MSRPC NULL sessions - Herve Schauer Consultants
Slide 2: Agenda
- Introduction to NULL sessions
- NULL sessions internals
- Tools to exploit NULL sessions
- NULL sessions restrictions
- Default NULL session restrictions on Windows systems
  - Windows 2000
  - Windows XP (SP0, SP1a), Windows XP SP2
  - Windows Server 2003, Windows Server 2003 SP1
  - Active Directory domain controllers
- Hardening recommendations
- Conclusion

Copyright Hervé Schauer Consultants 2000-2005 - Reproduction prohibited


Slide 5: NULL session: network trace [only the slide title survives in this export]


Slide 6: How can a NULL session fail?
- SMB-related ports (445/tcp, 139/tcp) filtered or disabled
  - IP filtering, Server service not bound to the network adapter, ...
- Server service refusing unauthenticated SMB sessions
  - Only theoretical, never happens in practice
- IPC$ share disabled
  - Before Windows XP, IPC$ might be deleted (net share IPC$ /delete)
- Named pipe can not be opened anonymously
  - XP SP2, W2K3 SP1: a named pipe might be forbidden, even for authenticated sessions (named pipe firewall)
- DCE-RPC server refusing unauthenticated bind requests
- Individual operations inside a DCE-RPC interface implementing access control


Slide 7: Named pipes used by MSRPC interfaces
- Interesting named pipes for NULL sessions
  - \pipe\samr: SAM (Security Account Manager) RPC server
  - \pipe\lsarpc: LSA (Local Security Authority) RPC server
  - \pipe\netlogon: Netlogon RPC server
  - \pipe\svcctl: SCM (Service Control Manager) RPC server
  - \pipe\eventlog: Eventlog service RPC server
  - \pipe\srvsvc: Server service RPC server
  - \pipe\wkssvc: Workstation service RPC server
- Details of these interfaces: http://www.hsc.fr/ressources/articles/win_net_srv/


Slide 8: Hardcoded named pipes (1/2)
- The NullSessionPipes registry value is supposed to contain the named pipes allowed to be opened anonymously
- Before Windows XP SP2 and Windows 2003 SP1, 6 named pipes are always implicitly allowed to be opened anonymously
  - \pipe\lsarpc, \pipe\samr, \pipe\netlogon, \pipe\wkssvc, \pipe\srvsvc, \pipe\browser
- Particularly misleading, as these 6 named pipes do not appear in the NullSessionPipes registry value
- Sidenote: NullSessionPipes can not be modified to protect against recent MSRPC vulnerabilities
  - wkssvc vulnerability (MS03-049)
  - dssetup vulnerability (MS04-011)


Slide 9: Hardcoded named pipes (2/2)
- Microsoft removed the hardcoded named pipes in
  - Windows XP SP2
  - Windows 2003 SP1
- NullSessionPipes now explicitly contains
  - Windows XP SP2: \pipe\browser
  - Windows 2003 SP1: \pipe\lsarpc, \pipe\samr, \pipe\netlogon, \pipe\browser


Slide 10: Named pipes aliases: introduction
- Windows named pipes are implemented by a file system driver
  - npfs.sys: named pipe file system driver
- Named pipe file system related tools (Sysinternals)
  - pipelist: named pipes enumeration
  - filemon: file system activity, including npfs
  - pipeacl: named pipes security descriptor viewer
- The npfs driver supports aliases
  - Alias names stored in the registry: HKLM\SYSTEM\CurrentControlSet\Services\Npfs\Aliases\ key
  - Two values: lsass and ntsvcs
  - Some named pipes do not exist in the npfs namespace but are aliases of either lsass or ntsvcs


Slide 11: Named pipes aliases
- Named pipe aliases
  - \pipe\lsass aliases:
    - Windows 2000: \pipe\lsarpc, \pipe\samr, \pipe\netlogon
    - Windows 2003: \pipe\lsarpc, \pipe\samr, \pipe\netlogon, \pipe\protected_storage
  - \pipe\ntsvcs aliases:
    - Windows 2000: \pipe\srvsvc, \pipe\wkssvc, \pipe\svcctl, \pipe\eventlog, ...
    - Windows 2003: \pipe\svcctl, \pipe\eventlog
  - http://www.hsc.fr/ressources/presentations/sambaxp2003/slide21.html
- Immediate consequence
  - All aliases of \pipe\lsass are equivalent
  - All aliases of \pipe\ntsvcs are equivalent


Slide 12: Named pipes and MSRPC
- MSRPC: all RPC services running inside a process can be reached using any opened endpoint
  - Most Windows services run RPC services and are executed in shared processes (lsass.exe, services.exe, svchost.exe)
- RPC services need to register a security callback function to avoid this vulnerability
  - The security callback function must verify that the expected endpoint was used
  - RpcServerRegisterIf2() and RpcServerRegisterIfEx() APIs
  - http://msdn.microsoft.com/library/en-us/rpc/rpc/be_wary_of_other_rpc_endpoints_running_in_the_same_process.asp


Slide 13: Tools to exploit NULL sessions
- rpcclient
  - Command-line tool implementing interesting MSRPC interfaces
  - Two versions (Samba-TNG, Samba), supporting different sets of MSRPC operations
  - Samba4's rpcclient currently in development (using Python wrappers)
- Nessus NASL scripts
  - Tenable recently developed new SMB and MSRPC implementations for Nessus
  - Some NASL scripts can be used standalone, with the nasl command


Slide 14: Using NULL sessions: the usual way
- Opening a named pipe that can be opened anonymously
  - Either one of the six hardcoded named pipes or one appearing in NullSessionPipes
- Binding to the RPC interface supported by the named pipe
- Examples
  - Opening \pipe\lsarpc and binding to lsarpc
  - Opening \pipe\samr and binding to samr
  - Opening \pipe\netlogon and binding to netlogon
  - Opening \pipe\srvsvc and binding to srvsvc
  - Opening \pipe\wkssvc and binding to wkssvc
  - ...


Slide 15: Using NULL sessions: the new way
- Opening a named pipe that can be opened anonymously
  - Either one of the six hardcoded named pipes or one appearing in NullSessionPipes
- Binding to one of the RPC interfaces run by services running inside the process that created the named pipe
- Examples
  - Opening \pipe\{srvsvc,wkssvc,browser} and binding to svcctl or eventlog
    - Supported by Windows 2000's services.exe process (fixed by Update Rollup 1 for Windows 2000 SP4)
  - Opening \pipe\browser and binding to wkssvc or srvsvc in Windows XP SP2 and Windows Server 2003 SP1


Slide 17: Anonymous enumeration of Windows 2000 services [only the slide title survives in this export]


Slide 18: NULL session restrictions: registry values and security options (1/2)
- RestrictAnonymous (Windows NT 4.0 and later)
  - Windows NT 4.0: 0 or 1
  - Windows 2000: 0, 1 or 2 (disable NULL sessions)
    - "Additional restrictions for anonymous connections" security option
  - Windows XP and Windows 2003: 0 or 1
    - "Network access: Do not allow anonymous enumeration of SAM accounts and shares" security option
- EveryoneIncludesAnonymous (Windows XP, Windows 2003)
  - "Network access: Let Everyone permissions apply to anonymous users"
  - Disabled by default (EVERYONE does not include ANONYMOUS LOGON)


Slide 19: NULL session restrictions: registry values and security options (2/2)
- RestrictAnonymousSam (Windows XP, Windows 2003)
  - "Network access: Do not allow anonymous enumeration of SAM accounts"
  - Enabled by default, preventing anonymous access to samr
- "Network access: Allow anonymous SID/Name translation"
  - Disabled by default
  - Modifies the security descriptor on the LSA policy object, to deny or allow anonymous SID to name translation
- TurnOffAnonymousBlock (Windows 2003)
  - Not present by default, preventing anonymous access to lsarpc
  - When present and set to 1, allows anonymous access to lsarpc


Slide 20: NULL session restrictions in Windows 2000 (1/2)
- 6 hardcoded named pipes
- RestrictAnonymous set to 0 by default
  - 0: no restriction
  - 1: prevent direct enumeration of accounts and groups using samr
  - 2: prevent NULL sessions (anonymous connections to IPC$ denied)
- Anonymous access to samr
  - Detailed user accounts enumeration
  - Group memberships (including BUILTIN\Administrators)
  - Prevented by setting RestrictAnonymous to 1
- Anonymous access to lsarpc
  - Can be used to translate SIDs to names, to indirectly discover user accounts when RestrictAnonymous is set to 1


Slide 21: NULL session restrictions in Windows 2000 (2/2)
- Anonymous access to wkssvc and srvsvc
  - Some hardcoded restrictions, documented in MSDN (Security requirements section)
  - Some additional restrictions for srvsvc operations when RestrictAnonymous is set to 1
  - Security descriptors for srvsvc operations stored under the DefaultSecurity registry key
    - Can be modified in Windows XP and Windows Server 2003 with the TweakUI for Windows XP tool


Slide 22: Windows 2000: RestrictAnonymous == 0 [only the slide title survives in this export]


Slide 23: Windows 2000: RestrictAnonymous == 1 [only the slide title survives in this export]


Slide 24: Windows 2000: RestrictAnonymous == 2 [only the slide title survives in this export]


Slide 25: NULL session restrictions in Windows XP (SP0 and SP1a)
- 6 hardcoded named pipes
- Anonymous access to samr forbidden
  - RestrictAnonymousSam registry value set to 1 by default
- Anonymous access to lsarpc allowed
  - However, anonymous SID to name translation forbidden
    - Security option "Network access: Allow anonymous SID/Name translation" disabled by default
- Anonymous access to wkssvc and srvsvc allowed
  - RestrictAnonymous set to 0 by default
  - If set to 1, some additional restrictions for srvsvc operations


Slide 26: Windows XP SP1a [only the slide title survives in this export]


Slide 27: NULL session restrictions in Windows XP SP2
- \pipe\samr, \pipe\lsarpc and \pipe\netlogon no longer hardcoded
  - Prevents all anonymous access to RPC services running inside lsass.exe (including samr and lsarpc)
- One interesting named pipe remaining: \pipe\browser
  - Can be used to reach another RPC interface running in the same svchost.exe instance, such as
    - Workstation service RPC server (wkssvc)
    - Server service RPC server (srvsvc)
- RestrictAnonymous set to 0 by default
  - When set to 1, restricts some operations of srvsvc


Slide 28: Windows XP SP2 [only the slide title survives in this export]


Slide 29: NULL session restrictions in Windows 2003
- 6 hardcoded named pipes
- Anonymous access to samr forbidden
  - RestrictAnonymousSam registry value set to 1 by default
- Anonymous access to lsarpc forbidden
  - Default setting for a Windows 2003 system
  - Can be allowed by adding and setting TurnOffAnonymousBlock to 1
  - In addition, the security option "Network access: Allow anonymous SID/Name translation" is disabled by default
- Anonymous access to wkssvc and srvsvc allowed
  - RestrictAnonymous set to 0 by default
  - If set to 1, some additional restrictions for srvsvc operations


Slide 30: Windows Server 2003 [only the slide title survives in this export]


Slide 31: NULL session restrictions in Windows 2003 SP1
- \pipe\samr, \pipe\lsarpc, \pipe\netlogon, \pipe\browser present in NullSessionPipes
- Anonymous access to samr forbidden
  - RestrictAnonymousSam registry value set to 1 by default
- Anonymous access to lsarpc forbidden
  - Default setting for a Windows 2003 SP1 system
- Anonymous access to wkssvc and srvsvc still possible through \pipe\browser
- RestrictAnonymous set to 0 by default
  - If set to 1, some additional restrictions for srvsvc operations


Slide 32: NULL session restrictions in Active Directory domain controllers: samr interface
- Active Directory uses the Pre-Windows 2000 Compatible Access local group to grant or revoke anonymous access to Active Directory objects
- On Windows 2000 Active Directory domain controllers, EVERYONE is included in Pre-Windows 2000 Compatible Access, allowing anonymous enumeration of Active Directory accounts
- On Windows 2003, EVERYONE no longer includes ANONYMOUS LOGON, thus anonymous enumeration is only possible if ANONYMOUS LOGON explicitly appears in Pre-Windows 2000 Compatible Access
- The RestrictAnonymous (Windows 2000) and RestrictAnonymousSam (Windows 2003) settings have no effect on samr restrictions on Active Directory domain controllers


Slide 33: Windows Server 2003 domain controller (with ANONYMOUS LOGON) [only the slide title survives in this export]


Slide 34: Windows Server 2003 domain controller (without ANONYMOUS LOGON) [only the slide title survives in this export]


Slide 35: Summary of NULL sessions protection
- Before Windows XP SP2 and Windows 2003 SP1
  - 6 hardcoded named pipes always implicitly allowed for NULL sessions
- Windows 2000 is the only system where NULL sessions can be completely disabled
  - With RestrictAnonymous == 2
  - RestrictAnonymous == 2 is not supported in Windows XP and Windows Server 2003 (equivalent to 1)
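The following is an added example, not code from the presentation. It models the reasoning of the "Named pipes and MSRPC" and "the new way" slides together with the per-system defaults above: an anonymously openable pipe exposes every RPC interface registered in the process serving it, minus the interface-level restrictions (RestrictAnonymousSam, TurnOffAnonymousBlock, RestrictAnonymous == 2). The pipe-to-process layouts are simplified from the alias and restriction slides and are assumptions, not a complete inventory of any Windows build.

```python
# Added example, not code from the presentation.  An anonymously openable pipe
# gives access to every RPC interface of the process behind it, so the set a NULL
# session can reach is "interfaces of the processes behind the openable pipes"
# minus the interface-level restrictions.  The layouts below are simplified from
# the slides and are assumptions; operation-level restrictions (srvsvc with
# RestrictAnonymous = 1) are not modelled.

HARDCODED_PIPES = {"lsarpc", "samr", "netlogon", "wkssvc", "srvsvc", "browser"}
LSASS = {"lsarpc", "samr", "netlogon"}

# system -> (pipes openable anonymously by default, pipe -> process, process -> interfaces)
PROFILES = {
    "Windows 2000": (
        HARDCODED_PIPES,
        {"lsarpc": "lsass", "samr": "lsass", "netlogon": "lsass",
         "srvsvc": "services", "wkssvc": "services", "browser": "services"},
        {"lsass": LSASS,
         "services": {"srvsvc", "wkssvc", "browser", "svcctl", "eventlog"}},
    ),
    "Windows XP SP2": (
        {"browser"},                                  # default NullSessionPipes
        {"lsarpc": "lsass", "samr": "lsass", "netlogon": "lsass",
         "srvsvc": "svchost", "wkssvc": "svchost", "browser": "svchost"},
        {"lsass": LSASS, "svchost": {"srvsvc", "wkssvc", "browser"}},
    ),
    "Windows 2003 SP1": (
        {"lsarpc", "samr", "netlogon", "browser"},    # default NullSessionPipes
        {"lsarpc": "lsass", "samr": "lsass", "netlogon": "lsass",
         "srvsvc": "svchost", "wkssvc": "svchost", "browser": "svchost"},
        {"lsass": LSASS, "svchost": {"srvsvc", "wkssvc", "browser"}},
    ),
}


def anonymous_reach(system, restrict_anonymous=0, restrict_anonymous_sam=None,
                    turn_off_anonymous_block=0, null_session_pipes=None,
                    w2k_rollup1=False):
    """Return the set of RPC interface names a NULL session can bind to."""
    open_pipes, proc_of, ifaces_of = PROFILES[system]
    w2k = system == "Windows 2000"
    if w2k and restrict_anonymous == 2:
        return set()                 # anonymous connections to IPC$ denied
    if null_session_pipes is not None and not w2k:
        open_pipes = set(null_session_pipes)   # no hardcoded list any more
    reach = set()
    for pipe in open_pipes:
        proc = proc_of.get(pipe)
        if proc is None:
            continue
        if w2k and w2k_rollup1 and proc == "services":
            reach.add(pipe)          # Update Rollup 1: services.exe checks the endpoint
        else:
            reach |= ifaces_of[proc]  # any interface in the same process
    if restrict_anonymous_sam is None:
        restrict_anonymous_sam = 0 if w2k else 1   # RestrictAnonymousSam default
    if restrict_anonymous_sam:
        reach.discard("samr")
    if system.startswith("Windows 2003") and not turn_off_anonymous_block:
        reach.discard("lsarpc")      # blocked unless TurnOffAnonymousBlock = 1
    return reach
```

Calling anonymous_reach("Windows XP SP2", null_session_pipes=[]) returns an empty set, which is the effect of the "set NullSessionPipes to empty string" recommendation later in the deck.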


Slide 36: Summary
- Windows 2000
  - Not protected by default against NULL sessions
  - Setting RestrictAnonymous to 1 does not really improve security; using 2 is highly recommended on workstations and servers
  - Apply Update Rollup Package 1 for Windows 2000 SP4
- Windows XP
  - Protected by default against access to samr and lsarpc
  - In XP SP2, \pipe\browser can be used to reach srvsvc or wkssvc
- Windows 2003
  - Protection equivalent to Windows XP
- Active Directory domain controllers
  - Typically not protected by default against account enumeration via samr


Slide 37: Hardening recommendations (1/4)
- If server-side SMB support is not needed, disable SMB
  - Only possible for isolated (not part of a Windows domain) systems
  - If needed, remote administration still possible using Terminal Services or SSH
- To disable SMB support
  - Disable NetBIOS over TCP/IP support
  - Stop the Server (lanmanserver) service
- More details on Windows network services hardening
  - http://www.hsc.fr/tips/min_srv_res_win.en.html
  - http://www.hsc.fr/tips/min_w2k3_net_srv.html


Slide 38: Hardening recommendations (2/4)
- Windows 2000
  - Set RestrictAnonymous to 2 (disable NULL sessions)
  - Apply Update Rollup Package 1 for Windows 2000 SP4
- Windows XP
  - Set RestrictAnonymous to 1
  - Windows XP SP2: set NullSessionPipes to "" (empty string)
- Windows 2003
  - Set RestrictAnonymous to 1
  - Set TurnOffAnonymousBlock to 0
  - Windows 2003 SP1: consider setting NullSessionPipes to "" (empty string), at least remove browser


Slide 39: Hardening recommendations (3/4)
- Active Directory domain controllers
  - Windows 2000: remove EVERYONE from the Pre-Windows 2000 Compatible Access alias
  - Windows 2003: verify that ANONYMOUS LOGON is not in the Pre-Windows 2000 Compatible Access alias
  - Windows 2003: set TurnOffAnonymousBlock to 0


Slide 40: Hardening recommendations (4/4)
- Using the named pipe firewall available in XP SP2 and W2K3 SP1
  - Named pipe filtering can be dynamically enabled by setting the PipeFirewallActive registry value to 1 (not present by default)
  - Named pipe filtering applies to all SMB sessions (NULL sessions and authenticated sessions)
  - List of allowed named pipes specified in the AllowedPipes registry value (REG_MULTI_SZ)
  - Setting PipeFirewallActive to 1 and AllowedPipes to "" (empty string) is the equivalent of removing the IPC$ share
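An added example, not from the presentation, of checking a system against the "Hardening recommendations (2/4)" slide: it parses a regedit export (.reg) of the relevant keys, decoding the REG_MULTI_SZ NullSessionPipes value, and reports deviations per system. The key paths (Control\Lsa for RestrictAnonymous and TurnOffAnonymousBlock, Services\LanmanServer\Parameters for NullSessionPipes) are the standard locations and are an assumption here, since the slides name only the values; the .reg text is constructed sample input.

```python
# Added example, not from the presentation: parse a regedit export of the Lsa and
# LanmanServer\Parameters keys and compare the values with the hardening
# recommendations slide.  Key paths are assumed (the slides name only the values);
# SAMPLE_REG is constructed input, not a capture from a real host.
import re

LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
SRV = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"

SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
"TurnOffAnonymousBlock"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"NullSessionPipes"=hex(7):6c,00,73,00,61,00,72,00,70,00,63,00,00,00,62,00,72,\
  00,6f,00,77,00,73,00,65,00,72,00,00,00,00,00
'''

def parse_reg(text):
    """Map (key, value name) -> value; dword, string and REG_MULTI_SZ (hex(7))."""
    values, key, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]          # regedit wraps long values with a backslash
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or key is None:
            continue
        name, data = m.group(1).lower(), m.group(2)
        if data.startswith("dword:"):
            val = int(data[6:], 16)
        elif data.startswith("hex(7):"):      # UTF-16LE strings, NUL separated
            blob = bytes(int(b, 16) for b in data[7:].split(",") if b)
            val = [s for s in blob.decode("utf-16-le").split("\0") if s]
        else:
            val = data.strip('"')
        values[(key, name)] = val
    return values

def audit(values, system):
    """Findings against the recommendations slide for a named Windows system."""
    ra = values.get((LSA, "restrictanonymous"), 0)
    block_off = values.get((LSA, "turnoffanonymousblock"), 0)
    pipes = values.get((SRV, "nullsessionpipes"), [])
    findings = []
    if system == "Windows 2000":
        return [] if ra == 2 else ["RestrictAnonymous should be 2 (disable NULL sessions)"]
    if ra != 1:
        findings.append("RestrictAnonymous should be 1")
    if system.startswith("Windows 2003") and block_off != 0:
        findings.append("TurnOffAnonymousBlock should be 0 (1 re-opens lsarpc)")
    if system in ("Windows XP SP2", "Windows 2003 SP1") and pipes:
        findings.append("NullSessionPipes should be empty, contains: " + ", ".join(pipes))
    return findings
```

Run audit(parse_reg(SAMPLE_REG), "Windows 2003 SP1") on the sample to see all three findings; an export taken with "reg export" from a hardened host should produce none.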


Slide 41: Conclusion
- Windows NULL sessions are here to stay
  - Still needed in some environments for backward compatibility
  - Used as attack vectors to exploit recent MSRPC vulnerabilities (MS03-049, MS04-011)
- A good knowledge of network protocols and Windows internals is recommended to understand NULL sessions
- A third-party MSRPC implementation is required to exploit NULL sessions effectively
- Recent Windows systems are more and more protected against NULL sessions
  - Additional hardening measures are still required


Slide 42: References
- Windows network services internals
  - http://www.hsc.fr/ressources/articles/win_net_srv/
  - Includes a detailed section about MSRPC NULL sessions
- Windows 2000, Null Sessions and MSRPC (Todd Sabin)
  - http://www.bindview.com/Services/RAZOR/Resources/nullsess.ppt
- ethereal
  - http://www.ethereal.com/
  - http://wiki.ethereal.com/
- rpcclient
  - http://www.samba-tng.org/
  - http://www.samba.org/
