Null session functionality within the SMB protocol enables anonymous access to hidden administrative shares on a system. Once a user is connected to the a share through a null session they can enumerate information about the system and environment.
Information that can be gained includes (but not limited to):
- Users and groups
- Operating system information
- Password policies
- Privileges
- Available shares
Easy to use tools are freely available that can automate the enumeration and gathering of this data, providing an attacker with a wealth of information that may aid in an internal attack. For example, the enumeration of identified user accounts in combination with details of the password policy in use, provides an attacker with the ability to conduct specific targeted password guessing attacks. Increasing the overall likelihood of success and resulting in account compromise.
Exposure to null sessions can be tested by issuing the following from a command line:
net use \\remote_IP_address\ipc$ ”” /u:””
In this example the ipc$ share is a common default share, often is use. Other options include admin$ and C$.
Taking action to disable null sessions can be an important step in hardening the overall security posture of an organisation. It should be noted that current operating systems limit access by default, with older operating systems providing configuration options to apply additional security controls.
In order to restrict or disable null sessions the following steps can be taken:
Local Based:
Edit the following registry key and then set the ‘Value‘ accordingly:
Key Name: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
Value Name: RestrictAnonymous
Type: DWORD
Value: x
Setting the value to 2 disables anonymous access and therefore requires an authenticated account to communicate with the service.
Setting the value to 1 allows anonymous access but will deny enumeration of user accounts and admin shares.
Once the value has been changed, verify the changes a have taken affect by rebooting the devices and attempting to initiate a null session.
GPO Based:
This can also be achieved through group policy by setting the following:
- Network Access: allow anonymous SID/Name translation: disabled
- Network Access: Do not allow anonymous enumeration of SAM accounts: enable
- Network Access: Do not allow anonymous enumeration of SAM accounts and shares: enable
- Network Access: let everyone permissions apply to anonymous users: disabled
- Network Access: restrict remote access to named pipes and shares: enable
Note: Disabling anonymous access could have a negative impact on functionality that relies on it. 7 Elements recommends that consideration be given to the potential impact, and testing should be carried in a non-production environment before making changes to production systems.