Re: Null Session

From: H D Moore (sflist_at_digitaloffense.net)
Date: 03/07/05

  • Next message: Randy Golly: "RE: Testing large networks"
    To: pen-test@securityfocus.com
    Date: Mon, 7 Mar 2005 15:04:33 -0600
    
    

    Windows XP and 2003 will map an invalid login to an anonymous session. You
    can tell whether your authentication is a real or anonymous one by
    checking the "Action" flag in the response to your SessionSetup request.
    For some goofy reason, Windows XP will deny "null" authentication, but
    allow null sessions with an invalid username. The server will accept
    connections to the remote registry service and the ADMIN$ share, but you
    will not have access to view or modify the contents in a default
    configuration.

    -HD

    On Sunday 06 March 2005 06:54, Wbsony wrote:
    > Anybody encountered this situation before and could enlighten me?
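The check described in the message above, written as an added example (not part of the original post): parse an SMB1 SESSION_SETUP_ANDX response and read bit 0 of the Action word, which the SMB1 specification names SMB_SETUP_GUEST. It assumes the NetBIOS session header has already been stripped; the function names are hypothetical, and the sample messages are constructed here rather than taken from a capture.

```python
import struct

SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_FLAGS_REPLY = 0x80        # Flags bit 7: message is a server response
SMB_SETUP_GUEST = 0x0001      # Action bit 0: logon was mapped to guest/anonymous
HEADER_LEN = 32               # fixed SMB1 header size

def session_setup_action(msg: bytes) -> dict:
    """Parse an SMB1 SESSION_SETUP_ANDX response (NetBIOS framing already removed)."""
    if len(msg) < HEADER_LEN + 1 or msg[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    command, status, flags = struct.unpack_from("<BIB", msg, 4)
    if command != SMB_COM_SESSION_SETUP_ANDX or not flags & SMB_FLAGS_REPLY:
        raise ValueError("not a SESSION_SETUP_ANDX response")
    uid = struct.unpack_from("<H", msg, 28)[0]
    word_count = msg[HEADER_LEN]
    result = {"status": status, "uid": uid, "action": None, "guest": None}
    # Action is only present on 3-word (plain) or 4-word (extended security)
    # responses, and only meaningful once the logon has succeeded (status 0).
    if status != 0 or word_count not in (3, 4):
        return result
    if len(msg) < HEADER_LEN + 1 + 2 * word_count:
        raise ValueError("truncated parameter block")
    # Words: AndXCommand(1) AndXReserved(1) AndXOffset(2) Action(2) ...
    action = struct.unpack_from("<H", msg, HEADER_LEN + 1 + 4)[0]
    result.update(action=action, guest=bool(action & SMB_SETUP_GUEST))
    return result

def constructed_response(action: int, flags: int = 0x98) -> bytes:
    """Constructed sample message (not a capture): a successful plain response."""
    header = (b"\xffSMB"
              + struct.pack("<BIBH", SMB_COM_SESSION_SETUP_ANDX, 0, flags, 0xC807)
              + b"\x00" * 12                       # PIDHigh, signature, reserved
              + struct.pack("<HHHH", 0, 0x1234, 0x0800, 1))  # TID, PID, UID, MID
    params = struct.pack("<BBBHH", 3, 0xFF, 0, 0, action)   # WordCount + 3 words
    return header + params + struct.pack("<H", 0)           # ByteCount = 0

if __name__ == "__main__":
    for label, act in (("real logon", 0x0000), ("mapped to guest", 0x0001)):
        print(label, session_setup_action(constructed_response(act)))
```

A result with `guest` set to `True` on a logon that supplied credentials means the server mapped the failed authentication to an anonymous session, which is the case the message describes.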

