Null session attacks: Who's still vulnerable?

Null session vulnerabilities have fallen off the radar for many Windows shops, but at what price? Kevin Beaver explains which Windows machines are still at risk.

In part one of this two-part series below, Windows Security Threats site expert Kevin Beaver explains where and

why null session vulnerabilities continue to run rampant. Part two will discuss solutions to prevent null session attacks.


Ever wonder what could be considered the biggest security vulnerability in Windows history? It's arguably the null session. There are hundreds of others, but this is truly an oldie but goodie. Null session attacks were all we heard about during Windows NT 4.0's heyday. But where does this vulnerability stand now? It's still running rampant throughout many Windows-based networks.

The problem
To bring you up to speed, null sessions are a type of Windows Server Message Block (SMB) communication that provides the foundation of network file and print sharing services. The null session vulnerability allows an attacker from across a network -- or the Internet -- to connect to an unsecured Windows system's IPC$ (interprocess communication) share.

A null session can be created by using the Windows net program to map a connection using a blank username and password. On Windows systems that are vulnerable, you simply have to enter:
net use \\ip_address\ipc$ "" "/user:" at a Windows command prompt.

Once a null session has been manually established (some tools can do this for you automatically), an attacker can use programs such as Winfo, Walksam, certain Windows Resource Kit tools and even the net program that's built into Windows to glean tons of information off a Windows system -- all without having to log in. Information that can be obtained includes user IDs, share names, security policy settings, users currently logged in and more. The Windows registry can even be tapped remotely with the right tools.

Good news, bad news
The good news is that, by default, Windows XP and Windows Server 2003 (excluding domain controllers) are not vulnerable to null session attacks. The bad news is that all (dare I say millions) of the Windows 2000 and NT systems still running are vulnerable to null session attacks unless they've been properly configured to keep this from happening. This leaves the door to a very large number of networks wide open -- just what the hackers want. Interestingly XP and Server 2003 can be tweaked by someone who knows just enough to do damage, making them vulnerable as well.

To this day, the null session issue poses a serious security threat. Patches won't fix the problem and most Windows hardening techniques don't even come close to keeping it from being exploited. Every network I've ever performed a security assessment on has contained both workstations and servers that are vulnerable to this attack. Fortunately, for Microsoft's shareholders and the information security cause, more and more systems are being upgraded to Windows XP and Server 2003 every month.

Click for part two to get help preventing null session attacks.


About the author
Kevin Beaver is founder and principal consultant of Atlanta-based Principle Logic LLC, as well as a resident expert on SearchWindowsSecurity.com. He specializes in information security assessments and incident response and is the author of the new book "Hacking for dummies" by John Wiley and Sons. Kevin can be reached at kbeaver@principlelogic.com or ask him a question on Windows security threats today.

For More Information

Get eight ways to protect Windows from perimeter threats

Ask expert Kevin Beaver your Windows security threats questions

Share your best practices for handling Windows vulnerabilities



This was first published in September 2004

Dig deeper on Network intrusion detection and prevention and malware removal

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchVirtualDesktop

SearchWindowsServer

SearchExchange

Close