Details About NULL Sessions

     This page is a detailed explanation for programmatically
     connecting to NT Server NULL Sessions and extracting the name of
     the true administrator account. Even non-programmer Admins should
     read through this and become familiar with the API's explained in
     order to better understand the NT environment and recognize code
     that might be used against them.

     The original purpose of NULL sessions is to allow unauthenticated
     hosts to obtain browse lists from NT servers and participate in MS
     networking. Mostly this is useful for Win95/98/NT hosts who are
     not domain members, but still need to obtain browsing information.

     The problem occurs in cases where a NULL session becomes included
     in the everyone group and now has access to resources to which
     they weren't authenticated, but that the authenticated group had
     permissions for. Originally, 'everyone' did not mean 'anyone'. You
     still had to log on to be in the everyone group. however, NULL
     Sessions are the one case where 'everyone' could mean 'anyone'.
     This is the reason MS created the *NEW* Authenticated group. The
     Authenticated group does not include NULL Sessions and so can
     never mean 'anyone' - until someone finds an exploit.

     The following code segments are commented to show exactly what is
     happening, what API's are being used, and how the true
     administrator name can be identified.

     First - making a  NULL Session connection

     One way to this is by using the Net Use command with an empty
     password. Programmatically, it looks like this....

     //This function called from dialog that fills listbox with
     connections

     BOOL EstablishNullSession(CString TargetHost, CNTOHunterDlg* pDlg)
     {
     //Setup for UNICODE
     char* pTemp = TargetHost.GetBuffer(256);
     WCHAR wszServ[256];
     LPWSTR Server = NULL;

     //Convert to Unicode
     MultiByteToWideChar(CP_ACP, 0, pTemp,
                             strlen(pTemp)+1, wszServ,
                             sizeof(wszServ)/sizeof(wszServ[0]) );

     //Create the IPC$ share connection string we need
     Server = wszServ;

     LPCWSTR szIpc = L"\\IPC$";
     WCHAR RemoteResource[UNCLEN + 5 + 1]; // UNC len + \IPC$ + NULL
     DWORD dwServNameLen;
     DWORD dwRC;

     //Setup Win32 structures and variables we need
     NET_API_STATUS nas;

     USE_INFO_2 ui2;
     SHARE_INFO_1* pSHInfo1 = NULL;
     DWORD            dwEntriesRead;
     DWORD            dwTotalEntries;

     //Set up handles to tree control to insert connection results

     HTREEITEM machineRoot, shareRoot, userRoot, adminRoot, attribRoot;

     char sharename[256];
     char remark[256];

     if(Server == NULL || *Server == L'\0')
     {
     SetLastError(ERROR_INVALID_COMPUTERNAME);
     return FALSE;
     }

     dwServNameLen = lstrlenW( Server );

     //Test for various errors in connection string and recover
     if(Server[0] != L'\\' && Server[1] != L'\\')
     {
     // prepend slashes and NULL terminate
     RemoteResource[0] = L'\\';
     RemoteResource[1] = L'\\';
     RemoteResource[2] = L'\0';
     }
     else
     {
     dwServNameLen -= 2; // drop slashes from count
     RemoteResource[0] = L'\0';
     }

     if(dwServNameLen > CNLEN)
     {
     SetLastError(ERROR_INVALID_COMPUTERNAME);
     return FALSE;
     }

     if(lstrcatW(RemoteResource, Server) == NULL) return FALSE;
     if(lstrcatW(RemoteResource, szIpc) == NULL) return FALSE;
     //Start with clean memory
     ZeroMemory(&ui2, sizeof(ui2));
     //Fill in the Win32 network structure we need to use connect API
     ui2.ui2_local = NULL;
     ui2.ui2_remote = (LPTSTR) RemoteResource;
     ui2.ui2_asg_type = USE_IPC;
     ui2.ui2_password = (LPTSTR) L""; //SET PASSWORD TO NULL
             ui2.ui2_username = (LPTSTR) L"";
             ui2.ui2_domainname = (LPTSTR) L"";

     //MAKE THE NULL SESSION CALL
     nas = NetUseAdd(NULL, 2, (LPBYTE)&ui2, NULL);

             dwRC = GetLastError();
             if( nas == NERR_Success )
             {
                 machineRoot = pDlg->m_Victims.InsertItem(TargetHost,
     0, 0,

     TVI_ROOT);
             }

     //THIS IS WHERE NT HANDS OUT IT INFORMATION
     nas = NetShareEnum((char*)Server, 1, (LPBYTE*)&pSHInfo1,
                             MAX_PREFERRED_LENGTH,
                             &dwEntriesRead,
                             &dwTotalEntries, NULL);

             dwRC = GetLastError();
             if( nas == NERR_Success )
             {
                 if(dwTotalEntries > 0)
                 {
                     shareRoot = pDlg->m_Victims.InsertItem("Shares",

     machineRoot,TVI_LAST);
                     userRoot = pDlg->m_Victims.InsertItem("Users",

     machineRoot,TVI_LAST);
                     adminRoot = pDlg->m_Victims.InsertItem("Admin",

     machineRoot,TVI_LAST);

                 }
                 for(int x=0; x<(int)dwTotalEntries; x++)
                 {
                     // Convert back to ANSI
                     WideCharToMultiByte(CP_ACP, 0, (const unsigned

     short*)pSHInfo1->shi1_netname, -1,
                                                     sharename, 256,
     NULL, NULL );

