restrictanonymous enumeration and the null user
Skip this Video
Download Presentation
RestrictAnonymous: Enumeration and the Null user

Loading in 2 Seconds...

play fullscreen
1 / 10

RestrictAnonymous: Enumeration and the Null user - PowerPoint PPT Presentation

  • Uploaded on

RestrictAnonymous: Enumeration and the Null user. Timothy M. Mullen AnchorIS.Com, Inc. [email protected] What is a ‘null’ user anyway?. The Null user, or Anonymous user, is a special Built-in user account with no username or password. It is a valid user on any NT 4.0/ Win2k box.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'RestrictAnonymous: Enumeration and the Null user' - gordy

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
what is a null user anyway

What is a ‘null’ user anyway?

The Null user, or Anonymous user, is a special Built-in user account with no username or password. It is a valid user on any NT 4.0/ Win2k box.

Used to perform special tasks such as initial secure channel setup, domain membership verification, user enumeration in one-way trusts, etc.

Also used in MS/3rd party applications such as SMS for discovery, etc.

Member of the ‘Everyone’ group; cannot be deleted!

who cares

Who Cares?

Old news, or lingering concern? What can you do with a null user anyway?

Net use \\Servername\ipc$ “” /user:””


User2Sid / Sid2User

User accounts, groups, policies, services, and other information are all enumerate-able via the “Null” user.

Plenty of information for an attacker to use to case your domain, and to gather intelligence for social attacks.

what do we do

What do we do?

NT 4.0, SP3, introduced support for a new registry value:

HKEY_Local_Machine\System\CurrentControlSet\Control\LSA RestrictAnonymous = 1 (DWORD)

Meant to stop null session enumeration- We’re safe! Break out the Champagne! If it was good enough for C2, it is good enough for us, right?

Not so fast! We still have some issues here… (But you can still drink the Champagne if you want to.)

big deal what else you got

Big Deal. What else you got?

First, lets look at why DumpACL now fails: NetAPI32.lib

Net* enumeration functions now have ACL’s on them.






Now, lets look at why User2Sid/Sid2User still works:



These guys have no ACL’s on them!

other holes in the acl s

Other holes in the ACL’s…

There are other functions that also have poor ACL’s on them, even after RA is set to 1:




NetUserGetInfo, has different “levels” that can be called… Let’s check ‘em out:

Level 0  Username

Level 1  Username, age, homedir, etc.

Level 2  A bunch of stuff…

Level 3  PAYDIRT!

show me the code

Show me the code!

UserInfo- get the low-down on the user account. This is the good stuff.

∙ Password age ∙ Full name and comments

∙ UserID (RID) ∙ Last logon/logoff

∙ Role Privileges ∙ Operator Privileges

∙ User Flags : All Extended user attributes…

Account Locked Out Account Disabled

Password Never Expires User can’t change password, etc.

Even works on Win2K- call is upwardly compatable to get Win2k extended attributes:

Smartcard Required Trusted for delegation, etc.

but wait there s more

But wait! There’s more!

UserDump – Combines LookupAccountName, LookupAccountSid, and NetGetUserInfo to dump all available user information for the entire domain! All with a Null user, and all with RA set to 1!!

∙ Get all the users with operator privileges

∙ Get all the administrators

∙ Get all the users that never change their passwords

∙ Get computer names

∙ Get all full user names and notes

yikes what do we do now

Yikes! What do we do now?

Win2k supports a new value of “2” for RA (“No access without explicit anonymous permissions” ). This guy removes the Null user from the ‘Everyone’ Group, and stops the Null user cold… But not without a cost:

Kills NT 4.0 Connectivity.

Bye-bye to down-level servers in trusted domains.

Kills browser service lists.

Block UDP 137 & 138, TCP 139, and TCP 445.

The REAL solution is to fix RA=1. Keep your fingers crossed- MS DEV may actually go back and fix this in NT 4/ Win2k. The word is that this is handled in Whistler.





Timothy M. Mullen [email protected]

[email protected]