Monday, November 1, 2010

Null session attacks

A null session attack is an exploit that uses unauthenticated NetBIOS connections to enumerate a target host.

Microsoft Windows servers usually run many services and programs. Some of these services communicate with other Windows servers to complete specific tasks. For those communications and tasks to complete successfully, a Windows server logs into the remote Windows server using a blank username and password. This is referred to as a “Null Session”.

However, it is not only genuine servers that can log in to the remote server this way; hackers with enough skill can do so too, and it is not that tough either. They can use this to obtain NetBIOS information from the machine and to perform various other exploits against it. This is referred to as a “Null Session Attack”.

To carry out a Null Session attack, on most occasions hackers try to get a command prompt (cmd.exe).

Protect your computer from Null Session Attacks
Null Session Attacks are mostly carried out on ports 139 and 445 on a Windows PC. Therefore the best option is to simply block SMB communications by limiting traffic on TCP ports 139 and 445 (excluding NT, which doesn’t use 445) to trusted networks. If you use Windows XP, install Service Pack 3 without delay. SP3 has an improved firewall which prevents null session attacks, so that at least if someone tries to log in to your computer over the internet, the attempt is blocked.
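To check that a rule set really limits TCP 139 and 445 to trusted networks, the following added example (not part of the original post) audits a list of inbound firewall rules. The rule fields, rule names, sample rules and trusted networks are all constructed assumptions, not any firewall's real export format.

```python
import ipaddress

SMB_PORTS = {139, 445}  # TCP ports the post names for null sessions

# Assumption: the networks you consider trusted (constructed values).
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]

# Constructed sample of inbound rules; the field names are hypothetical.
RULES = [
    {"name": "smb-lan", "action": "allow", "proto": "tcp",
     "ports": "139,445", "source": "192.168.10.0/24"},
    {"name": "file-share-legacy", "action": "allow", "proto": "tcp",
     "ports": "135-139", "source": "0.0.0.0/0"},   # range that hides 139
    {"name": "smb-partner", "action": "allow", "proto": "tcp",
     "ports": "445", "source": "203.0.113.0/24"},
    {"name": "web", "action": "allow", "proto": "tcp",
     "ports": "443", "source": "0.0.0.0/0"},
    {"name": "netbios-udp", "action": "allow", "proto": "udp",
     "ports": "137-138", "source": "0.0.0.0/0"},
]

def parse_ports(spec):
    """Expand a spec such as '139,445' or '135-139' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def is_trusted(source, trusted=TRUSTED):
    """True only if the whole source network sits inside a trusted network."""
    net = ipaddress.ip_network(source, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)

def audit(rules, trusted=TRUSTED):
    """Return (rule name, exposed SMB ports, source) for each TCP allow rule
    that opens 139 or 445 to a source outside the trusted networks."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["proto"] != "tcp":
            continue
        exposed = parse_ports(rule["ports"]) & SMB_PORTS
        if exposed and not is_trusted(rule["source"], trusted):
            findings.append((rule["name"], sorted(exposed), rule["source"]))
    return findings

if __name__ == "__main__":
    for name, ports, source in audit(RULES):
        print(f"{name}: TCP {ports} reachable from untrusted source {source}")
```

Each allow rule is checked on its own; rule ordering and deny rules that might shadow an allow are not modelled.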
