When you are training in anything. On-line material can be a godsend. However, only if it is of sound value and actually works.
Windows Server 2008 R2 – Enumerating Users & Shares
I built a dummy Domain controller with a few users to test. I tried to emulate the live environment, but with a default instance of the server platform. I thought an unpatched server would at least help train the mind to spot one in the field.
Server Message Block (SMB), is essentially how Windows users use folders, shares and resources over a network in the background. Users don’t really need to know what it is. Only that they get access to the correct resources.
Attackers can use tools to gain information about default shares and users on the network. Even Administrator accounts and SID’s. In older server platforms like Server 2003, there was a way you could see this information by logging in anonymously. Such open access is called a NULL Session.
Quite often in blogs you seeing people pulling all sorts of data from systems using a tool in linux called ‘rpcclient’ It’s very useful. Unless you are using modern server platforms like Server 2008 R2 & 2012, where Null sessions are disabled. A valid user account must be used in order to enumerate anything over SMB.
Logging in on a Null Session is not disabled by default on Server 2008, however, gaining any information over the network was disabled for any unauthenticated users.
As you can imagine, this can be very frustrating to anyone looking to ‘test’ a network.
There is still hundreds of blogs out there with really out of date information. I don’t doubt that it will still be useful to people who test older server platforms, however, for newer server operating systems, there will need to be another way of enumerating users and default shares.
So how can we get around this?
I’m sure I will find out through testing other methods. This post will remain a marker for start of the journey.