usch
hi there

I think I read something about null sessions, and it said that you can access several parts of the registry with this null session.
Which parts are accessible?
Or did I misunderstand something?

thanks for help
dr0zaxx
Not all can be retrieved. Those I know of are just plain settings such as the domain name, domain controller, password policy settings, what files are shared, etc. Nothing useful you can find.
Killaloop
QUOTE (usch @ Apr 8 2004, 08:30 AM)
hi there

I think I read something about null sessions, and it said that you can access several parts of the registry with this null session.
Which parts are accessible?
Or did I misunderstand something?

thanks for help

It all depends on your operating system and your settings.
Normally a null session leaks out this information:
list of user IDs, group list, account names, event logs (no security logs), domain name, computer name, operating system, subdomains, password policies, user settings, public shares (those which are set to be viewed by everyone).
There is more stuff; this is only what I can think of right now.

With a null session you cannot change a lot; you mostly view settings to gain more information about a certain server for social engineering needs. On NT 4.0 it was possible to change user information using Domain Manager; that isn't possible anymore.
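Added here by the editor, not code from the thread: a small detector for the defender's side of what Killaloop lists above. A null session is an anonymous network logon, so on a host with logon auditing enabled it appears in the Security log as a successful logon (EventID 4624 on Vista and later, 540 on Windows 2000/2003) with LogonType 3 and the account ANONYMOUS LOGON; the key=value export format and the sample records below are constructed for the example.

```python
"""Flag null-session (anonymous network logon) activity in Windows Security
event records. Editor's example, not code from the thread; the export format
is constructed, the event ids and field names are Windows' own."""
from collections import Counter

# Constructed sample export: one event per line, fields as key=value pairs.
SAMPLE_EVENTS = """\
EventID=4624|LogonType=3|TargetUserName=ANONYMOUS LOGON|TargetDomainName=NT AUTHORITY|IpAddress=10.0.0.5|AuthenticationPackageName=NTLM
EventID=4624|LogonType=3|TargetUserName=alice|TargetDomainName=CORP|IpAddress=10.0.0.7|AuthenticationPackageName=Kerberos
EventID=4624|LogonType=3|TargetUserName=ANONYMOUS LOGON|TargetDomainName=NT AUTHORITY|IpAddress=10.0.0.5|AuthenticationPackageName=NTLM
EventID=540|LogonType=3|TargetUserName=ANONYMOUS LOGON|TargetDomainName=NT AUTHORITY|IpAddress=10.0.0.9|AuthenticationPackageName=NTLM
EventID=4624|LogonType=2|TargetUserName=ANONYMOUS LOGON|TargetDomainName=NT AUTHORITY|IpAddress=-|AuthenticationPackageName=Negotiate
"""

LOGON_EVENT_IDS = {"4624", "540"}  # successful logon: Vista+ id and 2000/2003 id
NETWORK_LOGON = "3"                 # LogonType 3 = network logon (SMB, named pipes)

def parse_event(line):
    """Split one 'k=v|k=v' record into a dict; fields without '=' are skipped."""
    fields = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields

def is_null_session_logon(ev):
    """A successful anonymous *network* logon is exactly a null session."""
    return (ev.get("EventID") in LOGON_EVENT_IDS
            and ev.get("LogonType") == NETWORK_LOGON
            and ev.get("TargetUserName", "").upper() == "ANONYMOUS LOGON")

def null_sessions_by_source(export_text):
    """Count null-session logons per client IpAddress."""
    counts = Counter()
    for line in export_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            if is_null_session_logon(ev):
                counts[ev.get("IpAddress", "-")] += 1
    return counts

def flag_sources(counts, threshold=2):
    """Sources at or above threshold, busiest first. A lone anonymous logon can
    be benign (some services use them); a burst from one host is what to look at."""
    return [ip for ip, n in counts.most_common() if n >= threshold]
```

Running `flag_sources(null_sessions_by_source(SAMPLE_EVENTS))` on the sample returns only 10.0.0.5, the host that made repeated anonymous network logons; the interactive (LogonType 2) record is ignored because it is not a null session.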
kronk
The most dangerous part of a null session is that it allows you to dump the valid user accounts on the system. These accounts often have administrator privileges with very weak passwords, meaning they are either equivalent to the username or easily guessed.
ringo
To clarify this a bit:
Improperly configured NETBIOS (SMB) will allow users with the right tools to take control of the target. Klez, Sircam and Nimda all exploited this vulnerability.

Null Sessions (Anonymous Logon) is what is exploited to leak out sensitive information like users, groups, shares and password policies.

Remote Registry Access can allow the complete control of a target, if it is enabled.

A good writeup on these vulnerabilities and how to test and secure systems against these exposures can be found here: http://www.sans.org/top20/#w5

r
Killaloop
QUOTE (ringo @ Apr 8 2004, 02:29 PM)
To clarify this a bit:
Improperly configured NETBIOS (SMB) will allow users with the right tools to take control of the target. Klez, Sircam and Nimda all exploited this vulnerability.

Null Sessions (Anonymous Logon) is what is exploited to leak out sensitive information like users, groups, shares and password policies.

Remote Registry Access can allow the complete control of a target, if it is enabled.

A good writeup on these vulnerabilities and how to test and secure systems against these exposures can be found here: http://www.sans.org/top20/#w5

r

Not true.
Remote registry access for a null session only means you can read the registry (users etc. as said before).
AgentOrange
Well, from reading the registry you can then steal the LM password hash. You can crack it using a Rainbow Crack table in under 10 minutes. Then you *could* log in via NetBIOS as the super-user, upload your back door and run it remotely. Thus you would take complete control of the machine.

Peace out
ringo
QUOTE (Killaloop @ Apr 8 2004, 02:38 PM)
QUOTE (ringo @ Apr 8 2004, 02:29 PM)
To clarify this a bit:
Improperly configured NETBIOS (SMB) will allow users with the right tools to take control of the target. Klez, Sircam and Nimda all exploited this vulnerability.

Null Sessions (Anonymous Logon) is what is exploited to leak out sensitive information like users, groups, shares and password policies.

Remote Registry Access can allow the complete control of a target, if it is enabled.

A good writeup on these vulnerabilities and how to test and secure systems against these exposures can be found here: http://www.sans.org/top20/#w5

r

Not true.
Remote registry access for a null session only means you can read the registry (users etc. as said before).

OK, My phrasing was a bit odd...The point is, once you control the registry on a Windows box, you can pretty much do anything. Thanks AgentOrange for the example.

r
Killaloop
QUOTE (AgentOrange @ Apr 8 2004, 04:06 PM)
Well, from reading the registry you can then steal the LM password hash. You can crack it using a Rainbow Crack table in under 10 minutes. Then you *could* log in via NetBIOS as the super-user, upload your back door and run it remotely. Thus you would take complete control of the machine.

Peace out

Still wrong.
Using a null session you don't have the proper rights to get the hashes;
you already need administrator rights to do that.
ringo
If a box has this vulnerability, the owner hasn't patched for several years, so the likelihood is that there are better ways to get in. But for the sake of argument, I'd bet dollars to donuts that one or more local admin accounts have null passwords or easily guessed ones. Use the null session vuln to get a list of accounts, or use CIS or LanGuard to pull back names plus a basic password attack to get the correct PW out. If all other ports of entry are closed (HIGHLY unlikely), you can use that account combination to modify the registry remotely. Lotsa ifs and conditions, but when have you seen a straightforward exploit?
Killaloop
Yes ringo, you are right, but the point is usch asked what you can view using a null session (no password, no username) and I didn't want him to get confused now.
ringo
Point taken and understood.
binary_hashes
Null session is exploitable if some famous coders (virus coders) reveal their code publicly. Because the knowledge never ends.