Full Report
Hello. TL;DR: I think I found three new ways to do user enumeration on Windows domain controllers, and I wrote some scripts for it. Over the years, I have often used the NULL session vulnerability to enumerate lists of users, groups, shares and other interesting information from remote Windows systems. For the uninitiated, Windows exposes several administrative and hidden shares via SMB by default. Some of these shares allow one to access the complete storage device on remote systems. For example, C$ will allow one to access the C: drive. Another share, Admin$, allows one to access the Windows installation directory. To be able to mount these shares, however, one needs to be an administrator on the remote system.
Analysis Summary
# Tool/Technique: New NULL Session User Enumeration Methods (Scripts for UserEnum)
## Overview
The subject of this analysis is the discovery and implementation of **three new methods** for user enumeration on Windows Domain Controllers, building on the concept of **NULL sessions** via SMB. The methods are implemented as custom scripts, shared via the `UserEnum` repository, that rely on lesser-known Windows service interactions (over SMB/IPC$ or related protocols) to work around the limitations observed with traditional tools such as `rpcclient`. The end goal is to obtain user and group listings for subsequent credential attacks.
## Technical Details
- Type: Technique / Tool (Custom Scripts)
- Platform: Windows Domain Controllers (Target)
- Capabilities: User, group, and share enumeration via non-standard RPC/protocol interactions over SMB or related services (CLDAP, Mailslot Ping, DsrGetDcNameEx2).
- First Seen: May 11, 2018 (Publication Date)
## MITRE ATT&CK Mapping
The primary goal is reconnaissance and information gathering before credential compromise.
- **TA0043 - Reconnaissance**
- **T1087 - Account Discovery**
  - T1087.002 - Domain Account
- **T1049 - System Network Connections Discovery** (Related endpoint interaction)
- **TA0003 - Persistence** (only if used to establish precursors for further access; the activity itself is primarily reconnaissance)
## Functionality
### Core Capabilities
The analysis focuses on three distinct techniques demonstrated via custom Python scripts (leveraging Scapy for packet construction):
1. **Mailslot Ping User Enumeration:** Checking for user existence by sending a specially crafted mailslot ping request (with the username encoded in UTF-16) to the Netlogon service and inspecting the server's response opcode: 0x17 (`LOGON_SAM_LOGON_RESPONSE_EX`) indicates a known user, whereas 0x19 (`LOGON_SAM_USER_UNKNOWN_EX`) indicates an unknown one.
2. **CLDAP Enumeration:** Using the Client LDAP interface (CLDAP) for enumeration, noted as the fastest technique observed.
3. **DsrGetDcNameEx2 Enumeration:** Utilizing the `DsrGetDcNameEx2` RPC call, which, unlike traditional methods, generated an anonymous logon entry in the security event logs.
### Advanced Features
* **Bypassing Traditional Failures:** The script methods were specifically developed because traditional NULL session enumeration tools like `rpcclient` failed to enumerate users on systems where the `smb-enum-users` NSE script succeeded, indicating deviations in how RPC calls are handled or interpreted across different tools/implementations.
* **Custom Packet Crafting:** Implementation required modifying Scapy structures and understanding the `NETLOGON_SAM_LOGON_REQUEST` format, including precise calculation of length fields and UTF-16 encoding.
* **Performance Insight:** Compares the enumeration speed of the three techniques: CLDAP (fastest), Mailslot (second), and DsrGetDcNameEx2 (third).
## Indicators of Compromise
Since these are PoC scripts that use native Windows functionality, traditional malware IOCs are largely absent; the useful indicators are in network traffic and system logs.
- File Hashes: N/A (the reference is to scripts on GitHub; the hashes in the source material describe the script files themselves and are not reproduced here).
- File Names: `UserEnum_NBS.py` (Example script name)
- Registry Keys: N/A
- Network Indicators: Enumeration traffic occurs over **SMB (TCP 445)** for the IPC$-related calls, and over the separate ports used by **CLDAP** and the mailslot ping.
- Behavioral Indicators:
  * Successful anonymous connection to the IPC$ share via SMB.
  * Execution of RPC calls used as alternatives to `QueryDisplayInfo` (for example `DsrGetDcNameEx2`).
  * For the DsrGetDcNameEx2 technique, generation of an anonymous logon event log entry containing the attacker's source IP address.
## Associated Threat Actors
* No specific threat actors are associated with the *discovery* of these techniques, as the work is attributed to the author (Reino Mostert) from SensePost, intended for penetration testing and security research purposes.
* However, the underlying techniques (NULL session exploitation, user enumeration) are common TTPs utilized by various threat groups during the initial reconnaissance phase.
## Detection Methods
* **Signature-based detection:** Difficult for custom scripts unless network signatures target the exact packet sequences generated by the CLDAP or Mailslot Ping methods.
* **Behavioral detection:** Monitoring for successful anonymous logins over SMB or excessive, rapid execution of non-standard RPC calls over known administrative shares or pipes.
* **YARA rules:** Not applicable for network traffic analysis described here.
* **Log Analysis:** Specifically look for Event Logs related to **anonymous logons** tied to the execution of the `DsrGetDcNameEx2` method.
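As an added example (not code from the post or from the `UserEnum` repository), the defender-side counterpart to the mailslot-ping technique described under Core Capabilities and to the behavioral detection bullets above: it parses the opcode and the UTF-16 `UserName` field of NETLOGON mailslot datagrams and flags a client that probes many distinct names and mostly receives `LOGON_SAM_USER_UNKNOWN_EX` (0x19) back. The event tuple shape, client addresses, thresholds and the sample datagrams are constructed assumptions; request fields after `UserName` are filled with placeholder values since the detector never reads them.

```python
import struct
from collections import defaultdict

# MS-ADTS NETLOGON mailslot opcodes: 16-bit little-endian at offset 0 of the mailslot data.
LOGON_SAM_LOGON_REQUEST = 0x0012
LOGON_SAM_LOGON_RESPONSE_EX = 0x0017  # DC recognises the user
LOGON_SAM_USER_UNKNOWN_EX = 0x0019    # DC does not know the user

def _utf16z(buf, off):
    """Read a null-terminated UTF-16LE string at off; return (text, offset past the terminator)."""
    end = next((i for i in range(off, len(buf) - 1, 2) if buf[i:i + 2] == b"\x00\x00"), None)
    if end is None:
        raise ValueError("unterminated UTF-16 string")
    return buf[off:end].decode("utf-16-le"), end + 2

def request_username(payload):
    """UserName of a NETLOGON_SAM_LOGON_REQUEST, or None if the opcode is something else."""
    if struct.unpack_from("<H", payload, 0)[0] != LOGON_SAM_LOGON_REQUEST:
        return None
    _computer, off = _utf16z(payload, 4)  # skip Opcode + RequestCount, then UnicodeComputerName
    return _utf16z(payload, off)[0]

def response_opcode(payload):
    return struct.unpack_from("<H", payload, 0)[0]

def flag_enumeration(events, min_users=5, unknown_ratio=0.8):
    """events: (client_ip, 'req'|'rsp', mailslot_data) -> {ip: (distinct_users, unknown, total)}
    for clients that probe many distinct names and mostly get LOGON_SAM_USER_UNKNOWN_EX back."""
    users, counts = defaultdict(set), defaultdict(lambda: [0, 0])  # counts: [unknown, total]
    for client, direction, data in events:
        if direction == "req":
            name = request_username(data)
            if name is not None:
                users[client].add(name.lower())
        elif response_opcode(data) in (LOGON_SAM_LOGON_RESPONSE_EX, LOGON_SAM_USER_UNKNOWN_EX):
            counts[client][1] += 1
            counts[client][0] += int(response_opcode(data) == LOGON_SAM_USER_UNKNOWN_EX)
    return {c: (len(n), *counts[c]) for c, n in users.items()
            if len(n) >= min_users and counts[c][1] and counts[c][0] / counts[c][1] >= unknown_ratio}

def _req(user, computer="WKSTN"):  # constructed fixture, not captured traffic
    names = (computer + "\0").encode("utf-16-le") + (user + "\0").encode("utf-16-le")
    tail = b"\\MAILSLOT\\NET\\GETDC000\0" + struct.pack("<IIIHH", 0, 0, 1, 0xFFFF, 0xFFFF)  # placeholders
    return struct.pack("<HH", LOGON_SAM_LOGON_REQUEST, 0) + names + tail
def _rsp(opcode):  # constructed fixture: only the opcode matters to the detector
    return struct.pack("<HH", opcode, 0) + b"\0" * 8
SAMPLE_EVENTS = [("10.0.0.9", "req", _req("wkstn9$", "WKSTN9")), ("10.0.0.9", "rsp", _rsp(LOGON_SAM_LOGON_RESPONSE_EX))]
for n in ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]:  # one source sweeping names
    SAMPLE_EVENTS.append(("10.0.0.5", "req", _req(n)))
    SAMPLE_EVENTS.append(("10.0.0.5", "rsp", _rsp(LOGON_SAM_LOGON_RESPONSE_EX if n == "alice" else LOGON_SAM_USER_UNKNOWN_EX)))
```

Running `flag_enumeration(SAMPLE_EVENTS)` reports only the sweeping client; the workstation that looks up its own account once is left alone, which is the baseline noise a real feed will contain.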
## Mitigation Strategies
The primary mitigation involves disabling or restricting the underlying vulnerability (anonymously accessing SMB/IPC$ services).
* **Disable/Restrict NULL Sessions:** Configuration changes on Windows systems to prevent anonymous access to SMB shares used for enumeration (historical best practice, though effectiveness varies based on OS version and configuration).
* **Restrict SMB Access:** Limit which hosts can connect to SMB ports (TCP 445) via host-based or network firewalls.
* **Network Segmentation:** Isolate Domain Controllers to limit the scope of lateral reconnaissance.
* **Principle of Least Privilege:** Ensure that directory information is only obtainable through authenticated access that requires appropriate privileges, since these techniques *bypass* that requirement.
## Related Tools/Techniques
* **rpcclient:** Explicitly mentioned as a tool whose standard implementation failed to yield results where the new scripts succeeded.
* **enum4linux & ridenum:** Tools that traditionally rely on the same underlying protocols/RPCs for enumeration.
* **Nmap smb-enum-users NSE script:** Used as a baseline comparison against which the test system's behavior was validated.
* **NULL Session Vulnerability:** The foundational concept these scripts build on, working around the limitations of the traditional approach.