Posted on Wednesday, 23rd September 2009 by Michael
Null Session Scanning
For a recent audit I was tasked with checking a class C network for null sessions. The task itself sounds simple, doesn't it? But I am not one to just run a quick scan without verifying my work. This caused an interesting discovery. On my first run at the network I used NTscan and discovered 1 machine with a null session open. If this had been correct, then the client would definitely have improved their security posture since the last audit they had from another company. To verify my work I then ran xscan v3; though I prefer their older versions, I could not find a working clean copy in the short time frame I had to use it. This scan returned 3 open machines. Now this was odd, but I chalked it up to maybe another machine coming up in the time it took to run the tools. The third scan I ran with a tool called netscan, and this tool not only returned 16 machines open but also returned all the drive information with their permissions. Now this totally baffled me, so I ran all three tools one after another and the same results came up. I also manually checked the machines that returned results and each one was indeed open.

Now with this in mind I figured the safest way to confirm what was truly open was to manually test the full class C using net commands. So to do this I wrote a simple shell script for CYGWIN to verify the machine was up and then to check it for null sessions. The script returned 26 null sessions; I verified a sampling of them and confirmed my results. The script is attached. The script was not written with the ability to quickly change it with variables, as I needed it quickly and did not have time to make it look real pretty. If you would like to customize the script please feel free to do it, or if you need help please feel free to ask.
Part 1:
Verify the node is up: ShareScan: http://genxweb.net/wp-content/uploads/2007/06/shareup.zip
This script goes through a text file, verifies that the IPs inside it are up, and, if they are, writes them to another file that the scanner then uses to check for null sessions.
Part 2:
Check for null session: Scan Share: http://genxweb.net/wp-content/uploads/2007/06/scanshare.zip
This script takes the IP addresses that came back up from the first part and runs the net use commands against them to check for null sessions. Error checking is basic, as it relies on a simple && conditional: if the share was mapped successfully, then disconnect it.
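The two-part pipeline described in Part 1 and Part 2, as an added example that is not the original shareup/scanshare script: Part 1 filters a target list down to hosts that answer a ping, Part 2 tries to map IPC$ with empty credentials on each live host and, only on success, disconnects it again (the same && idiom the post describes). It assumes Cygwin with the Windows ping.exe and net.exe on the PATH (the ping -n 1 -w 1000 form; with the Cygwin ping package installed use -c 1 instead), and the file names targets.txt, up.txt and nullsessions.txt are assumptions of this example.

```shell
#!/bin/sh
# Added example of a two-part null-session audit pipeline for an in-scope
# network (not the original shareup/scanshare scripts from the post).
# Assumptions: Cygwin shell, Windows ping.exe and net.exe on PATH.

# Part 1 helper: exit 0 if the host answers a single ping (Windows ping syntax).
host_is_up() {
    ping -n 1 -w 1000 "$1" >/dev/null 2>&1
}

# Part 2 helper: exit 0 if an IPC$ null session could be mapped.
# cmd.exe's  net use \\HOST\ipc$ "" /user:""  arrives from sh as  "" /user:
# Mirrors the post's "&&" idiom: map, and only on success disconnect.
has_null_session() {
    share="\\\\$1\\ipc\$"
    if net use "$share" "" /user: >/dev/null 2>&1; then
        net use "$share" /delete >/dev/null 2>&1
        return 0
    fi
    return 1
}

# Part 1: read candidate IPs from $1 (one per line; blank lines and
# #comments ignored), append the live ones to $2, print the live count.
filter_live_hosts() {
    infile=$1; outfile=$2
    : > "$outfile"
    count=0
    while IFS= read -r ip || [ -n "$ip" ]; do
        case $ip in ''|'#'*) continue ;; esac
        if host_is_up "$ip"; then
            printf '%s\n' "$ip" >> "$outfile"
            count=$((count + 1))
        fi
    done < "$infile"
    echo "$count"
}

# Part 2: for each live host in $1, record those with a null session in $2,
# print how many were found.
scan_null_sessions() {
    infile=$1; outfile=$2
    : > "$outfile"
    count=0
    while IFS= read -r ip || [ -n "$ip" ]; do
        [ -n "$ip" ] || continue
        if has_null_session "$ip"; then
            printf '%s\n' "$ip" >> "$outfile"
            count=$((count + 1))
        fi
    done < "$infile"
    echo "$count"
}

# Usage: sh nullscan.sh targets.txt   -> writes up.txt and nullsessions.txt
if [ "$#" -ge 1 ]; then
    up=$(filter_live_hosts "$1" up.txt)
    echo "$up host(s) up, written to up.txt"
    found=$(scan_null_sessions up.txt nullsessions.txt)
    echo "$found null session(s), written to nullsessions.txt"
fi
```

Two caveats when reading the output: gating on ping means a host that drops ICMP but still exposes SMB never reaches Part 2, so the live-host file is a lower bound, not the full picture; and any host that lands in nullsessions.txt is one whose LSA anonymous-access settings (RestrictAnonymous, RestrictAnonymousSAM) should be reviewed and the finding re-tested after the change.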
Side note: I first published this article on my old site http://www.genxweb.net