Full Report
If you have been doing internal assessments on Active Directory infrastructure you may have heard the following words: “Null session”, “Guest session” and “Anonymous session”. These words describe techniques that can be used against Windows servers to connect to resources and obtain information about a computer or about Active Directory objects such as users, or to list the SMB shares you have access to. Even though these techniques are well known, I realised that people, including myself, didn’t understand them completely. This got me wanting to understand them better, hence this blog post :)!
Analysis Summary
# Tool/Technique: Guest Authentication / Null Session (Anonymous Authentication)
## Overview
This summary covers two distinct but related information disclosure and access techniques on Windows and Active Directory environments: **Guest Authentication** and **Null Session (Anonymous Authentication)**. Both techniques allow attackers to gather information or access resources without providing valid credentials, often due to misconfigurations or legacy permissions.
## Technical Details
- Type: Technique
- Platform: Windows Server, Active Directory
- Capabilities: Information disclosure (user enumeration, policy details), potential for resource access (SMB shares), and coercion attacks.
- First Seen: Legacy techniques, extensively documented dating back to earlier Windows versions.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1133 - External Remote Services (applicable if accessing network shares externally)
- **TA0003 - Persistence** (less direct, but persistent access via misconfigured service accounts)
- **TA0009 - Collection**
  - T1087.002 - Account Discovery: Domain Account
  - T1018 - Remote System Discovery
- **TA0011 - Command and Control** (via coercion attacks like PrinterBug)
## Functionality
### Core Capabilities
* **Guest Authentication:** Relies on the presence and enablement of the *Guest Account* (either local or domain). Invalid or null credentials submitted during an SMB connection can implicitly fall back to this valid guest account, granting baseline resource access (e.g., listing SMB shares).
* **Null Session/Anonymous Authentication:** Relies on the built-in `Anonymous Logon` security principal (SID S-1-5-7) having permissions, often via membership or direct ACEs on the `Pre-Windows 2000 Compatible Access` group or related objects. This allows enumeration of domain users, password policy details, and other configuration data by accessing the **SAMR named pipe** remotely.
### Advanced Features
* **Implicit Fallback:** The Windows SMB service can transparently fall back from an invalid user attempt to the Domain or Local Guest account if the latter is enabled.
* **Coercion Attacks:** Once authenticated anonymously or via guest access, an attacker can leverage services (like unauthenticated printer connections) to force a target machine to authenticate back to an attacker-controlled server (e.g., using techniques like `printerbug`).
## Indicators of Compromise
- File Hashes: N/A (Technique-based, not a single malware binary)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Connection attempts to SMB (port 445) or named pipes (`svcctl`, `samr`) using blank or non-existent credentials.
- Behavioral Indicators:
  * Successful SMB connection initiation without explicit credentials.
  * Successful enumeration queries (user lists, share listings) following a null/guest negotiation.
  * Traffic indicating an attempt to contact RPC endpoints associated with SAMR remote calls.
## Associated Threat Actors
This is a description of fundamental Windows/AD misconfigurations. Any threat actor with basic reconnaissance skills or specialized tools (like those used in the article) can leverage these techniques.
## Detection Methods
- Signature-based detection: Generally ineffective as legitimate protocols are used.
- Behavioral detection: Monitoring for processes (like NetExec or native SMB clients) initiating connections using empty user/password fields against network targets. Monitoring for remote SAMR pipe enumeration attempts.
- YARA rules: N/A
## Mitigation Strategies
- **Disable Guest Accounts:** Ensure both the Domain Guest account and all Local Guest accounts (especially on domain controllers or critical member servers) are disabled.
- **Review Anonymous Permissions:** Critically examine the Access Control Lists (ACLs) on Active Directory objects, particularly checking which permissions are granted to the **`Anonymous Logon`** group/SID, and remove permissions that allow remote SAMR calls.
- **Restrict Pre-Windows 2000 Compatible Access:** Ensure the `Pre-Windows 2000 Compatible Access` group only contains necessary accounts, or ideally, restrict its permissions if legacy compatibility is not required.
- **SMB Configuration:** Enforce SMB Signing to protect against potential man-in-the-middle or replay attacks related to authentication downgrades.
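The following PowerShell is an added example, not code from the original post, that audits the four mitigation points above from a domain-joined Windows host. It assumes the ActiveDirectory RSAT module is installed, that the running account can read the domain, and uses the `AD:` drive that module creates; the strings it emits are the audit's own wording.

```powershell
# Added example: audit guest / null-session exposure described in the mitigation list.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined host.
Import-Module ActiveDirectory

$findings = @()

# 1. Domain Guest account should be disabled.
$domainGuest = Get-ADUser -Filter 'SamAccountName -eq "Guest"' -Properties Enabled
if ($domainGuest -and $domainGuest.Enabled) { $findings += "Domain Guest account is ENABLED" }

# 2. Local Guest account on this host should be disabled.
#    Get-LocalUser is unavailable on a domain controller (no local SAM); that is expected.
try {
    $localGuest = Get-LocalUser -Name Guest -ErrorAction Stop
    if ($localGuest.Enabled) { $findings += "Local Guest account is ENABLED on $env:COMPUTERNAME" }
} catch {
    Write-Verbose "No local SAM on this host (likely a domain controller)"
}

# 3. Pre-Windows 2000 Compatible Access should not contain Anonymous Logon (S-1-5-7)
#    or Everyone (S-1-1-0). Read the raw 'member' attribute because Get-ADGroupMember
#    cannot resolve foreign security principals; their DNs start with CN=<SID>.
$pre2k = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
foreach ($dn in $pre2k.member) {
    if ($dn -match '^CN=S-1-5-7,') { $findings += "Anonymous Logon is in Pre-Windows 2000 Compatible Access" }
    if ($dn -match '^CN=S-1-1-0,') { $findings += "Everyone is in Pre-Windows 2000 Compatible Access" }
}

# 4. Anonymous Logon should hold no explicit ACEs on the domain head object.
$domainDn = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDn"
$anonAces = $acl.Access | Where-Object { $_.IdentityReference -eq 'NT AUTHORITY\ANONYMOUS LOGON' }
foreach ($ace in $anonAces) {
    $findings += "Anonymous Logon ACE on ${domainDn}: $($ace.ActiveDirectoryRights) ($($ace.AccessControlType))"
}

# 5. SMB server signing should be required, not merely enabled.
$smb = Get-SmbServerConfiguration
if (-not $smb.RequireSecuritySignature) { $findings += "SMB signing is not required on $env:COMPUTERNAME" }

if ($findings.Count -eq 0) { "No guest / null-session findings" } else { $findings }
```

Run it on a domain controller for points 1, 3 and 4 and on each member server for points 2 and 5; a clean run prints a single line, otherwise one line per finding.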
## Related Tools/Techniques
- **NetExec:** Used in the article to demonstrate the exploitation.
- **PrinterBug/Responder:** Tools and techniques used to exploit services authenticated via null sessions/guest access for credential harvesting via coercion.