lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20050818075852.GA2225@jbmarchand.in.germinus.com>
Date: Thu Aug 18 09:01:19 2005
From: jbm.lists at gmail.com (Jean-Baptiste Marchand)
Subject: NULL sessions on Windows 2000 systems [Was: Re: Re:
	It's not that simple...]

* yossarian <yossarian@...net.nl>:

> In the original X-Force paper named pipes were mentioned besides Null 
> Sessions. Does it need both or either one - the paper isn't clear on this? 
> The named pipes seem to have dropped from all discussion.... Anyway, never 
> broke anything by disabling them, either. This is a registry hack described 
> in the MS Hardening guides for 2000 and 2003 server. Just like Null 
> sessions. Elsewhere dunno, but probably, never bothered.

A NULL session usually refers to an anonymous connection to the IPC$
share, giving remote access to named pipes.

Some named pipes can be opened anonymously (these named pipes appear in
the NullSessionPipes registry value), i.e. in the context of a NULL
session.

In addition, 6 named pipes are harcoded in Windows 2000 and can always
be opened anonymously:

 http://www.hsc.fr/ressources/presentations/null_sessions/img7.html

The recent PnP vulnerability (MS05-039) can be anonymously exploited on
Windows 2000 systems with 139/tcp or 445/tcp open, *except* if the
RestrictAnonymous registry value is set to 2.

This is because the only way to disable NULL sessions *entirely* on
Windows 2000 is to set RestrictAnonymous to 2:

 http://www.hsc.fr/ressources/presentations/null_sessions/img23.html

Please read my recent presentation about NULL sessions, many people seem
to know about NULL sessions but fewer people really understand the
technical details:

 http://www.hsc.fr/ressources/presentations/null_sessions/


-- 
Jean-Baptiste Marchand

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