
RestrictAnonymous: Enumeration and the Null user

Timothy M. Mullen, AnchorIS.Com, Inc.



What is a ‘null’ user anyway?

The Null user, or Anonymous user, is a special Built-in user account with no username or password. It is a valid user on any NT 4.0/ Win2k box.

Used to perform special tasks such as initial secure channel setup, domain membership verification, user enumeration in one-way trusts, etc.

Also used in MS/3rd party applications such as SMS for discovery, etc.

Member of the ‘Everyone’ group; cannot be deleted!



Who Cares?

Old news, or lingering concern? What can you do with a null user anyway?

net use \\Servername\ipc$ "" /user:""

DumpACL

User2Sid / Sid2User

User accounts, groups, policies, services, and other information are all enumerate-able via the “Null” user.

Plenty of information for an attacker to use to case your domain, and to gather intelligence for social attacks.



What do we do?

NT 4.0 SP3 introduced support for a new registry value:

HKEY_Local_Machine\System\CurrentControlSet\Control\LSA\RestrictAnonymous = 1 (DWORD)

Meant to stop null session enumeration. We're safe! Break out the Champagne! If it was good enough for C2, it is good enough for us, right?

Not so fast! We still have some issues here… (But you can still drink the Champagne if you want to.)



Big Deal. What else you got?

First, let's look at why DumpACL now fails: NetAPI32.lib

The Net* enumeration functions now have ACLs on them:

NetServerGetInfo

NetUserEnum

NetGroupGetUsers

NetShareEnum

NetUserModalsGet

Now, let's look at why User2Sid/Sid2User still works:

LookupAccountName

LookupAccountSID

These guys have no ACLs on them!



Other holes in the ACLs…

There are other functions that also have poor ACLs on them, even after RA is set to 1:

NetServerTransportEnum

And my FAVORITE,

NetUserGetInfo.

NetUserGetInfo has different "levels" that can be called… Let's check 'em out:

Level 0 → Username

Level 1 → Username, age, homedir, etc.

Level 2 → A bunch of stuff…

Level 3 → PAYDIRT!



Show me the code!

UserInfo: get the low-down on the user account. This is the good stuff.

∙ Password age

∙ Full name and comments

∙ UserID (RID)

∙ Last logon/logoff

∙ Role privileges

∙ Operator privileges

∙ User flags: all extended user attributes…

Account Locked Out, Account Disabled

Password Never Expires, User can't change password, etc.

Even works on Win2K: the call is upwardly compatible to get Win2k extended attributes:

Smartcard Required, Trusted for delegation, etc.



But wait! There’s more!

UserDump – Combines LookupAccountName, LookupAccountSid, and NetUserGetInfo to dump all available user information for the entire domain! All with a Null user, and all with RA set to 1!!

∙ Get all the users with operator privileges

∙ Get all the administrators

∙ Get all the users that never change their passwords

∙ Get computer names

∙ Get all full user names and notes



Yikes! What do we do now?

Win2k supports a new value of “2” for RA (“No access without explicit anonymous permissions” ). This guy removes the Null user from the ‘Everyone’ Group, and stops the Null user cold… But not without a cost:

Kills NT 4.0 Connectivity.

Bye-bye to down-level servers in trusted domains.

Kills browser service lists.

Block UDP 137 & 138, TCP 139, and TCP 445.

The REAL solution is to fix RA=1. Keep your fingers crossed: MS DEV may actually go back and fix this in NT 4/ Win2k. The word is that this is handled in Whistler.
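Because RA=2 cuts off every null session, including the NT 4.0 and down-level dependencies listed above, a defender first wants to know which hosts actually establish null sessions against IPC$ today. This added example (not from the presentation) does that inventory over constructed log lines in a hypothetical collector format; the ANONYMOUS LOGON / NT AUTHORITY account names and the KNOWN_DOWNLEVEL allow-list are assumptions for the illustration.

```python
import re
from collections import Counter

# Constructed sample log lines (hypothetical collector format, not from the
# slides): one network logon per line, as exported from NT/Win2k security logs.
SAMPLE_LOG = """\
2001-03-02 10:15:01 server=DC1 user="ANONYMOUS LOGON" domain="NT AUTHORITY" src=10.0.0.5 resource=IPC$
2001-03-02 10:15:07 server=DC1 user="jsmith" domain="CORP" src=10.0.0.21 resource=IPC$
2001-03-02 10:16:30 server=FILE2 user="ANONYMOUS LOGON" domain="NT AUTHORITY" src=10.0.0.5 resource=IPC$
2001-03-02 10:17:02 server=DC1 user="ANONYMOUS LOGON" domain="NT AUTHORITY" src=192.168.9.77 resource=IPC$
2001-03-02 10:17:03 server=DC1 user="ANONYMOUS LOGON" domain="NT AUTHORITY" src=192.168.9.77 resource=IPC$
2001-03-02 10:18:45 server=DC1 user="bwong" domain="CORP" src=10.0.0.33 resource=public
"""

# Sources that still legitimately need null sessions (down-level NT 4.0
# servers in trusted domains, SMS discovery, ...). Constructed for the example.
KNOWN_DOWNLEVEL = {"10.0.0.5": "NT 4.0 BDC in trusted domain"}

LINE_RE = re.compile(
    r'server=(?P<server>\S+) user="(?P<user>[^"]*)" domain="(?P<domain>[^"]*)" '
    r'src=(?P<src>\S+) resource=(?P<resource>\S+)'
)

def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def is_null_session(rec):
    """A null session shows up as ANONYMOUS LOGON / NT AUTHORITY against IPC$."""
    return (rec["user"].upper() == "ANONYMOUS LOGON"
            and rec["domain"].upper() == "NT AUTHORITY"
            and rec["resource"].upper() == "IPC$")

def null_session_report(log_text):
    """Count null sessions per (src, server), split into expected vs. unexpected."""
    # Anything 'unexpected' is either enumeration or a dependency nobody knew
    # about; both need an answer before RestrictAnonymous=2 cuts null sessions off.
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_null_session(rec):
            counts[(rec["src"], rec["server"])] += 1
    report = {"expected": {}, "unexpected": {}}
    for key, n in counts.items():
        bucket = "expected" if key[0] in KNOWN_DOWNLEVEL else "unexpected"
        report[bucket][key] = n
    return report
```

Feed it your real logon records and extend KNOWN_DOWNLEVEL with each source you can justify; whatever remains under "unexpected" is the list to resolve before flipping RA to 2.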



Thanks!

AnchorIS.Com: www.anchoris.com

HammerofGod: www.hammerofgod.com

Timothy M. Mullen

