Wireshark Error Reading From Pipe the Operation Completed Successfully (Error 0)

Hello,

TLDR; I think I plant three new ways to do user enumeration on Windows domain controllers, and I wrote some scripts for it.

Over the years, I have often used the NULL session vulnerability to enumerate lists of users, groups, shares and other interesting information from remote Windows systems.

For the uninitiated, Windows exposes several administrative and subconscious shares via SMB past default.

Some of these shares let one to access the complete storage device on remote systems. For example, C$ will allow 1 to access the C Drive. Another share, Admin$, allows one to admission the Windows installation directory. To be able to mount these shares however, one needs to be an administrator on the remote organization.

IPC$ is a special share that is used to facilitate inter-process communication (IPC). That is, it doesn't allow i to access files or directories like other shares, but rather allows one to communicate with processes running on the remote system. Specifically, IPC$ exposes named pipes, that 1 can write to or read from to communicate with remote processes. Such named pipes are created when an application opens a pipage and registers it with the Windows Server service (SMB), such that it tin be exposed past the IPC$ share. Any data written to such a named pipe is sent to the remote process, and conversely any output data written by the remote procedure can be read past a local awarding from the pipe. 1 tin utilize such named pipes to execute specific functions, frequently referred to as Remote Procedure Calls (RPC) on the remote system.

Sure versions of Windows allowed one to authenticate and mountain the IPC$ share without providing a username or password. Such a connectedness is often referred to as a NULL session, which while limited in its privileges, could exist used to execute diverse RPC calls and as a result obtain useful information virtually the remote system. Arguably the about useful information one could extract in this manner is user and grouping listings, which can be used in creature force attacks.

NULL sessions is pretty old news. I recollect learning well-nigh information technology in "Hacking For Dummies" in 2004, and by then it was already well known. Later on applications like Cain& Able and others allowed one to exploit it, Microsoft clamped down on it. From Windows XP onwards 1 can disable Nix sessions, or information technology is disabled by default. There are numerous guides on how to disable Cypher sessions, with some somewhat confusing advice from Microsoft'south side regarding what setting does what exactly.

An application that has grown in popularity to test for Zilch sessions is rpcclient, which other tools similar enum4linux and ridenum uses nether their hoods. Another is Nmap'southward smb-enum-user NSE script.

During some tests, I plant that when I used rpcclient confronting known vulnerable systems, that it would oftentimes produce error letters and fail to enumerate user information. In a penetration examination scenario, this behaviour could make one believe that the remote system does not allow one to admission the IPC$ share and execute RPC calls, while it could exist possible.

In these tests, I ran rpcclient and nmap'southward smb-enum-users NSE script against the aforementioned vulnerable system and viewed the output.

Below, the output of the smb-enum-users script shows that it was possible to enumerate the user information:

Nether the hood, the smb-enum-users' script executes the QueryDisplayInfo RPC call to enumerate user data. Notwithstanding, when I used rpcclient to execute the QueryDisplayInfo RPC call, it failed to enumerate the user information and instead produced the following output:

To sympathize why this behaviour occurs, let'southward look at the Wireshark trace of each connection starting with the capture of smb-enum-users which was able to enumerate a list of users on the organisation:

The smb-enum-users script goes through diverse phases, equally highlighted by the different boxes. It firsts establishes an anonymous session with the SMB server and then accesses the IPC$ share. It then opens up the samr named pipe, and runs several RPC calls, including Connect4, EnumDomains, LookupDomain,OpenDomain and QueryDisplayInfo, each of which completes successfully. The starting time few RPC calls extracted information regarding the arrangement's local domain, while QueryDisplayInfo used that information to produce a list of all users within that domain.

Let'southward now look at the rpcclient connection:

In this capture, we tin can see that the rpcclient goes through four stages before finally reaching an fault status. The start stage, every bit highlighted by the kickoff box, show that rpcclient was able to connect and authenticate to the server, using a bare username and password. The second stage shows that rpcclient was able to access the IPC$ share, and the third stage shows that it was able to open the lsarpc named piping. Only in the fourth phase, when rpcclient tries to execute the LsaOpenPolicy RPC phone call does the remote server reply with an admission denied mistake bulletin. It is important to highlight that this behaviour is default to rpcclient, and is run before executing any provided RPC commands, such equally QueryDisplayInfo.

