Skip to main content

NULL Session Enumeration (Internal/External)

NULL Session

LDAP, SMB, and RPC may allow a user to authenticate to the service without providing a credential. Depending on the configurations of these services, you may be able to enumerate a great deal of information about resources on the domain with very minimal effort.


crackmapexec smb dc-ip-or-fqdn -d domain.tld -u 'anonymous' -p '' --rid-brute 3000


If NULL sessions are allowed, we can use a technique called RID cycling to enumerate usernames from a domain controller. The idea is that enum4linux will infer theĀ domain SID from LDAP and append userĀ RIDs to the end of the domain SID and cycle to through the RIDs until the specified stopping point.

# Show help message
enum4linux -h

# Enum4Linux NULL Session Enumeration
	# -a : Do all enumeration steps
    # -r : Enumerate user accounts using the 
    # -K <int> : End RID cycling at this number
enum4linux -a -r -K 5000 domain-controller-ip

You can almost always be certain you've found the domain controller by looking at the open ports on the target. Common services running on the domain controller are:

53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl