Solved Netbios Null Session vulnerability

August 15, 2012 at 08:53:27
Specs: Windows Server 2003
There was a security audit run on our network and one of the vulnerabilities is that Windows Server 2003 allows null sessions. I've done some research on this and it looks like setting these options should take care of it.

Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled (Default)
Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled

My question is, how do I know if changing these fixed it? I am still able to connect using null values using: net use \\<IP address>\ipc$ "" /u:"". It says, "The command completed successfully".

But when I run "winfo <ip address> -v", I get this:

SYSTEM INFORMATION:

Warning: Unable to retrieve system information.
Reason : Access denied.

DOMAIN INFORMATION:

Warning: Unable to retrieve policy.
Reason : Access denied.

PASSWORD POLICY:

Warning: Unable to retrieve password policy.
Reason : Access denied.

LOCOUT POLICY:

Warning: Unable to retrieve lockout policy.
Reason : Access denied.

SESSIONS:

Warning: Unable to retrieve sessions.
Reason : Access denied.

LOGGED IN USERS:

Warning: Unable to retrieve the list of logged in users.
Reason : Access denied.

USER ACCOUNTS:

Warning: Unable to enumerate users.
Reason : Access denied.

WORKSTATION TRUST ACCOUNTS:

Warning: Unable to enumerate workstation trust accounts.
Reason : Access denied.

INTERDOMAIN TRUST ACCOUNTS:

Warning: Unable to enumerate interdomain trust accounts.
Reason : Access denied.

SERVER TRUST ACCOUNTS:

Warning: Unable to enumerate server trust accounts.
Reason : Access denied.

SHARES:

Warning: Unable to enumerate shares.
Reason : Access denied.

Furthermore, I tried: "net view \\<IP address>" and get an access denied error.


To me, this looks good and indicates that the server is no longer giving out any info to null sessions. But since I'm still able to connect with a NULL session, is this issue really fixed? Any thoughts on this?


Thanks!



#1
August 15, 2012 at 15:54:05
✔ Best Answer
There is a GPO you can set:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares

Tony



#2
August 16, 2012 at 14:28:15
That GPO was already set to Enabled. Is it safe to assume that this is no longer vulnerable? I can still connect with a null session but get access denied when I try to see any information.


#3
August 17, 2012 at 08:29:43
Yes, you're fine. The whole reason attackers/pentesters use NULL session attacks is to anonymously enumerate usernames and shares.

Tony




#4
August 17, 2012 at 08:32:37
Great, Thanks!
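
Added example, not written by anyone in this thread: one way to answer "how do I know if changing these fixed it?" is to check the effective registry values behind the three policies discussed above, and to list the pipes and shares that remain exempt. It assumes the standard value names under Control\Lsa and LanManServer\Parameters (they do not appear in the thread) and that `reg query` output for those two keys has been saved as text; the sample input is constructed.

```python
import re

# Registry values behind the three policies named in the thread (names are not
# from the thread), each with its hardened setting.
EXPECTED = {
    "restrictanonymoussam": ("Do not allow anonymous enumeration of SAM accounts", 1),
    "restrictanonymous": ("Do not allow anonymous enumeration of SAM accounts and shares", 1),
    "restrictnullsessaccess": ("Restrict anonymous access to Named Pipes and Shares", 1),
}
# Pipes and shares listed here stay open to null sessions even when restricted.
EXCEPTION_LISTS = ("nullsessionpipes", "nullsessionshares")
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")

# Constructed sample of `reg query` output, not taken from a real server.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymous    REG_DWORD    0x0
    restrictanonymoussam    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
    RestrictNullSessAccess    REG_DWORD    0x1
    NullSessionPipes    REG_MULTI_SZ    COMNAP\0COMNODE\0SQL\QUERY
    NullSessionShares    REG_MULTI_SZ    COMCFG\0DFS$
"""

def parse_reg_query(text):
    """Map lowercased value name -> (type, data) for every value line."""
    found = (VALUE_LINE.match(line) for line in text.splitlines())
    return {m.group(1).lower(): (m.group(2), m.group(3).strip()) for m in found if m}

def audit(text):
    """Return (findings, exceptions) for one server's exported values."""
    values = parse_reg_query(text)
    findings = []
    for name, (policy, want) in EXPECTED.items():
        kind, data = values.get(name, (None, None))
        if kind != "REG_DWORD":
            findings.append(f"{policy}: {name} missing from export")
        elif int(data, 16) != want:
            findings.append(f"{policy}: {name}={int(data, 16)}, expected {want}")
    exceptions = {}
    for name in EXCEPTION_LISTS:
        data = values.get(name, (None, ""))[1]
        exceptions[name] = [item for item in data.split("\\0") if item]  # REG_MULTI_SZ separator
    return findings, exceptions

if __name__ == "__main__":
    findings, exceptions = audit(SAMPLE)
    print("\n".join(findings) or "all three policies at hardened values")
    print(exceptions)
```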
