Enumerate Null Sessions

Checking if Null Session, also known as Anonymous session, is enabled on the network, can be very useful on a Domain Controller to enumerate users, groups, password policy etc

nxc smb 10.10.10.161 -u '' -p ''
nxc smb 10.10.10.161 -u '' -p '' --shares
nxc smb 10.10.10.161 -u '' -p '' --pass-pol
nxc smb 10.10.10.161 -u '' -p '' --users
nxc smb 10.10.10.161 -u '' -p '' --groups

You can also reproduce this behavior with smbclient or rpcclient

smbclient -N -U "" -L \\10.10.10.161

rpcclient -N -U "" -L \\10.10.10.161
rpcclient $> enumdomusers
user:[bonclay] rid:[0x46e]
user:[zoro] rid:[0x46f]

Network access: Shares that can be accessed anonymouslydocsmsft

Example

Forest or Monteverde machines are good examples to test null session authentication with NetExec

https://www.hackthebox.eu/home/machines/profile/212www.hackthebox.eu

https://www.hackthebox.eu/home/machines/profile/223www.hackthebox.eu

PreviousEnumerate Hosts NextEnumerate Guest Logon

Last updated 19 days ago