By looking at these network traces, we encounter that the authentication and authorization steps for the connections are performed separately. That is, nosotros first authenticate with the SMB server, using a bare username and countersign. After this authentication has succeeded, authorisation is performed at three different places: when we endeavour to open the IPC$ share, when we endeavour to open up a pipe, and finally when we endeavor to execute an RPC call available via the pipe. As we've seen with LsaOpenPolicy, a system may allow one to perform most of these actions, but prevent one from finally executing the RPC role call. This nevertheless doesn't mean that the system prevents Null session authentication. It simply ways that the organization does not allow an bearding user to execute a particular RPC office telephone call.

By default, rpcclient commencement opens the LSARPC pipe and then requests the remote system to execute the LsaOpenPolicy and LsaQueryInformationPolicy functions. If an anonymous user is not allowed to execute these part, rpcclient exits. Nearly RPC calls all the same don't require the data provided by these functions. In our test for example, the smb-enum-users script could however execute QueryDisplayInfo, and enumerate user information, without access to these functions.

Considering of this behaviour, one may thus obtain simulated negatives when using rpcclient to determine whether a organization allows Zilch sessions, and whether that session could exist used to provide useful information.

After playing effectually with rpcclient and Wireshark, I started to wonder which RPC function calls, if any, one could execute on a default Windows organization using a Nil session. With this in mind, I consulted MSDN, which contained details on diverse different named pipes, and the functions that each of these named pipes exposed. I too started testing various versions of Windows. I particularly looked at domain controllers, every bit I have noted during several pentests that they oftentimes allowed one to connect using a NULL session, and and so enumerate all users within the domain.

The tests showed that not but was it possible to authenticate to a default Windows 2012 domain controller without providing credentials, but 1 could likewise open the IPC$ share and several dissimilar pipes. In particular, as soon every bit one promoted a Windows 2012 system to go a domain controller, its security configuration was modified to allow anonymous access to the samr, lsarpc and netlogon pipes. In a default configuration, most functions within the SAMR and LSARPC pipes could hnot be executed.

Even so, one could execute a few functions inside the NETLOGON pipage anonymously, including GetDcName, DsrGetDcName, DsrGetDcNameEx and DsrGetDcNameEx2.

These functions allow one to request the remote organisation to detect a domain controller for any specified domain name. Note that the domain does not need to be the same as the domain to which the remote organisation is joined to.

From https://msdn.microsoft.com/en-the states/library/cc237228.aspx, one can see that the DsrGetDcNameEx2 function allows one to request the remote system to locate a domain controller, for a specified domain proper noun, which contains a specific user. If the remote arrangement tin locate a domain controller for such a domain, and the specified user exists, the remote system will return with a successful response including details regarding the domain controller. If the remote organisation tin discover a domain controller for the specified domain, merely the user does however non be, the remote system will return an ERROR_NO_SUCH_USER fault message.

The DsrGetDcNameEx2 function requires one to specify an AllowableAccountControlBits field. This field is a set of 32 bits, six of which signify some specific aspect the user business relationship should possess. For the most part, nosotros are interested in normal domain accounts, which is selected by the 10th bit. This thus becomes 0000000000000000000001000000000, or 1000000000 for short, which when converted to decimal is 512.

With this information in manus, i can execute the DsrGetDcNameEx2 function using rpcclient. If the provided username exists in the domain, the response looks every bit follows:

If one however provided a username that does non exist, rpcclient returns the following error message:

One can thus establish if a user on a remote domain exists, or non. While this type of user enumeration requires one to provide the username (i.eastward. an oracle), and can merely validate if the username exists or not, it tin can all the same be useful in several situations.

For instance, if one has established the naming convention of a detail domain, one could generate all possible variations and check which have been created. For example, if one user has the username M1000, one could generate all users betwixt M1000 and M9999, and check which exists on the domain.

Alternately, i could employ a list of commonly used domain usernames that typically bypass password complexity rules. We maintain an internal ane, but if you lot pull accounts from a few GALs or hashes from a few DCs you'll be able to create your own.

With the previously mentioned issues of rpcclient in listen, I decided that it may exist a better idea to write a custom application that could call DsrGetDcNameEx2 on a remote system.

To this extent, I used the impacket framework, which allows ane the power to call diverse RPC functions via SMB. The application takes in a list of potential usernames, and tries to establish if each i exists by calling DsrGetDcNameEx2 on a remote system. You tin go it here. I have had information technology field tested, and while it was reported to work on all domain controllers, it did have a while to complete the enumeration. The tests also indicated that information technology only seemed to piece of work on domain controllers.

