RestrictAnonymous: Enumeration and the Null user. Timothy M. Mullen AnchorIS.Com, Inc. email@example.com. What is a ‘null’ user anyway?. The Null user, or Anonymous user, is a special Built-in user account with no username or password. It is a valid user on any NT 4.0/ Win2k box.
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
RestrictAnonymous: Enumeration and the Null user
Timothy M. MullenAnchorIS.Com, Inc.
What is a ‘null’ user anyway?
The Null user, or Anonymous user, is a special Built-in user account with no username or password. It is a valid user on any NT 4.0/ Win2k box.
Used to perform special tasks such as initial secure channel setup, domain membership verification, user enumeration in one-way trusts, etc.
Also used in MS/3rd party applications such as SMS for discovery, etc.
Member of the ‘Everyone’ group; cannot be deleted!
Old news, or lingering concern? What can you do with a null user anyway?
Net use \\Servername\ipc$ “” /user:””
User2Sid / Sid2User
User accounts, groups, policies, services, and other information are all enumerate-able via the “Null” user.
Plenty of information for an attacker to use to case your domain, and to gather intelligence for social attacks.
What do we do?
NT 4.0, SP3, introduced support for a new registry value:
HKEY_Local_Machine\System\CurrentControlSet\Control\LSARestrictAnonymous = 1 (DWORD)
Meant to stop null session enumeration- We’re safe! Break out the Champagne! If it was good enough for C2, it is good enough for us, right?
Not so fast! We still have some issues here… (But you can still drink the Champagne if you want to.)
Big Deal. What else you got?
First, lets look at why DumpACL now fails: NetAPI32.lib
Net* enumeration functions now have ACL’s on them.
Now, lets look at why User2Sid/Sid2User still works:
These guys have no ACL’s on them!
Other holes in the ACL’s…
There are other functions that also have poor ACL’s on them, even after RA is set to 1:
And my FAVORITE,
NetUserGetInfo, has different “levels” that can be called… Let’s check ‘em out:
Level 0 Username
Level 1 Username, age, homedir, etc.
Level 2 A bunch of stuff…
Level 3 PAYDIRT!
Show me the code!
UserInfo- get the low-down on the user account. This is the good stuff.
∙ Password age∙ Full name and comments
∙ UserID (RID)∙ Last logon/logoff
∙ Role Privileges∙ Operator Privileges
∙ User Flags : All Extended user attributes…
Account Locked OutAccount Disabled
Password Never ExpiresUser can’t change password, etc.
Even works on Win2K- call is upwardly compatable to get Win2k extended attributes:
Smartcard RequiredTrusted for delegation, etc.
But wait! There’s more!
UserDump – Combines LookupAccountName, LookupAccountSid, and NetGetUserInfo to dump all available user information for the entire domain! All with a Null user, and all with RA set to 1!!
∙ Get all the users with operator privileges
∙ Get all the administrators
∙ Get all the users that never change their passwords
∙ Get computer names
∙ Get all full user names and notes
Yikes! What do we do now?
Win2k supports a new value of “2” for RA (“No access without explicit anonymous permissions” ). This guy removes the Null user from the ‘Everyone’ Group, and stops the Null user cold… But not without a cost:
Kills NT 4.0 Connectivity.
Bye-bye to down-level servers in trusted domains.
Kills browser service lists.
Block UDP 137 & 138, TCP 139, and TCP 445.
The REAL solution is to fix RA=1. Keep your fingers crossed- MS DEV may actually go back and fix this in NT 4/ Win2k. The word is that this is handled in Whistler.
Timothy M. Mullentmullen@anchoris.com