Hi everyone, James Kehr here with a guest post. One of the SMB cases we get regularly at Microsoft Support is, “my pen test says you allow Null sessions!” Followed by a string of CVE numbers; like, C...
I think this post needs an update since it's the top search result for "SMB Null Sessions" and contains some slightly misleading information regarding domain controllers. The premise is still true: it's probably a false positive when running the tests against domain controllers. But it's not due to default credentials.
I think you've clarified it succinctly in the comments. Domain controllers will allow null sessions against the following three named pipes and should be allowed to do so: LSARPC, NETLOGON, and SAMR.
But the issue is that the NET USE test against IPC$ will show a successful connection for domain controllers, which is contradictory to the article contents.
In the screenshots above, when the command returns "System error 53 has occurred. The network path was not found," this is caused by SMB not connecting on tcp/445.
Whether that was due to a firewall or other network issue when those tests were run isn't clear. But if named pipes are secured, the error will be "System error 5 has occurred. Access is denied." And again, for domain controllers there will be no error at all, which is fine.
For anyone else that comes across this looking for a solution that might not exist, the following additional links may be helpful:
Interestingly enough, it looks like servers with the RDS Licensing role may also have the following anonymous named pipes: HydraLSPipe and TermServLicensing.
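As an added example (my own, not code from the post or the commenter), here is a PowerShell check an administrator can run locally on a server before disputing a scanner finding: it reads the LanmanServer `NullSessionPipes` value (the registry side of the "Named Pipes that can be accessed anonymously" policy), works out the expected anonymous pipes from the server's role, and flags anything outside that set. The DC pipe list and the RDS Licensing pipe names come from the thread above; the use of `Win32_ComputerSystem.DomainRole` and the `TermServLicensing` service to detect the role are my assumptions about how to identify them.

```powershell
# Added example for this thread, not the original post's code. Run locally
# (elevated) on the server under test to see which pipes it allows
# anonymously, so a scanner result can be judged against the expected set.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ExpectedDcPipes  = @('LSARPC', 'NETLOGON', 'SAMR')        # DC defaults named above
$ExpectedRdsPipes = @('HydraLSPipe', 'TermServLicensing')  # RDS Licensing role

function Get-ExpectedNullSessionPipes {
    $expected = @()
    # DomainRole 4/5 = backup/primary domain controller (Win32_ComputerSystem)
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    if ($role -ge 4) { $expected += $ExpectedDcPipes }
    # TermServLicensing is the RD Licensing service; present only with that role
    if (Get-Service -Name TermServLicensing -ErrorAction SilentlyContinue) {
        $expected += $ExpectedRdsPipes
    }
    return $expected
}

function Test-NullSessionPipes {
    $params = Get-ItemProperty -Path $LanmanParams -ErrorAction Stop
    # REG_MULTI_SZ NullSessionPipes backs the "Named Pipes that can be accessed anonymously" policy
    $configured = @($params.NullSessionPipes | Where-Object { $_ })
    $restrict   = $params.RestrictNullSessAccess   # $null means default (restricted)
    $expected   = @(Get-ExpectedNullSessionPipes)

    if ($restrict -eq 0) {
        Write-Warning 'RestrictNullSessAccess=0: null sessions are not restricted on this server'
    }
    foreach ($pipe in $configured) {
        if ($expected -contains $pipe) {
            Write-Output "OK      $pipe (expected for this server's role)"
        } else {
            Write-Output "REVIEW  $pipe (not in the expected set; confirm who needs it)"
        }
    }
    if ($configured.Count -eq 0) {
        Write-Output 'No anonymous named pipes configured; a null IPC$ test should return "System error 5"'
    }
}

Test-NullSessionPipes
```

A "System error 53" from the NET USE test, as the comment above notes, means tcp/445 never connected, so this script's output is only meaningful once the SMB path itself is reachable.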