The original purpose of null sessions was to allow unauthenticated hosts to obtain browse lists from NT servers and participate in MS networking.
Null sessions are one of the most frequently used methods for network reconnaissance employed by "hackers." A null session connection allows you to connect to a remote machine without using a user name or password. Instead, you are given anonymous/guest access. Please note, even if you have disabled the Guest account, this will still work.
Using a null session connection to a remote machine and tools freely available on the Internet, "hackers" are able to export all manner of information from your machine, including password policy, user names on the machine, account lockout period, last logon time, blank passwords, etc. This will also inform the "hacker" if you have changed the name of the local administrator account, and it will neatly display the names of all accounts on the target machine, including the renamed Admin account.
Once a null session connection has been established, all that is needed is to type "Net view \\TargetComputerName" to be presented with a list of shared resources on the Target machine.
How do I stop this?
1. Get a Firewall.
a) Disable NetBIOS over TCP/IP, since Null Sessions are a "feature" of NetBIOS.
b) Add RestrictAnonymous=1 to HKLM\SYSTEM\CurrentControlSet\Control\LSA, even though there are tools which sidestep this measure.
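To check whether a machine already has the two settings above in place, the following audit script can be run locally. It is an added example, not part of the original submission; the function name Get-NullSessionHardening is made up for illustration, and it assumes a Windows version with PowerShell 3.0 or later.

```powershell
# Added example: audits the two hardening settings named above on the local machine.
# Get-NullSessionHardening is a hypothetical helper name, not a built-in cmdlet.
function Get-NullSessionHardening {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # A missing RestrictAnonymous value is treated as 0 (anonymous access not restricted).
    $lsa = Get-ItemProperty -Path $lsaKey -Name RestrictAnonymous -ErrorAction SilentlyContinue
    $restrict = if ($null -ne $lsa) { [int]$lsa.RestrictAnonymous } else { 0 }

    [pscustomobject]@{
        Check  = 'RestrictAnonymous'
        Target = $lsaKey
        Value  = $restrict
        Pass   = ($restrict -ge 1)
    }

    # Win32_NetworkAdapterConfiguration.TcpipNetbiosOptions:
    #   0 = take the setting from DHCP, 1 = enabled, 2 = disabled.
    $meaning = @{ 0 = 'default (from DHCP)'; 1 = 'enabled'; 2 = 'disabled' }

    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $opt = [int]$_.TcpipNetbiosOptions
            [pscustomobject]@{
                Check  = 'NetBIOS over TCP/IP'
                Target = $_.Description
                Value  = $meaning[$opt]
                Pass   = ($opt -eq 2)   # only an explicit "disabled" counts as a pass
            }
        }
}

# One row for the registry setting, then one row per IP-enabled adapter.
Get-NullSessionHardening | Format-Table -AutoSize
```

Any row with Pass set to False marks a setting that still needs the change described in a) or b).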
How do I know if this is happening to me?
Certain utilities are available on the Net, Desktop Sentry for one, which enable you to see who is connected to your machine, giving user name and IP address and if the connection is a null session or not.
It is estimated that 80% of attacks on NT systems occur in this manner.
Submitted by JohnD76