I'm Tim Mullen, and like we talked about a little earlier, we're going to be talking about RestrictAnonymous enumeration and the null user. Of course, the first question that comes up is: what is a null user? Why do we need one? Why do we have one? Why is NT set up to accept one? Well, the null user, some people call it the anonymous user, is a special built-in user account on all the NT boxes out there, 4.0, Win2K; it lives and breathes. It's an account with no username and no password. You can't do anything about that, okay? You can't change it, you can't rename it, you can't do anything, because it has no username and no password; it has no credentials. Back in the day of NT 4.0, if you had a box that was part of a domain structure, when that guy boots up, he's going to initiate a secure channel on the network, talk to a domain controller and say, hey, am I part of this domain or not? That connection is established over null credentials, initially. No username, no password, bang, talks to the domain controller, says, hey, am I part of this domain? Yes or no? If you keep an NT box from using that connection, he will not authenticate. He won't even join the domain. It'll say no domain controller was found. It's also used in... I wish I had more stuff; I like to be an evangelist and come out. It's used when, remember multi-domain structures? You have some trust domains over here, and like, I'll trust these guys but they won't trust me, or normally they trust me but I don't trust them, right? If they were going to grant me access to their resources, well, they need to be able to grab a list of usernames to grant access to. Because I don't trust them, the way that they make a connection to enumerate what users they can set on their resources, that's also done with null credentials. Ooh, air conditioning. Could you stay right there? Thanks. Got a cool wind blowing in here. And SMS, some of the third-party Microsoft apps, also use that for discovery.
Whenever the SMS service goes out and wants to see what's on the box and who he is and what he's running, that initial connection to enumerate shares and all that stuff is done as a null user as well. So I mean, this guy really has some uses. All right, so who cares? I mean, everybody's heard of RestrictAnonymous and the null user and blah, blah, blah. It can actually be a substantial hole that evil hackers can use to enumerate information on your network. Say who? Yes, no passwords, though. What was the other one? Comment fields? Oh, yeah, passwords and comment fields. I mean, I would just shoot people and light them on fire if they did that. Because if you light them on fire and then shoot them, then it's over too quick. The way that you can do this, this has been in Hacking Exposed and all that stuff, you can use the net command line in NT: net use, server name, slash IPC, the inter-process communications resource, it's always there, IPC dollar sign, quote, quote, space, whack, user, colon, quote, quote. And what that does is implicitly set up a null session. You're using that resource, the IPC resource, with no username and no password. Well, there's programs out there, DumpACL, that's called what, DumpSec now. Back in the old days, it was DumpACL and it's kind of stuck with me. I should change it. That guy uses the null user to enumerate all kinds of information: the modals, your policy information, what the guy can do, what the guy can't do, the shares that are on the machine, all the usernames, the groups, all of that stuff can be done. Hey, look at there, groups, services; the services you have running can be enumerated in that manner as well. All kinds of information that I can use to footprint your network as an anonymous user. So let me do a quick little demo here. Part of the problem with being in the middle of doing Jägermeister shots and someone asks you to do a presentation is that some stuff is not always set up.
Now, I'm going to see, let me get a little VMware session; VMware is cool. So for those of you that don't know, what I'm doing is I'm actually instantiating a completely separate machine on the same machine. So inside of my active window here, I've got a Windows 2000 machine that's running, that's got RA set to one, RestrictAnonymous set to one. I'll talk about that in just a second. And he's running here. And what I can do is from here, can you all see that? I made it big and yellow. So I actually thought about that. Just to show you I have connectivity, what is it, 190? Just to show you I have connectivity, did I tell you about my wife yet? So as you can see, my VMware session is working beautifully. I actually need to wait a second. It's a Win2K. It's still loading up the, as you can imagine, a virtual disk. Loading up an install of Win2K is a little big. So I'm going to try this one more time and not look like an idiot, hopefully, well, other than the GIA, the whatever, I can't think that quick. And there was much rejoicing. Thank you. Thank you. Goodbye. Always leave on a high note. All right. So what I'm going to do is I'm going to run this DumpSec program. Who's familiar with it? Oh, come on. Who's familiar with it? Where's your hand anyway? Okay. So what DumpSec does, and I'm just going to run it against my own box because my NT 4.0 box doesn't seem to be working very well. I made this kind of big too. So what I'm going to do is, now in real life, this isn't how we would do it. We would do a net use against the target box; once we have that net use and that null session established, then we come back here and tell it to select the computer. I'm just going to use my own, you know, why didn't it do 10.1 to 1 to 1? Okay. Now the only reason that worked is because I'm authenticated on my own machine. If I wasn't authenticated, it would come up and say, who are you? Go away.
If I had done a net use, then it would also have established a connection here. So what I'm going to do is I'm going to dump users as a column. Do I want to do that on my own machine in front of all of you people? Okay. If none of you figured out that my username was Thor, then you don't deserve to be here anyway. So you can see I've got my IWAM user account and all these other, just a couple of users on this box. All right. So this is what DumpSec does. So what I'm going to do now is I've established that connection. We saw that I have connectivity with this box, registry settings. Oh, come on. Okay. So this was a problem at one point. Okay. Let's kind of jump back to where we were. Null users are out there. I can enumerate all this information. So everybody gets pissed off at Microsoft, right? So, and still are. The dev crew decided to introduce this new key, the new value, actually, inside the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key. You create a value called RestrictAnonymous, DWORD, and you set it to one. So what that does is supposedly make some API checks whenever these API calls are being made. It checks the context that the user is in, and if they're anonymous, it keeps them from doing that. It was meant to stop null session enumeration, and back in the days of the C2 specification, which was the highest level of security a business could attain, right? Because the C2 audit, it could pass a C2 audit. It was required for that. So this key being required for C2 made it seem pretty important. I mean, it gave it a lot of credential. It gave it some validity. But there's some problems here. So I'm going to show you that, hopefully. So I'm going to, first, establish a null session to my NT 2000 box. Note that this box has RestrictAnonymous set to one. I can show you if you want, but, you know, let's start the trust model off right here. That's right. It is Vegas. You want to see it? Well, I'm not going to show you. Okay, good grief.
We really want to see that it's set to one. Thank you. Thank you. See, we only got 15 minutes. Yay. So I'm going to do a net use, whack, whack, about a bing, about a bang, IPC dollar sign. It's wrapping, so no password. The password comes first in this context. I don't know why. User, whack, whack, or bang, bang, whatever you want to call it. The command completed successfully. Oh, wait. The command completed successfully. Okay. Oh, and I'm sorry. Hey, man, that thing is cool. My kids love it. Huh? Oh, yeah, yeah. If you have a cat and don't have a laser pointer, you have no life. I mean, little Yeager, the laser pointer, the cat. Okay. So you'll notice that it completed successfully, even though we've told it not to let us use a null session. Well, it's not really what we told it. We told it to restrict what an anonymous user can do. So I can still link up to that guy. However, let's go to my desktop, go back to DumpSec, select that computer, bang. So it blows up saying error in processing, NetServerGetInfo, status 5; it dies. Now I got sucked into this back in the day. Back when RestrictAnonymous came in, you know, I don't trust anything, right? Besides, we all have our development things that we test everything on first. Then we put it all into production. So I set RA=1, ran DumpSec, or DumpACL in this case; it died. I was happy. I said, great, that works. So let's go over why there are some problems. I got to talking to somebody on the SecurityFocus newsgroup; we were going back and forth about some different things that you could do. And the point made was that down here, if you look, user2sid and sid2user, who's familiar with that program? Real old. I'm used to bars doing that, right? It's two o'clock and they shut the lights off. That program still works with RestrictAnonymous set to one, and that got us talking about why.
So I started doing a bunch of research, started testing different API calls that one could make under the context of a null user. And came to find out that we had a bunch of them that we could do. When you set RA=1, it goes out there and says, okay, NetServerGetInfo, remember that's the first thing that DumpACL died on. We set an ACL on that. If you're the null user, it dies. You can't run it. You can't do NetUserEnum, which enumerates users. You can't get the users in a group. You can't get the shares. You can't get the modals. user2sid and sid2user work because they use these two API calls called LookupAccountName and LookupAccountSid. It's kind of a cheesy little program, but it works. You basically say, look up the account name for a given SID and it tells you the name of that account. Or tell it to look up the SID of a username and it gives you its SID. So if you can connect up to a box, you can say, LookupAccountSid Guest. Well, we know Guest lives on that box, right? We know it's called Guest. They can't rename it. They can't delete it. We know that the name Guest is a valid, that's actually a group, valid group on that box. So if we do a LookupAccountSid Guest, bang, we get the fully qualified SID for that domain. Well, we know that all they've done is taken the RID, which is the last portion of your SID, the last sub-authority. And all we have to do is put a 500 on that. Take off the Guest, put a 500, resubmit that entire SID, and it tells us the name of the administrator account, right? Because 500 is always the administrator. So we can always tell. Who renames your administrator account? Right. It doesn't really matter, because all we have to do is say, well, LookupAccountSid, bang, 500, I know what the name of your administrator is, just like that. You can't stop us from doing that, okay? And that's old. However, in addition, there are some that don't have proper ACLs put on them. One of them is NetServerTransportEnum.
That enumerates the transports in use on a box, which can be kind of cool. Back in NT4, whenever you had a RAS device, it had a really nice name for the transport called RAS. So you could enumerate a subnet as an anonymous user, find out all the transports: if they're running IP, IPX, NetBEUI, RAS devices, all of this stuff, and you know that people have RAS devices on their network, which is not real good, right? Rogue RAS devices lurking in the dark. NetUserGetInfo also doesn't have any, and that's my favorite. NetUserGetInfo has a couple of different levels that can be called. Level zero gives you the username. Level one gives you the age of the account, the home directory. Level two gives you even more stuff. And level three, I call it pay dirt, gives you everything. The password age, the RID, the privileges, the role privileges of that account, user flags, all of this extended information. You have to parse it out. The flag comes back as a DWORD, though. So you have to parse that out, and it's a little arduous to do so. But I went ahead and did it. It was like four or five White Russians, and I was done. And it works on Windows 2000. So let me show you that. So we've got my null session established. We saw how DumpACL failed. Hopefully whoever wrote that's not in the... I'm going to get you, you bastard. Okay. We've got six minutes. I'll talk quickly. So, UserInfo. The way UserInfo works is you have to submit a name. To get the name, you need the SID, the full SID, in order to be able to provide it with the... You need to provide it with a SID. So I'm going to say UserInfo, whack whack, 192.168.5.190, and let's give it administrator. Did I spell it right? I'm used to doing it with two hands. Bang. So here's what UserInfo is going to give us. Now what's the cheesy part about UserInfo? You've got to know the name of an account. That kind of stinks. I mean, you're not going to guess B. Jones to see if it's a valid account.
But this is a way to see if it's really the administrator. See the user ID? We know that that's really the administrator, because its RID is 500. We know that somebody hasn't created this account called administrator; they renamed the real administrator, they have an account called administrator, and they're trying to screw with us. So if we try to log in, they know that we're trying to get in. We see the password age. We don't have any of these system flags, but what the system flags are going to tell us is if this person is an administrator. Actually, I'm sorry, that's going to be under the operator privs. You kicking me out? I got six minutes, right? Okay, right. So here we've got the miscellaneous info and all this other crap, and I even have this neat little graph. You know, this was the hardest part about writing the entire program, was getting these stupid little ones and zeros for the hours that they could log on, and for you on this side. Okay. So the problem here is that UserInfo has to be presented with a name. You have to know the name of the account. So we got to thinking, well, we know LookupAccountSid and LookupAccountName work. We know UserInfo works. So what we're going to do is write another program called UserDump, and we're going to combine LookupAccountName, LookupAccountSid, and NetUserGetInfo into one program to kind of create a SID walker. We'll provide it with an account that we know exists, and in my example I'm going to do, I'm running Guest; what it's going to do is look up the account SID, and it's going to start at 500. This thing is going to increment its way up from there and then dump the SID back out to it to get the name and then dump that name into NetUserGetInfo. So what we can do, I'm going to give it 1,000. There's some similar programs that after 20 dead entries die, and I don't think that that's right, because we can delete massive amounts of users and then add them again, and of course the RIDs increment.
So in a single command line, I'm going to execute this guy, and so what we see going by on my Windows 2000 machine is every user, their privileges, if they're account operators, if they're server operators, if they're administrators or not, if their passwords never expire, if they have to have a smart card to log on, what their logon hours are. Everything that we need to know, the last time they changed the password, and I guess these guys don't exist, and it's going to go up to 1,900. So we can dump all that information out to a text file, and we already have a beautiful map of all of the users on that domain. And it's all been done using a null user account, even when we've specifically said to restrict access to that information. Ta-da! Can I have 60 seconds? Yeah! No! Now, there's one additional program I don't have here, and we don't have time to show it to you. It's called TSEnum. It's on the Hammer of God website. If you're interested in enumerating machines, it's a new method that we've been... Erik Birkholz, Clinton Mugge, the guys at Foundstone, like to hide their terminal servers. That way you don't know they're there, and that's a bad thing, because terminal servers can be really dangerous. If one of your users hides a terminal server on your network, it can open up some bad things. So what this program does, if you're interested in it, it's called TSEnum. You can go to the website and download it. It will... You specify a target. You say TSEnum, that guy. What that guy will do is ask its master browser, what machines can you see on this network? It will then tunnel that information back to me. You can use that as an anonymous user. So a buddy of mine tested it on one of his resource domains, and in two seconds got 598 machines. It tells you the type of machine, if it's a domain controller, if it's a SQL server, if it's a terminal server; all of that information is registered with the master browser when the machine boots up, right?
He boots up to the master browser and says, hey, I'm on the network, and I happen to be a SQL server and a terminal server and a domain controller. Thank you very much. So then you can download all that information as well. So they're kicking me out of here. Thanks very much. Thanks for putting up with me.
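As an added example, not the speaker's UserInfo or UserDump code and not anything from the Hammer of God site, here is a Python decoder for the level-3 fields the talk says are arduous to parse: the usri3_flags DWORD, the operator rights, the privilege level and the 21-byte logon-hours bitmap, plus the RID check that identifies the built-in Administrator by RID 500 whatever it has been renamed to. On the defensive side this is the same decode an auditor needs to read account dumps from their own domain and spot a renamed built-in Administrator, a password that never expires, or an account that can log on at 3 a.m. on a Sunday. The record is constructed inline with made-up SID and account name; the dictionary keys mirror the USER_INFO_3 structure field names, and the UF_*, AF_OP_* and USER_PRIV_* constants are the documented lmaccess.h values.

```python
"""Decode the USER_INFO_3 (NetUserGetInfo level 3) fields the talk calls
arduous to parse by hand.  Added example; the sample record is constructed
inline and nothing is queried over the network."""

# usri3_flags bits (UF_* from lmaccess.h)
UF_NAMES = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000200: "NORMAL_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWD",
    0x00040000: "SMARTCARD_REQUIRED",
}
# usri3_auth_flags bits (AF_OP_*): the "operator privs" the talk mentions
AF_NAMES = {0x1: "OP_PRINT", 0x2: "OP_COMM", 0x4: "OP_SERVER", 0x8: "OP_ACCOUNTS"}
# usri3_priv values (USER_PRIV_GUEST / USER / ADMIN)
PRIV_NAMES = {0: "guest", 1: "user", 2: "admin"}
# RIDs that stay fixed no matter what the account has been renamed to
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
}
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


def decode_bits(value, names):
    """Names of the set bits in a DWORD, lowest bit first."""
    return [name for bit, name in sorted(names.items()) if value & bit]


def rid_from_sid(sid):
    """Last sub-authority of a textual SID: S-1-5-21-a-b-c-500 -> 500."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])


def decode_logon_hours(bitmap):
    """21-byte usri3_logon_hours bitmap -> {day: 24-char '1'/'0' string}.
    Bit i covers hour i of the week, counted from Sunday 00:00 (GMT), and
    bits are packed least-significant first within each byte."""
    if len(bitmap) != 21:
        raise ValueError("logon-hours bitmap must be 168 bits / 21 bytes")
    table = {}
    for d, day in enumerate(DAYS):
        hours = []
        for h in range(24):
            i = d * 24 + h
            hours.append("1" if (bitmap[i >> 3] >> (i & 7)) & 1 else "0")
        table[day] = "".join(hours)
    return table


def summarize(record):
    """Human-readable summary of one USER_INFO_3-shaped dict."""
    rid = record["usri3_user_id"]
    return {
        "name": record["usri3_name"],
        "rid": rid,
        "well_known": WELL_KNOWN_RIDS.get(rid),
        "priv": PRIV_NAMES.get(record["usri3_priv"], "unknown"),
        "operator_rights": decode_bits(record["usri3_auth_flags"], AF_NAMES),
        "flags": decode_bits(record["usri3_flags"], UF_NAMES),
        "password_age_days": record["usri3_password_age"] // 86400,
        "logon_hours": decode_logon_hours(record["usri3_logon_hours"]),
    }


def _weekday_business_hours():
    """Constructed bitmap allowing logon Mon-Fri, 09:00 through 17:59."""
    bitmap = bytearray(21)
    for d in range(1, 6):
        for h in range(9, 18):
            i = d * 24 + h
            bitmap[i >> 3] |= 1 << (i & 7)
    return bytes(bitmap)


# Constructed sample: someone renamed the account to "Helpdesk", but the
# RID of 500 shows it is still the real Administrator.
SAMPLE_RECORD = {
    "usri3_name": "Helpdesk",
    "usri3_user_id": rid_from_sid("S-1-5-21-1000-2000-3000-500"),  # made-up SID
    "usri3_priv": 2,
    "usri3_auth_flags": 0x8,
    "usri3_flags": 0x200 | 0x10000,
    "usri3_password_age": 400 * 86400,  # seconds since last change
    "usri3_logon_hours": _weekday_business_hours(),
}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

The flag dictionaries are deliberately small; extending them with the remaining UF_* bits from lmaccess.h is a one-line change each, and the same decoder reads level-3 output regardless of whether it came from a null session or from an authenticated administrative audit.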