Null Session

A null session occurs when you log in to a system with no username or password. NetBIOS null sessions are a vulnerability found in the Common Internet File System (CIFS) or SMB, depending on the operating system.

Note: Microsoft Windows uses SMB, and Unix/Linux systems use CIFS.

Once an attacker has made a NetBIOS connection using a null session to a system, they can easily get a full list of all usernames, groups, shares, permissions, policies, services, and more using the Null user account. The SMB and NetBIOS standards in Windows include APIs that return information about a system via TCP port 139.

One method of connecting a NetBIOS null session to a Windows system is to use the hidden Inter-Process Communication share (IPC$). This hidden share is accessible using the net use command.

The “net use” command is a built-in Windows command that connects to a share on another computer. The empty quotation marks ("") indicate that you want to connect with no username and no password. To make a NetBIOS null session to a system with the IP address 192.21.7.1 with the built-in anonymous user account and a null password using the net use command, the syntax is as follows:

net use \\192.21.7.1\IPC$ "" /u:""

Once the net use command has been successfully completed, the attacker has a channel over which to use other hacking tools and techniques.
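
An added example, not part of the original glossary entry: a PowerShell audit of the registry values that control whether a Windows host accepts anonymous (null session) access. The hardened values it compares against are assumptions taken from common baseline guidance, and a value that is not set is flagged for review rather than assumed safe.

```powershell
# Added example: audit the registry settings that govern anonymous (null session) access.
# Run in an elevated PowerShell session on the Windows host being checked.

$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Hardened values assumed for this example (common baseline guidance).
$checks = @(
    @{ Path = $lsa;    Name = 'RestrictAnonymous';         Expected = 1 },
    @{ Path = $lsa;    Name = 'RestrictAnonymousSAM';      Expected = 1 },
    @{ Path = $lsa;    Name = 'EveryoneIncludesAnonymous'; Expected = 0 },
    @{ Path = $server; Name = 'RestrictNullSessAccess';    Expected = 1 }
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$results = foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Setting  = $c.Name
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        # An unset value is reported as REVIEW so it gets checked by hand.
        Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
    }
}

# Shares listed here accept null sessions; an empty list is the hardened state.
$shares = @(Get-RegValue -Path $server -Name 'NullSessionShares') | Where-Object { $_ }
$results += [pscustomobject]@{
    Setting  = 'NullSessionShares'
    Expected = '(empty)'
    Actual   = if ($shares) { $shares -join ', ' } else { '(empty)' }
    Status   = if ($shares) { 'REVIEW' } else { 'OK' }
}

$results | Format-Table -AutoSize
```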
