desktop security software  
security desktop order software software library technical support

security desktop

Home

Desktop Security

Internet Security

PC Time Limit

Protect Files

Security FAQ

Windows Tips

Internet FAQ

 

limit, kids, pc, time, security, desktop, child, online, limits, password, control, user, restrict, access, protect, privacy, internet, children

 

 

 

Version for print

How is information enumerated through NULL session access, Remote Procedure Calls and IPC$?

A NULL session connection is an unauthenticated connection to an NT/W2000 machine. Gaining NULL session access to an NT\W2000 system is the number one method for hackers to enumerating information about an NT\W2000 machine. 
From a NULL session hackers can call APIs and use Remote Procedure calls to enumerate information. These techniques can, and will provide information on passwords, groups, services, users and even active processors. NULL session access can also even be used for escalating privileges and perform DoS attacks.

See the below table for TCP/UDP ports and their use within NT\W2000.

Keyword Decimal Description
---------------------------------------------------------------
loc-srv 135/tcp Location Service (RPC endpoint mapping)
loc-srv 135/udp Location Service (RPC endpoint mapping)
netbios-ns 137/tcp NETBIOS Name Service
netbios-ns 137/udp NETBIOS Name Service
netbios-dgm 138/tcp NETBIOS Datagram Service
netbios-dgm 138/udp NETBIOS Datagram Service
netbios-ssn 139/tcp NETBIOS Session Service
netbios-ssn 139/udp NETBIOS Session Service

For more information on port usage, see RFC1001, RFC1002

The above ports are often found open on a standard NT\W2000 installation. A null session can only be made to TCP port 139, but the above other ports are often required for code to be called effectively. Port 135 for example is used for RPC endpoint mapping.

From a hackers point of view when thinking about written code to enumerate this information; Exactly what can be called is hard to know, except for the things that are already known. There is little documentation available outside of Microsoft that describes the different calls available after a null session has been established. The only thing hackers can do is try whatever they can think of and see what happens, then try to understand why it works the way it does.

There could be things nobody outside Microsoft knows of yet. A lot of what is known though is wrote into tools to enumerate this information, tools such as penetration scanners, DumpACL, epdump, Getmac and even net view use these techniques. This is the only way currently coded into NT/Windows 2000 to gather such information remotely. These tools are unfortunately a doubled edged sword, a balance between usability and security. Windows 2000 uses this same method for information enumeration so the same problems/usability will persist.

What this does tell us though is that these NULL sessions, RPC etc should not be allowed on public networks or even private networks on some occasions if security is of concern. This type of access requires the use of session layer protocols Server Message Block (SMB) and NetBIOS that provide I higher layer functionality to that of simply TCP/UDP/IP. The TCP/IP connection to port 139 is made, then the session layer protocols SMB and NetBIOS are used to access the NT hidden share IPC$. From the NT command line this can be performed with the following: net use \\127.0.0.1\ipc$ "" /user:"" This technique was programmatically written into an old exploit called the Redbutton attack.

From this NULL session connection all the above mentioned tools can be used and standard Microsoft APIs called. For example the WIN32 functions, LookupAccountName and LookupAccountSid, which reveal the SID or RID to account name and account name to SID or RID. Examples of these functions being called can be seen in user2sid.exe and sid2user.exe developed by Evgenii Borisovich Rudnyi.

What is shown below is a programmatic connection to an NT\W2000 machines via NULL sessions that then enumerates the true administrator account. This is achieved by using APIs to scan for the SID with the value 500, which is always the Administrator account renamed or otherwise. The following code segment was supplied by JD Glaser from NT OBJECTives, Inc which is an excellent site for NT tools which demonstrate this same level of remote access (http://www.ntobjectives.com/).
 

Security FAQ

Windows Privacy Tools - http//www.privacywindows.com

 

l Security Officer l Internet Explorer Security l Protect Files l User Time Control l Security Desktop l Site Map

Copyrights 2006 Eugene Mihailov. All rights reserved