1 / 10

RestrictAnonymous: Enumeration and the Null user

RestrictAnonymous: Enumeration and the Null user. Timothy M. Mullen AnchorIS.Com, Inc. thor@hammerofgod.com. What is a ‘null’ user anyway?. The Null user, or Anonymous user, is a special Built-in user account with no username or password. It is a valid user on any NT 4.0/ Win2k box.

gordy
Download Presentation

RestrictAnonymous: Enumeration and the Null user

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. RestrictAnonymous: Enumeration and the Null user Timothy M. Mullen AnchorIS.Com, Inc. thor@hammerofgod.com

  2. What is a ‘null’ user anyway? The Null user, or Anonymous user, is a special Built-in user account with no username or password. It is a valid user on any NT 4.0/ Win2k box. Used to perform special tasks such as initial secure channel setup, domain membership verification, user enumeration in one-way trusts, etc. Also used in MS/3rd party applications such as SMS for discovery, etc. Member of the ‘Everyone’ group; cannot be deleted!

  3. Who Cares? Old news, or lingering concern? What can you do with a null user anyway? Net use \\Servername\ipc$ “” /user:”” DumpACL User2Sid / Sid2User User accounts, groups, policies, services, and other information are all enumerate-able via the “Null” user. Plenty of information for an attacker to use to case your domain, and to gather intelligence for social attacks.

  4. What do we do? NT 4.0, SP3, introduced support for a new registry value: HKEY_Local_Machine\System\CurrentControlSet\Control\LSA RestrictAnonymous = 1 (DWORD) Meant to stop null session enumeration- We’re safe! Break out the Champagne! If it was good enough for C2, it is good enough for us, right? Not so fast! We still have some issues here… (But you can still drink the Champagne if you want to.)

  5. Big Deal. What else you got? First, lets look at why DumpACL now fails: NetAPI32.lib Net* enumeration functions now have ACL’s on them. NetServerGetInfo NetUserEnum NetGroupGetUsers NetShareEnum NetUserModalsGet Now, lets look at why User2Sid/Sid2User still works: LookupAccountName LookupAccountSID These guys have no ACL’s on them!

  6. Other holes in the ACL’s… There are other functions that also have poor ACL’s on them, even after RA is set to 1: NetServerTransportEnum And my FAVORITE, NetUserGetInfo. NetUserGetInfo, has different “levels” that can be called… Let’s check ‘em out: Level 0  Username Level 1  Username, age, homedir, etc. Level 2  A bunch of stuff… Level 3  PAYDIRT!

  7. Show me the code! UserInfo- get the low-down on the user account. This is the good stuff. ∙ Password age ∙ Full name and comments ∙ UserID (RID) ∙ Last logon/logoff ∙ Role Privileges ∙ Operator Privileges ∙ User Flags : All Extended user attributes… Account Locked Out Account Disabled Password Never Expires User can’t change password, etc. Even works on Win2K- call is upwardly compatable to get Win2k extended attributes: Smartcard Required Trusted for delegation, etc.

  8. But wait! There’s more! UserDump – Combines LookupAccountName, LookupAccountSid, and NetGetUserInfo to dump all available user information for the entire domain! All with a Null user, and all with RA set to 1!! ∙ Get all the users with operator privileges ∙ Get all the administrators ∙ Get all the users that never change their passwords ∙ Get computer names ∙ Get all full user names and notes

  9. Yikes! What do we do now? Win2k supports a new value of “2” for RA (“No access without explicit anonymous permissions” ). This guy removes the Null user from the ‘Everyone’ Group, and stops the Null user cold… But not without a cost: Kills NT 4.0 Connectivity. Bye-bye to down-level servers in trusted domains. Kills browser service lists. Block UDP 137 & 138, TCP 139, and TCP 445. The REAL solution is to fix RA=1. Keep your fingers crossed- MS DEV may actually go back and fix this in NT 4/ Win2k. The word is that this is handled in Whistler.

  10. Thanks! AnchorIS.Com www.anchoris.com HammerofGod www.hammerofgod.com Timothy M. Mullen tmullen@anchoris.com thor@hammerofgod.com

More Related