RestrictAnonymous: Enumeration and the Null user

• Timothy M. MullenAnchorIS.Com, Inc.

thor@hammerofgod.com

What is a ‘null’ user anyway?

• The Null user, or Anonymous user, is a special Built-in user account with no username or password. It is a valid user on any NT 4.0/ Win2k box.

• Used to perform special tasks such as initial secure channel setup, domain membership verification, user enumeration in one-way trusts, etc.

• Also used in MS/3rd party applications such as SMS for discovery, etc.

• Member of the ‘Everyone’ group; cannot be deleted!

Who Cares? Old news, or lingering concern? What can you do with a null

user anyway?

Net use \\Servername\ipc$ “” /user:””

DumpACL

User2Sid / Sid2User

User accounts, groups, policies, services, and other information are all enumerate-able via the “Null” user.

Plenty of information for an attacker to use to case your domain, and to gather intelligence for social attacks.

What do we do? NT 4.0, SP3, introduced support for a new registry value:

HKEY_Local_Machine\System\CurrentControlSet\Control\LSA RestrictAnonymous = 1 (DWORD)

Meant to stop null session enumeration- We’re safe! Break out the Champagne! If it was good enough for C2, it is good enough for us, right?

Not so fast! We still have some issues here… (But you can still drink the Champagne if you want to.)

Big Deal. What else you got? First, lets look at why DumpACL now fails: NetAPI32.lib

Net* enumeration functions now have ACL’s on them.NetServerGetInfoNetUserEnumNetGroupGetUsersNetShareEnumNetUserModalsGet

Now, lets look at why User2Sid/Sid2User still works:LookupAccountNameLookupAccountSIDThese guys have no ACL’s on them!

Other holes in the ACL’s… There are other functions that also have poor ACL’s on them,

even after RA is set to 1:NetServerTransportEnumAnd my FAVORITE,NetUserGetInfo.

NetUserGetInfo, has different “levels” that can be called… Let’s check ‘em out:

Level 0 UsernameLevel 1 Username, age, homedir, etc.Level 2 A bunch of stuff…Level 3 PAYDIRT!

Show me the code! UserInfo- get the low-down on the user account. This is the

good stuff.

∙ Password age ∙ Full name and comments∙ UserID (RID) ∙ Last logon/logoff∙ Role Privileges ∙ Operator Privileges∙ User Flags : All Extended user attributes…

Account Locked Out Account DisabledPassword Never ExpiresUser can’t change password, etc.

Even works on Win2K- call is upwardly compatable to get Win2k extended attributes:

Smartcard Required Trusted for delegation, etc.

But wait! There’s more! UserDump – Combines LookupAccountName, LookupAccountSid,

and NetGetUserInfo to dump all available user information for the entire domain! All with a Null user, and all with RA set to 1!!

∙ Get all the users with operator privileges

∙ Get all the administrators∙ Get all the users that never change their passwords∙ Get computer names∙ Get all full user names and notes

Yikes! What do we do now? Win2k supports a new value of “2” for RA (“No access without

explicit anonymous permissions” ). This guy removes the Null user from the ‘Everyone’ Group, and stops the Null user cold… But not without a cost:

Kills NT 4.0 Connectivity.

Bye-bye to down-level servers in trusted domains.Kills browser service lists.

Block UDP 137 & 138, TCP 139, and TCP 445.

The REAL solution is to fix RA=1. Keep your fingers crossed- MS DEV may actually go back and fix this in NT 4/ Win2k. The word is that this is handled in Whistler.

Thanks! AnchorIS.Com www.anchoris.com HammerofGod www.hammerofgod.com

Timothy M. Mullen tmullen@anchoris.comthor@hammerofgod.com