                     WideCharToMultiByte( CP_ACP, 0, (const unsigned

     short*)pSHInfo1->shi1_remark, -1,
                                                     remark, 256, NULL,
     NULL );
                     CString ShareDetails = sharename;
                     ShareDetails = ShareDetails + " - " + remark;
                     //fill the tree with connect info
                     attribRoot =
     pDlg->m_Victims.InsertItem(ShareDetails,

     shareRoot,TVI_LAST);
                     pSHInfo1++;
                 }
             }

             //My Wrapper function for listing users - see below
             DoNetUserEnum(Server, pDlg, userRoot, adminRoot);

     //WE ARE DONE, SO KILL THE CONNECTION
     nas = NetUseDel(NULL, (LPTSTR) RemoteResource, 0);

     TargetHost.ReleaseBuffer();
     SetLastError( nas );
     return FALSE;
     }

     The following function is how one can programmatically determine
     the administrator status of an account......

     bool GetAdmin(char* pServer, char* pUser, CString& Name)
     {
         BOOL fAdmin = FALSE;
         DWORD dwDomainName,dwSize,dwAdminVal;
         SID_NAME_USE use;
         PSID pUserSID = NULL; // SID for user
         int rc;
         int iSubCount;

         bool bFoundHim = 0;
         dwDomainName = 256;
         dwSize = 0;
         dwAdminVal = 0;
         iSubCount = 0;

         //Call API for buffer size since we don't know size beforehand
         rc = LookupAccountName(pServer,
                         pUser, pUserSID,
                         &dwSize, szDomainName,
                         &dwDomainName, &use );
         rc = GetLastError();

                 //Allocate a larger buffer
                 if(rc == ERROR_INSUFFICIENT_BUFFER)
                 {
                     pUserSID = (PSID) malloc(dwSize);

             //Repeat call now that we have the right size buffer
                     rc = LookupAccountName(pServer,
                                         pUser, pUserSID,
                                         &dwSize, szDomainName,
                                         &dwDomainName, &use );
                 }

     //Scan the SIDS for the golden key - ADMIN == 500

     //Get a count of SID's
     iSubCount = (int)*(GetSidSubAuthorityCount(pUserSID));
     //Admin SID is the last element in the count
     dwAdminVal = *(GetSidSubAuthority(pUserSID, iSubCount-1));

     if(dwAdminVal==500) //TEST TO SEE IF THIS IS THE ADMIN
         {
             Name.Format("Admin is %s\\%s\n", szDomainName, pUser);
             bFoundHim = true;
         }

         delete pUserSID;
         return bFoundHim; //WE KNOW WHO HE IS, ADD HIM TO THE TREE
     }



     Wrapper for Listing the user accounts.....

     void DoNetUserEnum(const wchar_t* pServer, CNTOHunterDlg* pDlg,
                                      HTREEITEM userRoot, HTREEITEM
     adminRoot)
     {
         USER_INFO_10 *pUserbuf, *pCurUser;
         DWORD dwRead, dwRemaining, dwResume, dwRC;

         char userName[256];
         char userServer[256];

         dwResume = 0;

                 if(pServer[0] != L'\\' && pServer[1] != L'\\')
                 {
                     //Start sting with correct UNC slashes and NULL
     terminate
                     RemoteResource[0] = L'\\';
                     RemoteResource[1] = L'\\';
                     RemoteResource[2] = L'\0';
                 }
                 else
                 {
                     dwServNameLen -= 2; // drop slashes from count

                     RemoteResource[0] = L'\0';
                 }

                 if(dwServNameLen > CNLEN)
                 {
                     SetLastError(ERROR_INVALID_COMPUTERNAME);
                     return;
                 }

                 if(lstrcatW(RemoteResource, pServer) == NULL) return;

         do
         {

             pUserbuf = NULL;

     //THIS IS THE API THE NT USES TO HAND OUT IT's LIST
             dwRC = NetUserEnum(RemoteResource, 10, 0, (BYTE**)
                                              &pUserbuf, 1024,
                                             &dwRead, &dwRemaining,
     &dwResume);
             if (dwRC != ERROR_MORE_DATA && dwRC != ERROR_SUCCESS)
                 break;

             DWORD i;
             for(i = 0, pCurUser = pUserbuf; i < dwRead; ++i,
     ++pCurUser)
             {

                     // Convert back to ANSI.
                     WideCharToMultiByte( CP_ACP, 0,
     pCurUser->usri10_name,
                                                      -1, userName,
     256, NULL, NULL );
                     // Convert back to ANSI.
                     WideCharToMultiByte( CP_ACP, 0, pServer, -1,
                             userServer, 256, NULL, NULL );

     if(!GotAdmin)
             {
             //use char strings
             CString Admin;
             GotAdmin = GetAdmin(userServer, userName, Admin);
             if(GotAdmin)
             {
                 Admin.TrimRight();
                 HTREEITEM adminChild =
     pDlg->m_Victims.InsertItem(Admin,

     adminRoot, TVI_LAST);
                 pDlg->m_Victims.EnsureVisible(adminChild);
             }
             }

             CString strUserName = userName;
             pDlg->m_Victims.InsertItem(strUserName, userRoot,
     TVI_LAST);

             }
             if (pUserbuf != NULL)
                 NetApiBufferFree(pUserbuf);
         } while (dwRC == ERROR_MORE_DATA);

         if (dwRC != ERROR_SUCCESS)
             printf("NUE() returned %lu\n", dwRC);
     }



  Send mail to info@ntobjectives.com with questions or comments about this
                                  document.
         Copyright © 1999 NT OBJECTives, Inc.   All Rights Reserved.
         All trademarks are the property of their respective owners.
                        Last modified: June 28, 1999