In part one of this two-part series below, Windows Security Threats site expert Kevin Beaver explains where and why null session vulnerabilities continue to run rampant. Part two will discuss solutions to prevent null session attacks.
Ever wonder what could be considered the biggest security vulnerability in Windows history? It's arguably the null session. There are hundreds of others, but this is truly an oldie but goodie. Null session attacks were all we heard about during Windows NT 4.0's heyday. But where does this vulnerability stand now? It's still running rampant throughout many Windows-based networks.
To bring you up to speed, null sessions are a type of Windows Server Message Block (SMB) communication that provides the foundation of network file and print sharing services. The null session vulnerability allows an attacker from across a network -- or the Internet -- to connect to an unsecured Windows system's IPC$ (interprocess communication) share.
A null session can be created by using the Windows net program to map a connection using a blank username and password. On Windows systems that are vulnerable, you simply have to enter:
net use \\ip_address\ipc$ "" "/user:" at a Windows command prompt.
Once a null session has been manually established (some tools can do this for you automatically), an attacker can use programs such as Winfo, Walksam, certain Windows Resource Kit tools and even the net program that's built into Windows to glean tons of information off a Windows system -- all without having to log in. Information that can be obtained includes user IDs, share names, security policy settings, users currently logged in and more. The Windows registry can even be tapped remotely with the right tools.
Good news, bad news
The good news is that, by default, Windows XP and Windows Server 2003 (excluding domain controllers) are not vulnerable to null session attacks. The bad news is that all (dare I say millions) of the Windows 2000 and NT systems still running are vulnerable to null session attacks unless they've been properly configured to keep this from happening. This leaves the door to a very large number of networks wide open -- just what the hackers want. Interestingly XP and Server 2003 can be tweaked by someone who knows just enough to do damage, making them vulnerable as well.
To this day, the null session issue poses a serious security threat. Patches won't fix the problem and most Windows hardening techniques don't even come close to keeping it from being exploited. Every network I've ever performed a security assessment on has contained both workstations and servers that are vulnerable to this attack. Fortunately, for Microsoft's shareholders and the information security cause, more and more systems are being upgraded to Windows XP and Server 2003 every month.
Click for part two to get help preventing null session attacks.
About the author
Kevin Beaver is founder and principal consultant of Atlanta-based Principle Logic LLC, as well as a resident expert on SearchWindowsSecurity.com. He specializes in information security assessments and incident response and is the author of the new book "Hacking for dummies" by John Wiley and Sons. Kevin can be reached at firstname.lastname@example.org or ask him a question on Windows security threats today.
For More Information
Get eight ways to protect Windows from perimeter threats
Ask expert Kevin Beaver your Windows security threats questions
Share your best practices for handling Windows vulnerabilities
This was first published in September 2004