In an attempt to speed up the enumeration, I investigated how DsrGetDcNameEx2 works.

The GetDcName, DsrGetDcName, DsrGetDcNameEx and DsrGetDcNameEx2 functions are able to locate a domain controller for any provided domain name. To practise then, they can either use DNS and LDAP, or NetBIOS.

The details of this procedure is provided at https://msdn.microsoft.com/en-the states/library/cc223817.aspx, however in brusque it works equally follows:

1. The organisation obtains the IP address of a domain controller related to the provided domain name either by using DNS lookups, or by sending NetBIOS circulate requests for the domain name.
2. If the arrangement obtained an IP address using DNS, it volition send an LDAP ping packet to that address, while if information technology obtained an accost via NetBIOS, it will send a mailslot ping bundle to it. Both the LDAP and NetBIOS packets are UDP based, and contains a list of requirements that the domain controller should possess.
3. The domain controller checks if information technology possesses the required attributes, and replies to the system'southward asking.
4. The arrangement processes the response ship by the remote system to either the LDAP ping or mailslot ping packets.

What'due south interesting nigh these approaches are that they do not use any hallmark past blueprint. Since the implementation of DsrGetDcNameEx2 can use either of these methods, i.east. DNS and LDAP, or NetBIOS, we can assume that we will be able to use both to enumerate users in the same way.

Permit'due south first wait at the DNS and LDAP, approach. Since we are not actually interested in finding a domain controller using the method, we volition skip the DNS part, and focus only on the LDAP packet.

Specifically, the method sends a LDAP search query to the remote arrangement. This is often referred to as a CLDAP parcel, or connectionless LDAP packets, every bit information technology uses UDP instead of TCP. Across this, in that location is little departure between the structure of a CLDAP package and a normal LDAP search bundle, equally they both use ASN.1.

As tin be seen in the above pic, the CLDAP package requests the LDAP server to search for an object that matches various filters. These include:

• the provided domain name (BLACK.COM)
• the requested username (Ambassador)
• the proper name of the host that requested the search, in both NetBIOS and DNS class (DC01.LABS.com)
• The GUID of the sought domain, which tin be left blank.
• The NETLOGON_NT_VERSION, which can exist used to configure the reply of the server every bit detailed at https://msdn.microsoft.com/en-united states/library/cc223801.aspx.
• the AAC or AllowableAccountControl, bits. This value is mapped from the AAC value provided by the DsrGetDcNameEx2 request, according to the table at https://msdn.microsoft.com/en-u.s./library/cc245737.aspx/. One can go the values at https://msdn.microsoft.com/en-us/library/cc245514.aspx and https://msdn.microsoft.com/en-u.s./library/cc245515.aspx. For a normal account, i.east. UF_NORMAL_ACCOUNT (512), the value is changed to USER_NORMAL_ACCOUNT(16) which has a hex value of 0x00000010.

The request also specifies that but the Netlogon aspect of the object be returned.

In the to a higher place case, the user Administrator exists on the BLACK.COM domain, and thus the server replies with the following structure:

The functioning code is perhaps the about important value, as it indicates if the search returned a consequence or not. Every bit detailed at https://msdn.microsoft.com/en-us/library/cc223803.aspx,the number 23 indicates that the server responded with a valid LOGON_SAM_LOGON_RESPONSE_EX structure, which contains data about the domain controller. This indicates that the user existed in the specified domain.

When the same parcel is sent, but for a user that doesn't exists, we get an operation code of 25 and the LOGON_SAM_USER_UNKNOWN_EX structure, as is shown below for the username John:

We tin can thus send such a parcel to a remote domain controller, and make up one's mind if a user exists past checking if it responds with an performance lawmaking of 23 or of 25.

To do so, we need to however be able to craft a CLDAP packet. The Samba source code includes an example perl script which tin create such a CLDAP package, located at https://github.com/samba-team/samba/blob/chief/examples/misc/cldap.pl.

Based on this example, I created a python script which volition have in a list of usernames, and for each user create a CLDAP packet, send information technology to a remote domain controller, and based on the response determine if the user exists or not. Specifically, I used the asn1tools python module to create the packet, which consist completely of an ANS.1 structure. Only the DnsDomain, NtVer, User, and AAC fields were required for a server to respond. You can get the script here.

I tested this script on a remote domain controller, and it worked fairly chop-chop, checking about 3500 usernames in forty seconds.

