Null Session

A null session occurs when you log in to a system with no username or password. NetBIOS null sessions are a vulnerability found in the Common Internet File System (CIFS) or SMB, depending on the operating system.

Note: Microsoft Windows uses SMB, and Unix/Linux systems use CIFS.

Once an attacker has made a NetBIOS connection using a null session to a system, they can easily get a full list of all usernames, groups, shares, permissions, policies, services, and more using the Null user account. The SMB and NetBIOS standards in Windows include APIs that return information about a system via TCP port 139.

One method of connecting a NetBIOS null session to a Windows system is to use the hidden Inter-Process Communication share (IPC$). This hidden share is accessible using the net use command.

The “net use” command is a built-in Windows command that connects to a share on another computer. The empty quotation marks (” “) indicate that you want to connect with no username and no password. To make a NetBIOS null session to a system with the IP address 192.21.7.1 with the built-in anonymous user account and a null password using the net use command, the syntax is as follows:

net use \\192.21.7.1 \IPC$ "" /u: ""

Once the net use command has been successfully completed, the attacker has a channel over which to use other hacking tools and techniques.

Disable Null Sessions in Windows For Security

Disabling null sessions is a key way to help you strengthen your organization’s security and reduce your attack surface. Learn How to Disable Null Session in Windows in our security guide from Blumira’s security team.

Detect and respond to Microsoft Windows security threats, including null session attacks by known hacker tools with Blumira’s detection and response platform to gain visibility in your Windows servers.

Get started with Blumira Free SIEM and fully deploy within minutes.