Null session

Null session definition

In the Windows 2000 access control model (taking Windows 2000 as the example), establishing a null session also requires a token, but because no user credentials are authenticated while the session is set up, that token contains no user information. The system therefore cannot send encrypted data over such a session. That does not mean the null-session token has no security identifier (the SID, which identifies users and groups): for a null session the SID in the token supplied by the LSA is S-1-5-7, the null-session SID, and the user name is ANONYMOUS LOGON (this account appears in the user list but cannot be found in the SAM database; it is a built-in system account). The access token contains the following impersonated groups:



Within the limits set by the security policy, this null session is authorized to access everything the two groups above can access.

The role of null sessions

On NT, under the default security settings, a null connection lets you list the users and shares on the target host, reach shares that grant Everyone permission, and read a small part of the registry; none of that is worth much. On Windows 2000 the effect is smaller still, because by default in Windows 2000 and later only Administrators and Backup Operators may access the registry over the network, and doing so is inconvenient and needs tools.

From this it looks as if such an untrusted session is of little use, but in a complete IPC$ intrusion the null session is an indispensable stepping stone, because it is what yields the user list, and most weak-password scanning tools guess passwords against exactly that list. Successfully exporting the user list greatly raises the success rate of guessing. This alone is enough to explain the security risk of null sessions, so it is wrong to say they are useless. The following are some specific commands that can be used in a null session:

1. First, establish a null connection (this of course requires IPC$ to be open on the target)

Command: net use \\ip\ipc$ "" /user:""

Note: the command above contains four spaces: one between net and use, one after use, and one on each side of the empty password "".

2. View the shared resources of the remote host

Command: net view \\ip

Explanation: once a null connection has been established, this command shows the shared resources of the remote host. If shares are open you get output like the following, but the command does not display the default (administrative) shares.

Shared resources in \\*.*.*.*

Share name   Type  Used as  Comment

-------------------------------------------------------------------------------

NETLOGON     Disk           Logon server share
SYSVOL       Disk           Logon server share

The command completed successfully.

3. View the current time of the remote host

Command: net time \\ip

Explanation: Use this command to get the current time of a remote host.

4. Get the NetBIOS name list of the remote host (NBT must be enabled on your own machine)

Command: nbtstat -A ip

This command returns the remote host's NetBIOS name list, for example:

Node IpAddress: [*.*.*.*] Scope Id: []

NetBIOS Remote Machine Name Table

Name               Type         Status

---------------------------------------------

SERVER         <00>  UNIQUE      Registered
OYAMANISHI-H   <00>  GROUP       Registered
OYAMANISHI-H   <1C>  GROUP       Registered
SERVER         <20>  UNIQUE      Registered
SERVER         <03>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
INet~Services  <1C>  GROUP       Registered
IS~SERVER......<00>  UNIQUE      Registered

MAC Address = 00-50-8B-9A-2D-37

5. Some people append a $ to a share name to hide it, but such shares can still be seen with net share at the DOS prompt.

This hiding is only a limitation of Microsoft's standard Windows client (net view), not of the server; on the wire the share is treated like any other, so the client can be modified to remove the limitation, or third-party client software can be used to see so-called hidden shares. smbclient is a typical example.

6. Some people put a password on the share, but I have heard there is a way to crack it.

How crackable it is depends on what you mean. Pure brute force goes without saying; in principle it is always possible. Windows 95 and 98 have another vulnerability, the famous vredir.vxd one: the length the server uses to verify the password is actually supplied by the client, which means at most 256 guesses (in practice fewer, considering only the printable-character range) are needed to get in. Early on, a great many people used this method to browse other people's machines illegally. It was reported to Microsoft in 2000 and has since been patched.

Incidentally, this vulnerability can also quickly recover the original password, although that is unnecessary in an attack.

7. On Windows 2000, SMB can run directly over TCP/IP without the extra NBT layer, using TCP port 445. One would therefore expect 2000 to differ from NT somewhat more.

In fact the opposite is true. With the ssaxh_capabilities field specifying that Extended Security Authentication is not used, the original authentication mechanism is kept; only the Session Request of the NBT layer is removed and 139/TCP is replaced by 445/TCP, and a null session can still be established and //IPC$ opened successfully.

As for the higher-level RPC over SMB, nothing needs to change. In other words, going from 139/TCP to 445/TCP removes one pair of NBT Session Request/Response messages from the whole exchange; the messages that follow are completely identical in both cases.

The so-called NBT layer is not actually removed even in 445 communication; it has always been there. The only difference is the one described above.

8. If the client has NBT enabled, it tries ports 139 and 445 at the same time when connecting. Microsoft does not let 139/TCP compete fairly with 445/TCP. Macroscopically the SYN packets that initiate the two connections are sent simultaneously; specifically, sometimes the connection request to 139/TCP goes out first and sometimes the one to 445/TCP does, which is somewhat random.

When it sends the final ACK of the three-way handshake to 139/TCP, Windows piggybacks data on it: an NBT Session Request carrying a deliberately wrong NetBIOS name (*SMBSERV<00...(8)>). 445/TCP needs no NBT session at all.

Because of the deliberately wrong NetBIOS name, 139/TCP can hardly compete with 445/TCP: the server returns a Negative NBT Session Response and performs a close(), so the connection to 139/TCP (the transport-layer TCP connection) has to be established all over again.

So the deliberately wrong NetBIOS name exists purely to give 445/TCP a head start. Unfortunately 445/TCP does not always make good use of it: the port is busy and heavily loaded, and even in this unfair competition 139/TCP may still regain the lead and establish an NBT session (note: an NBT session, not just a TCP connection) before 445/TCP does. In that case port 445 sends back an RST and the subsequent SMB session is carried over the 139/TCP connection.

Microsoft's own operating systems do not recognize "*SMBSERV<00...(8)>", but Samba Server 2.2.5 does and actually returns a Positive Session Response. This has become one way to accurately identify a Samba server.
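The NBT Session Request/Response pair from items 7 and 8, as an added example (not code from the original article): it first-level encodes a NetBIOS name per RFC 1002, builds the session request carrying the *SMBSERV name padded with eight 0x00 bytes as the article describes it, and decodes the positive or negative response a server sends back. The message layout and error codes are RFC 1002's; the calling name CLIENT is a constructed placeholder.

```python
"""RFC 1002 NetBIOS Session Service: the request/response pair that 139/TCP
adds and 445/TCP omits (items 7 and 8)."""
import struct

SESSION_REQUEST = 0x81
POSITIVE_SESSION_RESPONSE = 0x82
NEGATIVE_SESSION_RESPONSE = 0x83
NEGATIVE_REASONS = {  # error codes from RFC 1002 section 4.3.4
    0x80: "not listening on called name",
    0x81: "not listening for calling name",
    0x82: "called name not present",
    0x83: "called name present, but insufficient resources",
    0x8F: "unspecified error",
}

def encode_netbios_name(name: bytes, suffix: int = 0x00, pad: bytes = b" ") -> bytes:
    """First-level encoding: pad the name to 15 bytes, append the suffix byte,
    then write each byte as two nibbles mapped onto 'A'..'P' (32 chars),
    framed by a 0x20 length byte and a 0x00 terminator."""
    raw = name[:15].ljust(15, pad) + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return b"\x20" + bytes(encoded) + b"\x00"

def build_session_request(called: bytes, calling: bytes, called_pad: bytes = b" ") -> bytes:
    """Session Request: type 0x81, flags 0, big-endian length, called name, calling name."""
    body = encode_netbios_name(called, pad=called_pad) + encode_netbios_name(calling)
    return struct.pack(">BBH", SESSION_REQUEST, 0, len(body)) + body

def smbserv_request(calling: bytes = b"CLIENT") -> bytes:
    """The request Windows piggybacks on the 139/TCP handshake ACK, as the article
    describes it: called name "*SMBSERV" followed by eight 0x00 bytes.
    The calling name CLIENT is a constructed placeholder."""
    return build_session_request(b"*SMBSERV", calling, called_pad=b"\x00")

def parse_session_response(data: bytes):
    """Return ("positive", None) or ("negative", reason) for a Session Response;
    a truncated message or an unexpected message type raises ValueError."""
    if len(data) < 4:
        raise ValueError("truncated session header")
    msg_type, flags, length = struct.unpack(">BBH", data[:4])
    length |= (flags & 0x01) << 16          # flags bit 0 extends the length field
    payload = data[4:4 + length]
    if len(payload) < length:
        raise ValueError("truncated session payload")
    if msg_type == POSITIVE_SESSION_RESPONSE and length == 0:
        return "positive", None             # what the article says Samba 2.2.5 returns
    if msg_type == NEGATIVE_SESSION_RESPONSE and length == 1:
        return "negative", NEGATIVE_REASONS.get(payload[0], f"unknown 0x{payload[0]:02x}")
    raise ValueError(f"unexpected session message type 0x{msg_type:02x}")
```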

Microsoft, in <>, mentions none of this and claims instead that 139/TCP and 445/TCP compete fairly and whichever answers first is used. Don't believe that nonsense.

Incidentally, if you have no need for it, you need not care about this difference at all; when you do need it, the difference is decisive.

9. Most obviously, a null session can easily be connected to other domains to enumerate users, machines and so on. This is the principle behind the probing done by scanning software.

XP and 2003 prohibit the PolicyAccountDomainInformation query over a null session by default: LsarOpenPolicy2 (opnum 44) can be seen to fail with access denied. If the SMB session is instead established with a valid account and password rather than as a null session, LsarOpenPolicy2(44) returns successfully.

The above is what is usually done with null sessions. It seems a lot can be obtained, but note: establishing an IPC$ connection leaves a record in the Event Log, whether or not the logon succeeds.
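The Event Log record just mentioned is what a defender can watch for. As an added example (not part of the original article), the script below flags null-session network logons by the ANONYMOUS LOGON account name and the S-1-5-7 SID the article gives, then counts them per source address so a burst of enumeration from one host stands out. The sample records are constructed; their field names follow the modern Security event 4624 layout, which is an assumption about the reader's log format since the article only states that a record is written.

```python
"""Flag null-session (ANONYMOUS LOGON) network logons in Security log records."""
import re
from collections import Counter

NULL_SESSION_SID = "S-1-5-7"           # SID of the null-session token (from the article)
ANONYMOUS_ACCOUNT = "ANONYMOUS LOGON"   # built-in account name (from the article)
NETWORK_LOGON_TYPE = "3"                # Windows logon type for network (SMB) logons
SUCCESS_LOGON_EVENT = "4624"            # modern "account was successfully logged on" event

# Constructed sample records in a simplified "key=value" form modelled on 4624 fields.
SAMPLE_LOG = """\
EventID=4624 LogonType=3 TargetUserName=ANONYMOUS LOGON TargetUserSid=S-1-5-7 IpAddress=10.0.0.5
EventID=4624 LogonType=3 TargetUserName=alice TargetUserSid=S-1-5-21-1-2-3-1001 IpAddress=10.0.0.9
EventID=4624 LogonType=3 TargetUserName=ANONYMOUS LOGON TargetUserSid=S-1-5-7 IpAddress=10.0.0.5
EventID=4624 LogonType=3 TargetUserName=ANONYMOUS LOGON TargetUserSid=S-1-5-7 IpAddress=10.0.0.77
EventID=4624 LogonType=2 TargetUserName=bob TargetUserSid=S-1-5-21-1-2-3-1002 IpAddress=-
"""

# Values may contain spaces ("ANONYMOUS LOGON"), so a value runs until the next "key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_record(line: str) -> dict:
    """Split one key=value record into a dict."""
    return dict(FIELD_RE.findall(line))

def is_null_session_logon(rec: dict) -> bool:
    """A successful network logon whose target is the anonymous account.
    The SID is authoritative; the name is checked too in case the SID field is absent."""
    return (rec.get("EventID") == SUCCESS_LOGON_EVENT
            and rec.get("LogonType") == NETWORK_LOGON_TYPE
            and (rec.get("TargetUserSid") == NULL_SESSION_SID
                 or rec.get("TargetUserName", "").upper() == ANONYMOUS_ACCOUNT))

def null_session_sources(log_text: str) -> Counter:
    """Count null-session logons per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if is_null_session_logon(rec):
            counts[rec.get("IpAddress", "?")] += 1
    return counts

def noisy_sources(log_text: str, threshold: int = 2) -> list:
    """Sources with at least `threshold` null-session logons, most active first;
    repeated anonymous logons from one host is the enumeration pattern described above."""
    return [(ip, n) for ip, n in null_session_sources(log_text).most_common() if n >= threshold]

if __name__ == "__main__":
    print(noisy_sources(SAMPLE_LOG))
```

Legitimate anonymous logons do occur (some inter-machine traffic uses them), so the threshold and a per-host baseline matter more than any single record.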
