Re: Using Null Session information from NAT.EXE

From: H Carvey (keydet89@yahoo.com)
Date: 11/03/01


Date: 3 Nov 2001 12:54:18 -0000
Message-ID: <20011103125418.2586.qmail@mail.securityfocus.com>
From: H Carvey <keydet89@yahoo.com>
To: pen-test@securityfocus.com
Subject: Re: Using Null Session information from NAT.EXE


Mailer: SecurityFocus
In-Reply-To: <F40AaNUqsGo9Fr6QCpz0000b3e8@hotmail.com>

Ian,

I'm not sure why this is the case, perhaps it has
something to do with how LM passwords are
handled...you know, the whole thing about
splitting it in 7-byte segments, forcing the
password to all caps, etc.

Anyway, my experience with this on pen tests and
vulnerability assessments has shown that against a
single system, the "/u:domain_name" or
"/u:computer_name" stuff really isn't an issue.
And from the error you're seeing, it's clear that
NAT is cleaning up its connections so you don't
have a conflict. In fact, the error message seems
to point out that there's something wrong with
either the username or password...perhaps a
capitalization problem with either one.

If you do any Perl scripting, I have something
that might help you out. Go to:

http://patriot.net/~carvdawg/perl.html

Get 'null.pl'. This script uses Win32::Lanman,
and attempts null session connections/enumeration.
A couple of simple mods will turn some of the
code into a brute force password cracker. If you
look at the ConnectIPC() and Disconnect()
functions, you'll see where this is possible.

HTH,

Carv

>NET USE Z: \\xxx.xxx.xxx.xxx\c$ /user:administrator password
>
>to map the C$ to a local z:
>
>However every time I try that it gives me a
>
>System error 1326 has occurred.
>Logon Failure: unknown user name or bad password.
