Null Session Attacks
Null Session Attack Tools
Enumeration using enum4linux
enum4linux
enum4linux -a <IP-Address>
enum4linux -n <IP-Address>
Notations
Enumeration and Exploitation Using smbclient
smbclient
Share enumeration can be performed using tools provided by the Samba suite. smbclient is an FTP-like client to access Windows shares; this tool can, among other things, enumerate the shares provided by a host.
Command Example
smbclient -L //10.130.40.80 -N
Checking for Null Sessions with Linux
We can also perform the very same checks by using smbclient:
smbclient //10.130.40.80/IPC$ -N
smbclient //10.130.40.80/C$ -N
smbclient \\\\192.168.99.162\\WorkSharing -N
Useful smbclient commands
smbclient -L WORKGROUP -I 192.168.99.162 -N -U ""
Exploiting Null Sessions with winfo
winfo
Winfo is another command line utility we can use to automate null session exploitation. To use it, you just need to specify the target IP address and use the -n command line switch to tell the tool to use null sessions.
winfo is available on Packet Storm.
Basic Command Syntax
winfo <ip-address> -n
Notation
Exploiting Null Sessions with enum
enum
** Please Note ** It will note administrative shares too.
enum is available on Packet Storm.
enum -S <ip-address>
enum -U <ip-address>
enum -P <ip-address>
Notations
Enumerate Using nmblookup
nmblookup
To perform the same operations as nbtstat, we can use nmblookup with the same command line switch:
Command Syntax
nmblookup -A <target-IP-Address>
Enumerate using NET VIEW
NET VIEW
Once an attacker knows that a machine has the File Server service running, they can enumerate the shares by using the NET VIEW command.
Command Syntax
NET VIEW <target-IP>
Checking Null Sessions with Windows
To connect, we have to type the following command in a Windows shell:
NET USE \\<target-IP-address>\IPC$ "" /u:""
This tells Windows to connect to the IPC$ share by using an empty password and an empty username!
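On the monitoring side, a null session like the one above appears in the Windows Security log as an anonymous network logon (event 4624, logon type 3) followed by share access (event 5140) under the same logon ID. The Python below is an added example, not part of the original page; it assumes "Audit File Share" is enabled and that events are already exported as dictionaries with the standard 4624/5140 field names, and all sample records are constructed.

```python
# Added example: correlate anonymous network logons with share access.
# Event IDs and field names follow Windows Security auditing (4624, 5140).
# SAMPLE_EVENTS is constructed data for illustration, not real log output.
from collections import defaultdict

SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3,
     "TargetLogonId": "0x3e1a7", "IpAddress": "10.130.40.15"},
    {"EventID": 5140, "SubjectUserName": "ANONYMOUS LOGON",
     "SubjectLogonId": "0x3e1a7", "IpAddress": "10.130.40.15",
     "ShareName": r"\\*\IPC$"},
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 3,
     "TargetLogonId": "0x41b02", "IpAddress": "10.130.40.22"},
    {"EventID": 5140, "SubjectUserName": "alice",
     "SubjectLogonId": "0x41b02", "IpAddress": "10.130.40.22",
     "ShareName": r"\\*\WorkSharing"},
    # Anonymous logon that never touches a share: common background noise.
    {"EventID": 4624, "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3,
     "TargetLogonId": "0x52c90", "IpAddress": "10.130.40.31"},
]


def find_null_sessions(events):
    """Return one finding per anonymous logon session that accessed a share."""
    anon = {}                    # logon ID -> source address
    shares = defaultdict(list)   # logon ID -> share names accessed
    # Collect first, correlate afterwards, so event order does not matter.
    for ev in events:
        if (ev["EventID"] == 4624 and ev.get("LogonType") == 3
                and ev.get("TargetUserName", "").upper() == "ANONYMOUS LOGON"):
            anon[ev["TargetLogonId"]] = ev.get("IpAddress", "-")
        elif ev["EventID"] == 5140:
            shares[ev["SubjectLogonId"]].append(ev["ShareName"])
    findings = []
    for logon_id, source in anon.items():
        accessed = shares.get(logon_id)
        if accessed:  # skip anonymous logons with no share access
            findings.append({"logon_id": logon_id, "source": source,
                             "shares": sorted(set(accessed))})
    return findings


if __name__ == "__main__":
    for finding in find_null_sessions(SAMPLE_EVENTS):
        print(finding)
```

Matching on the logon ID rather than the user name alone keeps the rule from firing on the many anonymous logons that never open a share.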