NULL Session Enumeration (Internal/External)
NULL Session
LDAP, SMB, and RPC may allow a user to authenticate to the service without providing a credential. Depending on the configurations of these services, you may be able to enumerate a great deal of information about resources on the domain with very minimal effort.
CrackMapExec
crackmapexec smb dc-ip-or-fqdn -d domain.tld -u 'anonymous' -p '' --rid-brute 3000
Enum4Linux
If NULL sessions are allowed, we can use a technique called RID cycling to enumerate usernames from a domain controller. The idea is that enum4linux
will infer the domain SID from LDAP, append user RIDs to the end of the domain SID, and cycle through the RIDs until the specified stopping point.
# Show help message
enum4linux -h
# Enum4Linux NULL session enumeration
# -a : Do all enumeration steps
# -r : Enumerate user accounts via RID cycling
# -K <int> : End RID cycling at this number
enum4linux -a -r -K 5000 domain-controller-ip
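The SID arithmetic behind RID cycling (domain SID plus a RID, encoded the way SMB/RPC carry it), as an added offline example that is not part of the original page or of enum4linux: it serialises and parses binary SIDs, splits a resolved account SID back into domain SID and RID, and lists the candidate SIDs a cycling run would ask the DC to resolve. The domain SID in the test and the well-known-RID table are constructed sample values; the functions never contact a server.

```python
import struct

# Constructed reference table: RIDs that exist in every domain, so they resolve
# even when nothing but the domain SID is known; hits on them confirm the SID.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users"}


def parse_sid(sid: str):
    """Split 'S-1-5-21-a-b-c[-rid]' into (revision, authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError(f"malformed SID: {sid!r}")
    return revision, authority, subs


def sid_to_bytes(sid: str) -> bytes:
    """Binary SID as carried over SMB/RPC: revision byte, sub-authority count,
    48-bit big-endian identifier authority, then little-endian sub-authorities."""
    revision, authority, subs = parse_sid(sid)
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(blob: bytes) -> str:
    """Inverse of sid_to_bytes; rejects blobs whose length disagrees with the count byte."""
    if len(blob) < 8 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError("truncated or oversized SID blob")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{blob[1]}I", blob[8:])
    return "-".join(["S", str(blob[0]), str(authority), *map(str, subs)])


def split_rid(account_sid: str):
    """Separate a resolved account SID into its domain SID and RID."""
    domain_sid, _, rid = account_sid.rpartition("-")
    return domain_sid, int(rid)


def rid_cycle_candidates(domain_sid: str, start: int = 500, stop: int = 5000):
    """Yield (sid, label) for every RID a cycling run from start to stop would ask
    the DC to resolve; label is set only for the well-known RIDs above."""
    _, _, subs = parse_sid(domain_sid)
    if len(subs) != 4 or subs[0] != 21:  # domain SIDs have the form S-1-5-21-x-y-z
        raise ValueError("expected a domain SID of the form S-1-5-21-x-y-z")
    for rid in range(start, stop + 1):
        yield f"{domain_sid}-{rid}", WELL_KNOWN_RIDS.get(rid)
```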
You can almost always be certain you've found the domain controller by looking at the open ports on the target. Common services running on the domain controller are:
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl