Enumerating MS-RPC Interfaces and Domain Users Without Authentication Securelist
RESEARCH
It has been almost 24 years since the null session vulnerability was discovered. Back then, it was
possible to access SMB named pipes with empty credentials and collect domain information.
Most often, attackers leveraged null sessions to gather domain users through techniques such
as RID (Relative Identifier) enumeration. RIDs uniquely identify users, groups, computers and other
security principals within the domain. To enumerate them, the attacker bound MS-RPC interfaces
over those pipes, made a few calls and collected the information from the remote host.
To prevent such attacks, Microsoft restricted null session capabilities by limiting what an attacker
can do after connecting to named pipes, and provided security policies that can be applied
to stop all null session activity. Today, although null sessions still exist and are enabled by default
on domain controllers (most likely for compatibility purposes), most system administrators close
this capability by hardening the security policies and monitoring domain controller activity,
including anonymous access through SMB.
1 de 7 03/06/2024, 16:00
Enumerating MS-RPC interfaces and domain users without authenticatio... https://securelist.com/no-auth-domain-information-enumeration/112629/
As penetration testers, we always ask the question: is it really as secure as it seems? In this case
we asked whether, 24 years on, we can bypass today's policies and restrictions and bring the idea of
anonymous access back to life. This research is aimed at security researchers and penetration
testers who want to deepen their understanding of MS-RPC interfaces and refine their research
techniques. All information in this article is intended for legitimate security research purposes
only, and must not be used for illegal activities.
The research is divided into two parts. This post is the first part, devoted to the research
methodology against MS-RPC interfaces, developed after observing some interesting behavior
in one of the Windows interfaces. It also discusses how that behavior can be linked to null
sessions, and how their legacy can be revived by enumerating information from the domain controller,
specifically domain users, without triggering any alerts.
Null sessions have long been a pivotal area of interest and concern within the field of
cybersecurity. They occur when access to a network resource, most commonly the IPC$ share through
which Windows named pipes are exposed, is granted with empty credentials. IPC$ (Inter-Process
Communication) is a hidden share that processes on different computers use to communicate with each
other. After obtaining anonymous access to this resource, an attacker can bind an MS-RPC interface
exposed by a particular named pipe inside the IPC$ share, and start to gather information such as
shares, users, groups, registry keys and much more.
In newer Windows versions, the null session capability has become more restricted, and is available
only on Windows servers that act as domain controllers. When you promote a server to a domain
controller, null session access to the following named pipes is available by default:
“\pipe\netlogon”;
“\pipe\samr”;
“\pipe\lsarpc”.
To prevent null sessions, two related security policies were introduced: “Network access: Restrict
anonymous access to Named Pipes and Shares” and “Network access: Named Pipes that can be accessed
anonymously.” The first policy is enabled by default. The second policy contains the three named
pipes we discussed earlier (netlogon, samr and lsarpc); it is the list of exceptions that keeps those
pipes reachable without credentials on a domain controller even though the first policy is enabled.
To prevent any action related to null sessions, the latter policy is set to empty, so that none of
these named pipes can be accessed anonymously.
During my work on traffic analysis, I noticed many packets related to DCOM communications
between the domain controller and other endpoints, which Wireshark tagged under the
IOXIDResolver RPC interface and the ServerAlive2() method. The IOXIDResolver interface is in fact the
IObjectExporter interface of MS-DCOM. As Microsoft documents, it is used for OXID resolution, pinging
and server aliveness tests. In brief, it helps locate and connect to remote objects by resolving OXID
references to the actual network locations (such as IP addresses) of objects in a DCOM environment.
One of the IObjectExporter methods is ServerAlive2 (opnum 5). It was introduced with version 5.6 of
the DCOM Remote Protocol and extends the ServerAlive method. It returns the string and security
bindings of the object resolver, which lets the client choose the most appropriate settings,
compatible with both client and server. The IObjectExporter interface is reached through the RPC
endpoint mapper on TCP port 135.
In the traffic, each TCP stream related to DCOM communication consisted of four packets. The
first binds the IObjectExporter interface, the second is the server's bind response, the
third is the ServerAlive2 call, and the final packet is the ServerAlive2 response, which lists all
the network interfaces of the domain controller.
The image above shows a bind request for the IObjectExporter interface. You can see that the Auth
Length field is equal to zero, indicating that the authentication level is None and hence there is
no authentication at all. With just two packets from the client, we can enumerate the network
interfaces of the remote host without authentication.
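The four-packet exchange described above, reconstructed as example code added for this edit (it is not the author's tool and not Kaspersky's research code). It builds the unauthenticated bind and the opnum 5 request byte by byte, so the zero Auth Length is visible in the header, parses the DUALSTRINGARRAY in the reply into string and security bindings, and can run the live exchange against a host on TCP/135. The interface and transfer-syntax UUIDs, packet types and opnum come from MS-RPCE and MS-DCOM; the sample response, the addresses 10.0.0.10 and 192.168.56.10 and the principal name DC01 are constructed for illustration, and using plain `socket`/`struct` rather than a library such as impacket is my choice, not something the article prescribes.

```python
"""Raw, unauthenticated IObjectExporter::ServerAlive2 over TCP/135: the two
client PDUs the article describes, plus a parser for the reply's bindings."""
import socket
import struct
import sys
import uuid

# Interface/transfer-syntax UUIDs, ptypes and opnum from MS-RPCE and MS-DCOM.
IOBJECTEXPORTER = uuid.UUID("99fcfec4-5260-101b-bbcb-00aa0021347a")  # v0.0
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")       # v2.0
PTYPE_REQUEST, PTYPE_RESPONSE, PTYPE_BIND, PTYPE_BIND_ACK = 0, 2, 11, 12
PFC_FIRST_LAST = 0x03          # PFC_FIRST_FRAG | PFC_LAST_FRAG
OPNUM_SERVER_ALIVE2 = 5
TOWER_NCACN_IP_TCP = 0x07      # wTowerId of a TCP/IP string binding

def rpc_header(ptype, frag_len, call_id, auth_len=0):
    """16-byte CO PDU header; auth_length 0 is the 'Auth Length: 0' Wireshark shows."""
    return struct.pack("<BBBBIHHI", 5, 0, ptype, PFC_FIRST_LAST, 0x10, frag_len, auth_len, call_id)

def build_bind(call_id=1):
    """Packet 1: bind IObjectExporter v0.0 with a single NDR 2.0 presentation context."""
    ctx = struct.pack("<HBB", 0, 1, 0)                        # ctx id 0, one transfer syntax
    ctx += IOBJECTEXPORTER.bytes_le + struct.pack("<HH", 0, 0)
    ctx += NDR_SYNTAX.bytes_le + struct.pack("<HH", 2, 0)
    body = struct.pack("<HHIBBH", 5840, 5840, 0, 1, 0, 0) + ctx  # frag sizes, assoc group, 1 ctx
    return rpc_header(PTYPE_BIND, 16 + len(body), call_id) + body

def build_server_alive2(call_id=2):
    """Packet 2: request for opnum 5; no [in] parameters, so the stub is empty (24 bytes)."""
    body = struct.pack("<IHH", 0, 0, OPNUM_SERVER_ALIVE2)     # alloc hint, ctx id, opnum
    return rpc_header(PTYPE_REQUEST, 16 + len(body), call_id) + body

def parse_server_alive2(pdu):
    """Return COMVERSION, status, string bindings (tower, address) and security
    bindings (authn service, principal) from a ServerAlive2 response PDU. The stub
    is COMVERSION, pointer to DUALSTRINGARRAY, pReserved, status; the status is read
    from the PDU tail so no NDR padding arithmetic is needed in between."""
    if pdu[0] != 5 or pdu[2] != PTYPE_RESPONSE:
        raise ValueError("not an RPC response PDU")
    frag_len, auth_len = struct.unpack_from("<HH", pdu, 8)
    if frag_len != len(pdu) or auth_len != 0:
        raise ValueError("fragmented or authenticated PDU; not handled here")
    status = struct.unpack_from("<I", pdu, len(pdu) - 4)[0]
    major, minor, referent, _, n_entries, sec_off = struct.unpack_from("<HHIIHH", pdu, 24)
    result = {"com_version": (major, minor), "status": status,
              "string_bindings": [], "security_bindings": []}
    if referent == 0:                                         # NULL DUALSTRINGARRAY pointer
        return result
    arr = struct.unpack_from("<%dH" % n_entries, pdu, 40)
    def read_wstr(i):                                         # NUL-terminated UTF-16LE
        end = i
        while arr[end] != 0:
            end += 1
        return "".join(map(chr, arr[i:end])), end + 1
    i = 0
    while i < sec_off and arr[i] != 0:                        # STRINGBINDING entries
        addr, nxt = read_wstr(i + 1)
        result["string_bindings"].append((arr[i], addr))
        i = nxt
    i = sec_off
    while i < n_entries and arr[i] != 0:                      # SECURITYBINDING entries
        princ, nxt = read_wstr(i + 2)                         # skip wAuthnSvc + 0xFFFF
        result["security_bindings"].append((arr[i], princ))
        i = nxt
    return result

def sample_server_alive2_response(call_id=2):
    """Constructed reply (not a capture) as a two-NIC DC named DC01 might send it."""
    w = lambda s: [ord(c) for c in s] + [0]
    sbind = [TOWER_NCACN_IP_TCP] + w("10.0.0.10") + [TOWER_NCACN_IP_TCP] + w("192.168.56.10") + [0]
    sec = [9, 0xFFFF] + w("DC01") + [0]                       # 9 = RPC_C_AUTHN_GSS_NEGOTIATE
    arr = sbind + sec
    stub = struct.pack("<HHIIHH", 5, 7, 0x20000, len(arr), len(arr), len(sbind))
    stub += struct.pack("<%dH" % len(arr), *arr)
    stub += b"\x00" * (-len(stub) % 4)                        # NDR aligns the next DWORD
    stub += struct.pack("<II", 0, 0)                          # pReserved, return status 0
    body = struct.pack("<IHBB", len(stub), 0, 0, 0) + stub    # alloc hint, ctx, cancel, pad
    return rpc_header(PTYPE_RESPONSE, 16 + len(body), call_id) + body

def _recv_pdu(sock):
    buf = b""
    while len(buf) < 16 or len(buf) < struct.unpack_from("<H", buf, 8)[0]:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def server_alive2(host, port=135, timeout=5.0):
    """Live exchange, two packets out and two back; only against hosts you may test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_bind())
        if _recv_pdu(sock)[2] != PTYPE_BIND_ACK:
            raise RuntimeError("bind refused")
        sock.sendall(build_server_alive2())
        return parse_server_alive2(_recv_pdu(sock))

if __name__ == "__main__":
    for tower, addr in server_alive2(sys.argv[1])["string_bindings"]:
        print("tower 0x%02x  %s" % (tower, addr))
```

Run as `python3 serveralive2.py <host>` against a lab domain controller to see the same four-packet stream in Wireshark. The bind PDU is the standard 72-byte single-context bind, and the request is 24 bytes because ServerAlive2 carries nothing but the implicit binding handle; neither carries an auth trailer, which is exactly why the auth length stays at zero. The parser deliberately refuses fragmented or authenticated PDUs rather than guessing at them.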
The idea struck me: what if other RPC interfaces are reachable without authentication? What
kind of enumeration could be obtained from them? Can we map it to the famous null session? And
what research strategy should I follow to find out? In the full version of the research (PDF), I try
to answer these questions, discuss a new path for enumerating domain information, and share a
tool that implements the idea behind this new path.
Authors
HAIDAR KABIBO