NULL Session Enumeration
NULL Session
LDAP, SMB and MS-RPC services may allow a session to be established without supplying any credentials (a NULL session). Depending on how these services are configured, that unauthenticated session can expose a great deal of information about domain resources with very little effort.
Example showing successful enumeration of usernames via null session RID cycling
NetExec
nxc smb dc-ip-or-fqdn -d domain.tld -u 'anonymous' -p '' --rid-brute 3000
Internal or via ligolo-ng (or similar) layer 3 tunnel
proxychains -q nxc smb dc-ip-or-fqdn -d domain.tld -u 'anonymous' -p '' --rid-brute 3000
External via SOCKS proxy -- e.g. chisel or ssh
If the 'anonymous' account is rejected, retry with an empty username (-u '' -p '') before concluding that NULL sessions are disabled.
Enum4Linux
If NULL sessions are allowed, we can use a technique called RID cycling to enumerate usernames from a domain controller. enum4linux first obtains the domain SID over MS-RPC (rpcclient's lsaquery), then appends candidate RIDs to that domain SID and resolves the resulting SIDs back to names, cycling through the RIDs until the stopping condition is met (with -K, a run of consecutive RIDs that resolve to nothing).
enum4linux -h
Show help message
enum4linux -a -r -K 5000 domain-controller-ip
Internal or via ligolo-ng (or similar) layer 3 tunnel
proxychains -q enum4linux -a -r -K 5000 domain-controller-ip
External via SOCKS proxy -- e.g. chisel or ssh
Syntax Explainer
-a: Do all simple enumeration steps
-r: Enumerate user accounts via RID cycling
-K <int>: Keep cycling RIDs until <int> consecutive RIDs fail to resolve to a name (extends the RID range well beyond the default, which is useful against a DC)
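The following is an added example, not code from the original page or from the enum4linux or NetExec projects. It shows the mechanics behind RID cycling described above: building candidate SIDs from a domain SID and a RID range, batching them into rpcclient lookupsids commands, and parsing lookupsids output to keep only user accounts. The domain SID, the host name and the sample lookupsids output are all constructed for illustration; nothing here touches the network, so a real run would pipe the generated commands into rpcclient against the target DC.

```shell
#!/usr/bin/env bash
# Added example: RID cycling helpers (not from the original page).
# Assumes the domain SID was obtained beforehand, e.g.:
#   rpcclient -U '' -N dc-ip-or-fqdn -c 'lsaquery'

# Print one SID per line: <domain SID>-<rid> for every rid in [start, end].
build_sids() {
  local dom_sid="$1" rid="$2" end="$3"
  while [ "$rid" -le "$end" ]; do
    printf '%s-%d\n' "$dom_sid" "$rid"
    rid=$((rid + 1))
  done
}

# Build a single rpcclient 'lookupsids' command resolving a RID range.
lookupsids_cmd() {
  printf 'lookupsids %s' "$(build_sids "$@" | tr '\n' ' ' | sed 's/ $//')"
}

# Split a RID range into lookupsids commands of at most $4 SIDs each
# (one per line), so a large range does not become one enormous command.
# Real use: batched_cmds "$SID" 500 5000 50 | while read -r cmd; do
#             rpcclient -U '' -N dc-ip-or-fqdn -c "$cmd"; done
batched_cmds() {
  local dom_sid="$1" lo="$2" end="$3" size="$4" hi
  while [ "$lo" -le "$end" ]; do
    hi=$((lo + size - 1))
    if [ "$hi" -gt "$end" ]; then hi=$end; fi
    lookupsids_cmd "$dom_sid" "$lo" "$hi"
    printf '\n'
    lo=$((hi + 1))
  done
}

# Parse lookupsids output read from stdin. Each line has the form
#   <SID> DOMAIN\Name (<type>)
# where the trailing type is the SID name type: 1 = user, 2 = domain group,
# 4 = alias, 8 = unknown (RID not in use). Print only user account names,
# stripping the DOMAIN\ prefix; names may contain spaces.
parse_users() {
  awk '$NF == "(1)" {
    line = $0
    sub(/^[^ ]+ /, "", line)     # drop the SID
    sub(/ \(1\)$/, "", line)     # drop the type marker
    sub(/^[^\\]*\\/, "", line)   # drop the DOMAIN\ prefix
    print line
  }'
}

# Constructed sample of lookupsids output (not captured from a real host).
SAMPLE='S-1-5-21-1111111111-2222222222-3333333333-500 CORP\Administrator (1)
S-1-5-21-1111111111-2222222222-3333333333-501 CORP\Guest (1)
S-1-5-21-1111111111-2222222222-3333333333-502 CORP\krbtgt (1)
S-1-5-21-1111111111-2222222222-3333333333-512 CORP\Domain Admins (2)
S-1-5-21-1111111111-2222222222-3333333333-1000 *unknown*\*unknown* (8)
S-1-5-21-1111111111-2222222222-3333333333-1104 CORP\svc backup (1)'

# Run the parser over the constructed sample.
sample_users() {
  printf '%s\n' "$SAMPLE" | parse_users
}

# Stand-alone demo: show the commands for RIDs 1000-1009 in batches of 4,
# then the user names recovered from the sample output.
batched_cmds S-1-5-21-1111111111-2222222222-3333333333 1000 1009 4
sample_users
```

The type filter is the important part: group and alias RIDs (types 2 and 4) also resolve, so counting every resolved SID as a user inflates the username list; unmapped RIDs (type 8) are what a -K style "consecutive misses" stop condition would count.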