A journey into forgotten Null Session and MS-RPC interfaces


It has been almost 24 years since the null session vulnerability was discovered. Back then, it was possible to access SMB named pipes using empty credentials and collect domain information. Most often, attackers leveraged null sessions to gather domain users through techniques such as RID (Relative Identifier) enumeration. RIDs uniquely identify users, groups, computers and other entities within the domain. To enumerate them, an attacker issued calls over MS-RPC interfaces to collect account information from the remote host.


To prevent such attacks, Microsoft restricted null session capabilities by limiting what an attacker can do after connecting to named pipes, and provided security policies that could be implemented to stop all null session activities. Today, although null sessions still exist and are enabled by default on domain controllers (most likely for compatibility purposes), most system administrators close this capability by hardening the security policies and monitoring domain controller activities, including anonymous access through SMB.
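As an added illustration, not taken from the original article, the following PowerShell audits the local registry values that back the "Network access:" security policies the paragraph refers to; the value names and paths are the well-known policy backing values, and the expected values are the hardened settings, not what any particular host has.

```powershell
# Added example (not from the original article): report the null-session
# hardening policies on the local machine. Each entry names the registry
# value that backs a "Network access:" security policy and its hardened value.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous'; Expected = 1
       Policy = 'Do not allow anonymous enumeration of SAM accounts and shares' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymousSAM'; Expected = 1
       Policy = 'Do not allow anonymous enumeration of SAM accounts' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'EveryoneIncludesAnonymous'; Expected = 0
       Policy = 'Let Everyone permissions apply to anonymous users' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RestrictNullSessAccess'; Expected = 1
       Policy = 'Restrict anonymous access to Named Pipes and Shares' }
)

foreach ($c in $checks) {
    # A missing value means the OS default applies; report that explicitly
    # instead of assuming the hardened setting is in effect.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($c.Name) } else { '<not set>' }
    $status = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
    [pscustomobject]@{
        Policy   = $c.Policy
        Value    = $c.Name
        Actual   = $actual
        Expected = $c.Expected
        Status   = $status
    }
}

# Named pipes that remain reachable anonymously. On domain controllers this
# list is commonly non-empty by default (e.g. netlogon, samr, lsarpc), which
# is why the article notes that null sessions are still enabled there.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$pipes = (Get-ItemProperty -Path $params -Name 'NullSessionPipes' -ErrorAction SilentlyContinue).NullSessionPipes
"NullSessionPipes: $(if ($pipes) { $pipes -join ', ' } else { '<none>' })"
```

Run it in an elevated session on the host being reviewed; a `REVIEW` row or a populated `NullSessionPipes` list marks a setting to compare against the organisation's baseline.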


As penetration testers, we always pose the question: is it really as secure as it seems? In this case we asked if we can bypass policies and restrictions today, after 24 years, and bring the idea of anonymous access back to life. This research is tailored for security researchers and penetration testers seeking to enhance their understanding of MS-RPC interfaces and refine their research techniques. It’s important to note that all information in this article is intended for legitimate security research purposes only, and must not be used for illegal activities.


The research is di ..
