5 Replies Latest reply on Jul 20, 2015 4:54 PM by Radioteacher

    Null Session Enumeration

    Radioteacher

      I would like to alert if any thing or anyone attempts Null Session Enumeration against Active Directory.

       

      This is two fold since I want to know if it is being done and want to stop it if possible.  Alerting on it would be great as well.

       

      I have been looking for something in the logs to key into but have not found it yet.

       

      RT

        • Re: Null Session Enumeration
          Radioteacher

          I might have found the answer for Snort but not LEM.

           

          From The Anatomy of an Attack

           

          Identify Null Sessions with IDS

          If the registry changes or firewall rules mentioned earlier break the functionality of network applications, then you must switch to a reactive approach rather than a proactive one. Rather than preventing enumeration through null sessions the best we can hope to do is catch it when it happens and react to it as we would a normal network security incident.


          If you are using Snort, the most popular IDS in production today, then the following rule will detect null session enumeration (taken from Intrusion Detection with Snort, by Jack Koziol):


          # sid/rev are a local-range placeholder added here so the rule loads; Snort requires a sid.
          alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; flow:to_server,established; \
              content:"|00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E 00 54 00 20 00 31 00 33 00 38 00 31|"; \
              classtype:attempted-recon; sid:1000001; rev:1;)


          This would not prevent null session connections from occurring, but it will alert you when they do so you can react appropriately.
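The rule above matches a fixed byte string, and it is worth seeing exactly which part of the SMB request that string comes from. The following is an added example, not code from the thread, from Koziol's book or from LEM: it rebuilds the relevant part of an SMB1 SESSION_SETUP_ANDX request from constructed inputs and applies the rule's port and content conditions to it. The builder is a simplified, constructed model (only the password-length words, byte count and the Unicode string block, not a full SMB header), the samples are constructed rather than captured, and the treatment of `established` as a given is an assumption.

```python
"""Added example (not from the thread): replay the byte match of the Snort
"NETBIOS NT NULL session" rule over constructed SMB1 SESSION_SETUP_ANDX
payloads, to show what the rule actually keys on and where it misses.

The packet builder is a simplified, constructed model: it emits only the
password-length words, byte count and the Unicode string block of the
request, not a complete SMB header.
"""
import struct

NETBIOS_SSN_PORT = 139  # the rule only looks at traffic to TCP/139

# Exact content bytes from the rule: four NUL bytes, then UTF-16LE
# "Windows NT 1381" (the NativeOS string an NT 4.0 client sends; 1381 is
# the NT 4.0 build number).  The rule omits the final 00 of the last "1".
RULE_CONTENT = bytes.fromhex(
    "00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 "
    "4E 00 54 00 20 00 31 00 33 00 38 00 31"
)


def _ustr(s: str) -> bytes:
    """NUL-terminated UTF-16LE string, as used in Unicode SMB1 requests."""
    return s.encode("utf-16-le") + b"\x00\x00"


def build_session_setup_data(account: str, domain: str, password: bytes,
                             native_os: str = "Windows NT 1381") -> bytes:
    """Constructed SESSION_SETUP_ANDX fragment (NT LM 0.12 dialect, Unicode):
    AnsiPasswordLength, UnicodePasswordLength, ByteCount, then the data
    block in protocol order: password blob, AccountName, PrimaryDomain,
    NativeOS, NativeLanMan.  An empty string encodes as just 00 00."""
    data = (password + _ustr(account) + _ustr(domain)
            + _ustr(native_os) + _ustr("NT LAN MANAGER 4.0"))
    return struct.pack("<HHH", 0, len(password), len(data)) + data


def matches_null_session_rule(payload: bytes, dst_port: int,
                              to_server: bool = True) -> bool:
    """The rule's conditions: flow:to_server (assumption: 'established' is
    taken as given for a completed TCP session), destination port 139, and
    the content bytes anywhere in the payload."""
    if not to_server or dst_port != NETBIOS_SSN_PORT:
        return False
    return RULE_CONTENT in payload


# Constructed samples (not captured traffic).
SAMPLES = {
    # Empty account, empty domain, no password: the classic null session
    # from an NT 4.0 client.  Two empty strings give the four NULs.
    "nt4_null_session": build_session_setup_data("", "", b""),
    # Named user with domain and a 24-byte LM/NTLM response: no match.
    "nt4_named_user": build_session_setup_data("alice", "CORP", b"\x11" * 24),
    # Named user but empty domain: the terminator of the account name plus
    # the empty domain also yield four NULs, so the rule fires (false positive).
    "nt4_user_no_domain": build_session_setup_data("alice", "", b"\x11" * 24),
    # A genuine null session from a client with a different NativeOS string
    # is missed entirely (false negative): the signature is tied to NT 4.0.
    "w2k_null_session": build_session_setup_data("", "", b"",
                                                 native_os="Windows 2000 2195"),
}


def classify_samples(dst_port: int = NETBIOS_SSN_PORT) -> dict:
    """Run the rule over every sample; returns {name: matched}."""
    return {name: matches_null_session_rule(p, dst_port)
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:22s} {'ALERT' if hit else '-'}")
```

What the samples show: the four leading NUL bytes are not a "null session" marker in the protocol; they are the empty AccountName and empty PrimaryDomain strings sitting directly in front of the client's NativeOS string. So the rule fires on any Unicode session setup whose account and domain are both empty (or whose domain alone is empty), but only when the client identifies itself as "Windows NT 1381". Null sessions from clients with other NativeOS strings, or over TCP/445 rather than 139, pass it untouched, which is why log-based detection on the domain controller is a useful complement rather than a duplicate.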

            • Re: Null Session Enumeration
              Radioteacher

              I am going to test this and see if it shows up in the logs this week.  If it works, I will monitor Security Log ID 4625 and alert if it is logged when anything attempts Null Session Enumeration (NSE).

               

              Even if your Domain is setup to block NSE this might be a way to find internal attackers/hackers or poorly written apps that use NSE.

               

              RT

                • Re: Null Session Enumeration
                  nicole pauls

                  For reference - in LEM, 4625 will either appear as MachineLogonFailure or UserLogonFailure, depending on whether the account name has a $... I'm not sure how the null SID and other details will appear, though, so if you get those details I'll be curious to see if we can distinguish them and how it looks in the event log.

                    • Re: Null Session Enumeration
                      Radioteacher

                      I will be working with a team to generate fresh logs in the Lab.  When I get the logs I will definitely know what I should search and find.

                       

                      I hope to have more on this tomorrow.  Until then try the search below in nDepth.

                       

                      ( ProviderSID = "Microsoft-Windows-Security-Auditing 4625" )

                       

                      RT