Null Authentication – Active Directory Enumeration


Null Authentication

Null Authentication: The client connects to a server (SMB, RPC, etc.) without providing any credentials. The server cannot verify the client's identity, yet the client is still granted access to the server without any restrictions. This feature was common on legacy machines (Windows XP, Windows Server 2003, etc.). However, as cybersecurity started getting more attention, the null authentication feature was disabled, since it allows attackers to connect to a server without any authentication.

SMB Null Authentication

We can check if SMB null authentication is enabled by using “smbmap”.

  • -H is the IP of the host
  • -u and -p are left blank because it's a null authentication
smbmap -H 192.168.5.14 -u '' -p ''

The output above shows us that the “SecretsNStuff” share is readable but we don’t have any access to the other ones.

We can also use a tool called “crackmapexec”. Crackmapexec is one of my favorite tools for network pentesting. In this scenario, we can enumerate for users, password lockout policies, etc.

  • smb specifies the protocol we're using. If we were using WinRM, we'd specify "winrm" instead of "smb"
  • -u and -p are left blank just like before since we're trying to null authenticate
  • --users lists the users on the machine
  • --pass-pol shows the domain password and lockout policy
crackmapexec smb 192.168.5.14 -u '' -p '' --users
crackmapexec smb 192.168.5.14 -u '' -p '' --pass-pol

To actually view the files in the shares I like to use a tool called smbclient. It lets us directly interact with the shares.

  • -L specifies to list the shares
  • '//192.168.5.14/' is how you should be typing the IP of the machine that you're enumerating
  • -U is where you specify the username. Make sure to specify % instead of nothing.
smbclient -L '//192.168.5.14/' -U '%'

Now, to actually access a share, remove the -L and type the name of the share after the IP. We can also list the files in the share using "dir".

smbclient '//192.168.5.14/SecretsNStuff' -U '%'

Then, download the file using “get”

If we exit smbclient, we can see that the file is in our Kali machine and we found credentials.

RPC Null Authentication

RPC is a software communication protocol that allows domain controllers to communicate with each other and replicate the Active Directory database. This helps to ensure that the Active Directory database is kept consistent across all domain controllers in the domain.

To check if RPC has null authentication enabled, we can use the "rpcclient" tool. Once connected, the "enumdomusers" command shows us all the users that are in the domain.

rpcclient -U '%' 192.168.5.14
enumdomusers

The “querydispinfo” command shows us the usernames and the descriptions belonging to those usernames.

querydispinfo

Anonymous LDAP bind Demo

LDAP Bind: LDAP bind operations are how clients identify themselves to the directory server and gain access to its resources. The client provides the server with its credentials, such as a username and password, and the server validates them. If the credentials are valid, the server grants the client access to the directory. Anonymous Bind is when the directory server does not require credentials, which potentially allows anyone to query it without any credentials.

To query LDAP for information, we can use a tool on Kali called "ldapsearch".

  • -x tells it to use simple authentication
  • -H is the host. It should be followed by ldap://<domaincontroller_ip>
  • -D and -w specify the distinguished name and password, respectively. They are left blank because we're specifying an anonymous bind.
  • -b is the base where to search for information. We're setting it to the domain name (WANDA.local).
ldapsearch -x -H ldap://192.168.5.5 -D '' -w '' -b "DC=WANDA,DC=local"

The output is very large, which is why I recommend using grep to single out the useful information.

  • grep "CN=Person" -B34 finds every line that has "CN=Person" and prints the 34 lines before that line.
  • grep "sAMAccountName" will make the output only contain lines that have "sAMAccountName".
  • awk '{print $2}' will output the second word of each line
ldapsearch -x -H ldap://192.168.5.5 -D '' -w '' -b "DC=WANDA,DC=local" | grep "CN=Person" -B34 | grep "sAMAccountName" | awk '{print $2}'

The output above shows the usernames of the users in the Domain.

We are even able to see the description of these users. To only filter out the description and the user it belongs to, grep for the description and make it check for the previous line as well.

ldapsearch -x -H ldap://192.168.5.5 -D '' -w '' -b "DC=WANDA,DC=local" | grep "CN=Person" -B34 | grep "description" -B1
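The grep/awk chains above are fragile: LDIF folds long values onto a continuation line (which grep -B1 then misses) and base64-encodes non-ASCII descriptions after "::". As an added example (not from the post), here is a small Python parser that does what the pipeline intends, returning the sAMAccountName and description of every person object; the LDIF sample is constructed.

```python
import base64
import re
# Constructed sample of ldapsearch LDIF output (not from a real DC). It has a folded value
# (continuation line starting with a space) and a base64 value ("::"), which grep mishandles.
SAMPLE_LDIF = """\
dn: CN=Wanda Maximoff,CN=Users,DC=WANDA,DC=local
objectClass: person
description: Helpdesk account, reset every
  quarter
sAMAccountName: wmaximoff

dn: CN=svc_backup,CN=Users,DC=WANDA,DC=local
objectClass: person
description:: dGVtcCBwdyAxMjM0
sAMAccountName: svc_backup

dn: CN=Domain Admins,CN=Users,DC=WANDA,DC=local
objectClass: group
sAMAccountName: Domain Admins

# search result
search: 2
result: 0 Success
"""

ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9;.-]*)(::?)\s*(.*)$")

def parse_ldif(text):
    """Return a list of entries, each mapping attribute name -> list of values."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:  # unfold, then force a final flush
        if not line.strip():  # a blank line terminates the current record
            if "dn" in current:  # only records with a dn are entries (drops the search/result trailer)
                entries.append(current)
            current = {}
            continue
        m = ATTR_LINE.match(line)
        if not m:  # comments ("# ...") and anything that is not "attr: value"
            continue
        key, sep, val = m.groups()
        if sep == "::":  # base64-encoded value (LDIF uses this for values that are not safe ASCII)
            val = base64.b64decode(val).decode("utf-8", "replace")
        current.setdefault(key, []).append(val)
    return entries

def person_accounts(text):
    """(sAMAccountName, description) for each objectClass=person entry: what the grep chain intends."""
    return [(e["sAMAccountName"][0], " ".join(e.get("description", [])))
            for e in parse_ldif(text)
            if "person" in e.get("objectClass", []) and "sAMAccountName" in e]
```

Pipe real output in with `ldapsearch ... | python3 -c 'import sys, ldif_users; print(ldif_users.person_accounts(sys.stdin.read()))'` (module name assumed) to review what an anonymous bind exposes, including descriptions that should never hold credentials.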

Replicate the Vulnerability

Replicating the SMB and RPC null authentication vulnerabilities is impossible on recent versions of Windows. They can only be enabled on Windows Server 2003 and below.

As for the LDAP null bind, you can follow the detailed steps below. I have to mention that I wouldn’t have figured this out without this tutorial.

On your Domain Controller, open up ADSI edit

Right click "ADSI Edit" and click "Connect to…"

That should open up the connection settings. There, set the Naming Context to “Configuration”. Then click “OK”

After you click ok, you should be met with the screen below. From there, right click on “CN=Directory Service” and click “properties”

Once the directory service properties tab is open, set dSHeuristics to 0000002. Click “OK”.

Now, open up Active Directory Users and Computers

Go to the top and go to View > Advanced Features. This should allow you to modify the security of the domain.

Right click on the domain name and click properties

Then go to the “Security” tab and click “Advanced”

It should bring up the Advanced Security settings for the domain. From there, click “Add”

Then click “Select a principal”

Type in “Anonymous Logon” and hit “Check Names”. Then click “OK”

Now you have anonymous bind enabled on the Domain. Try it out with Kali!

Thank you for reading! If you enjoyed this post, be sure to share it.