do with write access?
If the target has a web server and you have access to a directory that is accessible through the web service, congrats, you can get a web shell.
Or, if you have access to a directory that is accessible by anyone a SCF Attack may be handy. Or maybe you can pair the ability with a command injection attack. The possibilities are limited only by your imagination.
Finally, the script. I got this when I was checking out walkthroughs for the HTB machine Sizzle. 0xdf posted this script as his solution and I have kept it in my notes since. It is a one-liner that attempts to upload a file to every folder recursively and tells you which uploads were successful.
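On the defending side, every step in this post leaves a trace in the Windows Security log: the anonymous IPC$ connection from the top of the post shows up as event 4624 with logon type 3 for ANONYMOUS LOGON, and each guest or anonymous listing, read, or upload on a share produces a 5145 share-object access check carrying the share name, the target file, and an access mask. The detection below is an example added here, not part of the post or of 0xdf's one-liner. The flattened key=value event lines are constructed to carry the same field names as the real events, and the write bits decoded from the access mask are the standard file access rights (WriteData 0x2, AppendData 0x4, DELETE 0x10000).

```python
from collections import defaultdict

# Constructed, simplified event records (not real log captures), flattened to
# "key=value; key=value" in the style of a SIEM export. Field names match the
# Windows Security events 4624 (logon) and 5145 (share object access check).
SAMPLE_EVENTS = [
    "EventID=4624; LogonType=3; AccountName=ANONYMOUS LOGON; SecurityID=S-1-5-7; IpAddress=10.0.0.25",
    "EventID=4624; LogonType=3; AccountName=jdoe; SecurityID=S-1-5-21-1-2-3-1105; IpAddress=10.0.0.30",
    "EventID=5145; AccountName=ANONYMOUS LOGON; ShareName=\\\\*\\IPC$; RelativeTargetName=srvsvc; AccessMask=0x3; IpAddress=10.0.0.25",
    "EventID=5145; AccountName=Guest; ShareName=\\\\*\\Public; RelativeTargetName=notes.txt; AccessMask=0x1; IpAddress=10.0.0.25",
    "EventID=5145; AccountName=Guest; ShareName=\\\\*\\wwwroot; RelativeTargetName=test.txt; AccessMask=0x2; IpAddress=10.0.0.25",
    "EventID=5145; AccountName=jdoe; ShareName=\\\\*\\Finance; RelativeTargetName=q1.xlsx; AccessMask=0x1; IpAddress=10.0.0.30",
]

# FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE: any of these on a file share means
# the caller could drop or change content, the "ability to upload" case.
WRITE_BITS = 0x2 | 0x4 | 0x10000
UNAUTH_ACCOUNTS = {"ANONYMOUS LOGON", "GUEST"}


def parse_event(line):
    """Split one 'k=v; k=v' line into a dict; values keep their literal text."""
    fields = {}
    for part in line.split("; "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(event):
    """Label one event, or return None when it is an authenticated user's activity."""
    if event.get("AccountName", "").upper() not in UNAUTH_ACCOUNTS:
        return None
    eid = event.get("EventID")
    if eid == "4624" and event.get("LogonType") == "3":
        return "null-session-logon"          # anonymous network logon
    if eid == "5145":
        share = event.get("ShareName", "")
        if share.upper().endswith("IPC$"):
            return "null-session-ipc"        # the anonymous IPC$ connection itself
        mask = int(event.get("AccessMask", "0x0"), 16)
        if mask & WRITE_BITS:
            return "unauthenticated-write"   # upload / modify on a share
        return "unauthenticated-read"        # listing or download on a share
    return None


def find_unauthenticated_share_use(lines):
    """Return {label: [(source_ip, share, target), ...]} for all flagged events."""
    findings = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        label = classify(ev)
        if label:
            findings[label].append(
                (ev.get("IpAddress"), ev.get("ShareName", "-"), ev.get("RelativeTargetName", "-")))
    return dict(findings)


if __name__ == "__main__":
    for label, hits in find_unauthenticated_share_use(SAMPLE_EVENTS).items():
        print(label)
        for ip, share, target in hits:
            print(f"  {ip:<12} {share:<14} {target}")
```

The IPC$ check runs before the access-mask check on purpose: named-pipe opens on IPC$ routinely carry a write bit, and what matters there is that an anonymous caller reached the share at all. An "unauthenticated-write" hit against a web root is the event-log view of the web shell scenario above.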
I hope this blog has given you some practical ideas to use Null Sessions to their maximum potential. This really is just a stepping stone to your growing knowledge. As you learn more, you will start figuring out how to pair attacks together in interesting ways.