JamesKehr and DS128 - I'm trying to understand null session enumeration in the context of the different behavior between Domain Controllers and member servers. Specifically, I don't seem to be able to find a way to block enumeration of users and groups on DCs, and I'm wondering if it's possible to do that. The pcaps I've examined show that the username being used for authentication was empty, or null, and yet the authentication comes back as a success, and I'm not doing it from a system that would have valid machine credentials within the domain. Can you help me understand what I'm missing?
Specifically, when I use a Linux command (from a Kali Linux instance, running in Virtual Box on a non-domain-joined machine), I can run something like:
rpcclient -W '' -c querydispinfo -U''%'' '10.x.y.z'
And get back a list of users from the domain controller. When I look at the Wireshark capture, it appears to be passing the garbage hostname that I created randomly on the Linux VM, with a null username and domain name, yet it comes back as authenticated, as shown below in this response:
(snipped from frame 20 of the pcap)
SMB2 (Server Message Block Protocol version 2)
SMB2 Header
ProtocolId: 0xfe534d42
Header Length: 64
Credit Charge: 1
NT Status: STATUS_SUCCESS (0x00000000)
Command: Session Setup (1)
Credits granted: 33
Flags: 0x00000001, Response
Chain Offset: 0x00000000
Message ID: 3
Process Id: 0x00000000
Tree Id: 0x00000000
Session Id: 0x0001a40b4400048d Acct: Domain: Host:FTZKXYAA
[Account: ]
[Domain: ]
[Host: FTZKXYAA]
[Authenticated in Frame: 20]
Signature: 00000000000000000000000000000000
[Response to: 19]
[Time from request: 0.008970000 seconds]
Session Setup Response (0x01)
[Preauth Hash: 4170b1bd5b3386a9a6261365ce07f7c8abbc44390152d7ae1cdb442b108729360d0c8536…]
StructureSize: 0x0009
0000 0000 0000 100. = Fixed Part Length: 4
.... .... .... ...1 = Dynamic Part: True
Session Flags: 0x0000
.... .... .... ...0 = Guest: False
.... .... .... ..0. = Null: False
.... .... .... .0.. = Encrypt: False
Blob Offset: 0x00000048
Blob Length: 9
Security Blob: a1073005a0030a0100
GSS-API Generic Security Service Application Program Interface
Simple Protected Negotiation
negTokenTarg
negResult: accept-completed (0)
So, is this a "null session" or an "authenticated session"? I think it's authenticated ... but without valid domain credentials I don't understand how that can be. Can you point out something I'm missing to help it make sense?
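To check the same fields from the dissected frame above programmatically (NT status, the SessionFlags bits Wireshark labels Guest/Null/Encrypt, and the SPNEGO negResult in the security blob), here is an added example in Python; it is not part of the original post and not code from rpcclient, Samba or Wireshark. The message bytes are constructed by hand from the values shown in frame 20 (header fields, session id, and the 9-byte blob a1073005a0030a0100), not read from the pcap; the flag constant names follow MS-SMB2. The second sample in the main block, with SMB2_SESSION_FLAG_IS_NULL set, is an assumed variant added only to show how the decoder reports a flag that the captured response does not carry.

```python
import struct

# Flag bits of the SessionFlags field in an SMB2 SESSION_SETUP response
# (names as in MS-SMB2; Wireshark shows them as Guest / Null / Encrypt).
SESSION_FLAGS = {
    0x0001: "SMB2_SESSION_FLAG_IS_GUEST",
    0x0002: "SMB2_SESSION_FLAG_IS_NULL",
    0x0004: "SMB2_SESSION_FLAG_ENCRYPT_DATA",
}
# SPNEGO negTokenTarg negResult values (RFC 4178).
NEG_RESULT = {0: "accept-completed", 1: "accept-incomplete",
              2: "reject", 3: "request-mic"}
# 64-byte synchronous SMB2 header, little-endian.
SMB2_HEADER = "<4sHHIHHIIQIIQ16s"

def build_sample_response(session_flags=0x0000, status=0x00000000):
    """Constructed sample (not the real pcap): an SMB2 header plus a
    SESSION_SETUP response body carrying the 9-byte SPNEGO blob from the post."""
    blob = bytes.fromhex("a1073005a0030a0100")   # negTokenTarg, negResult = 0
    header = struct.pack(
        SMB2_HEADER, b"\xfeSMB", 64, 1, status, 1, 33, 0x00000001, 0,
        3, 0, 0, 0x0001a40b4400048d, bytes(16))
    # StructureSize 9, SessionFlags, SecurityBufferOffset 0x48, SecurityBufferLength 9
    body = struct.pack("<HHHH", 9, session_flags, 64 + 8, len(blob)) + blob
    return header + body

def _der_tlv(buf, pos):
    """Minimal DER tag/length walker; returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_neg_token_targ(blob):
    """Decode the SPNEGO negTokenTarg fields that matter for session setup."""
    tag, inner, _ = _der_tlv(blob, 0)
    if tag != 0xA1:
        raise ValueError("not a negTokenTarg ([1] CONTEXT)")
    tag, seq, _ = _der_tlv(inner, 0)
    if tag != 0x30:
        raise ValueError("negTokenTarg is not a SEQUENCE")
    out, pos = {}, 0
    while pos < len(seq):
        tag, val, pos = _der_tlv(seq, pos)
        if tag == 0xA0:                     # [0] negResult ENUMERATED
            out["negResult"] = int.from_bytes(_der_tlv(val, 0)[1], "big")
        elif tag == 0xA1:                   # [1] supportedMech OID
            out["supportedMech"] = _der_tlv(val, 0)[1].hex()
        elif tag == 0xA2:                   # [2] responseToken OCTET STRING
            out["responseToken"] = _der_tlv(val, 0)[1]
        elif tag == 0xA3:                   # [3] mechListMIC
            out["mechListMIC"] = _der_tlv(val, 0)[1]
    return out

def parse_session_setup_response(data):
    """Parse an SMB2 SESSION_SETUP response and return the fields you would
    check when classifying a session in a capture."""
    if len(data) < 64 or data[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    (_, hdr_len, _, status, command, _, flags, _, msg_id,
     _, _, session_id, _) = struct.unpack(SMB2_HEADER, data[:64])
    if hdr_len != 64 or command != 1 or not (flags & 0x00000001):
        raise ValueError("not a SESSION_SETUP response")
    struct_size, session_flags, blob_off, blob_len = struct.unpack("<HHHH", data[64:72])
    if struct_size != 9:
        raise ValueError("unexpected SESSION_SETUP response StructureSize")
    blob = data[blob_off:blob_off + blob_len]
    spnego = parse_neg_token_targ(blob) if blob else {}
    return {
        "status": status,
        "message_id": msg_id,
        "session_id": session_id,
        "session_flags": session_flags,
        "flag_names": [n for bit, n in SESSION_FLAGS.items() if session_flags & bit],
        "blob": blob,
        "neg_result": spnego.get("negResult"),
        "neg_result_name": NEG_RESULT.get(spnego.get("negResult"), "unknown"),
    }

if __name__ == "__main__":
    # First sample mirrors the captured frame; second is an assumed variant with IS_NULL set.
    for flags in (0x0000, 0x0002):
        r = parse_session_setup_response(build_sample_response(flags))
        print(f"status=0x{r['status']:08x} session=0x{r['session_id']:016x} "
              f"flags={r['flag_names'] or ['(none)']} spnego={r['neg_result_name']}")
```

The parser deliberately stops at the fields visible in the dump: it does not attempt NTLM or Kerberos token decoding, and it reports only what the server put in SessionFlags and negResult, which is what you would compare between the DC and a member server capture.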