While implementing the script, I wondered if it would exist possible to alter the LDAP search filter to use wildcards in the search. This would allow one to enumerate users without fully knowing their usernames. If one could search for all usernames matching a pattern, 1 could increment the pattern until an exact match is plant. For instance, one could start at B*, then Bo*, and finally Bob. To this extent, I modified the script to rather use a substring filter than an equality lucifer filter. However, this did not piece of work as the server only refused to respond. I'll continue to play around with the request, but at this betoken it seems like one tin but ostend if a known username exists or not.

With the CLDAP method consummate, I wanted to see if 1 could implement the NetBIOS mailslot ping method, and in one case again consulted Wireshark.

I continued to the DC01.labs.com system (192.168.57.2) and issued the DsrGetDcNameEx2 command, requesting DC01.labs.com to discover a domain controller for the domain name Blackness (192.168.57.120), with has a user called Ambassador.

In the trace below, we tin run into the packets sent directly after the DsrGetDcNameEx2 command is executed.

The DC01.labs.com system first sends out a NBNS name query broadcast, trying to observe any domain controller <1C> for the domain name BLACK.

At #148 we see the BLACK domain controller respond to the NBNS query circulate, telling the DC01.labs.com its IP accost. In #150, the DC01 arrangement starts to process the response, and sends out ARP requests to connect the Blackness domain controller.

In #149 the DC01.labs.com organization broadcasts a UDP SMB_NETLOGON packet, and then later on in #153 specifically sends the same packet to the BLACK domain controller, using its IP address.

When the Black domain controller processes the SMB_NETLOGON package, it tries in #152 to establish the IP address of DC01 via a NBNS lookup, and gets a NBNS response in #153.

Finally, in #155, the Blackness domain controller sends its response to the SMB_NETLOGON packet.

From this trace, we can see that we can cause both the system that we execute the DsrGetDcNameEx2 function on, and the domain controller that responds to the SMB_NETLOGON asking, to do NBNS lookup requests. Nosotros also control the names that both systems will lookup via NBNS, and can respond to those requests with any IP address. This effectively allows one, without providing whatever hallmark, to instruct a Window domain controller to connect to any provided IP address via NetBIOS. I wondered if this could be used to obtain hashes using something similar Responder, however as all packets resulting from theDsrGetDcNameEx2 are UDP based, and no SMB TCP connections are established, it doesn't seem to be fiddling. I'm notwithstanding playing effectually with Responder to come across what one could do with this, merely at the very least 1 seem to be able to utilize this approach to proactively poison a system's cache with a NETBIOS proper name and a respective IP.

With regards to enumerating users, let's wait at the SMB_NETLOGON packet. While Wireshark classifies this package every bit SMB_NETLOGON, information technology is in fact a mailslot write packet, every bit discussed by MSDN in https://msdn.microsoft.com/en-u.s./library/cc223816.aspx,https://msdn.microsoft.com/en-us/library/cc234511.aspx , https://msdn.microsoft.com/en-us/library/ee442092.aspx and https://msdn.microsoft.com/en-us/library/cc223804.aspx.

The structure of the package is quite involved, and includes various fields. In Wireshark a asking such as the one sent in #153, would look as follows:

The majority of this packet is simply preamble, working its way towards the request which Wireshark puts under the section "Microsoft Windows Logon Protocol (Old)", and MSDN calls the NETLOGON_SAM_LOGON_REQUEST structure in the Databytes field. The exception to this is the requested domain name, in this case BLACK, which is sent in the first of this packet.

Looking at the NETLOGON_SAM_LOGON_REQUEST structure we can see three fields of interest, i.east. UnicodeComputerName, UnicodeUserName and AllowableAccountControlBits.

The AllowableAccountControlBits value is the same as before, i.e. 0x00000010 as was used in the structure of the CLDAP packet. The Estimator Name field contains the NetBIOS host name of the system from which the request originated. It is this value that the domain controller volition lookup using NBNS requests, as previously discussed. This isn't ideal, as this requires an implementation of NBNS response packets to obtain the mailslot ping response. One can avert this behaviour, by but setting the value to an IP address. The MSDN documents land that both the Computer Proper name and User Name fields should exist encoded in UTF-16.

Looking at the response provided for this bundle, nosotros meet a near identical construction, with the exception of the Databytes field:

Wireshark somewhat confusingly interprets the response lawmaking incorrectly equally "user unknown". Every bit mentioned earlier, MSDN states that the response code 23, or 0x17 in hex is reserved for "LOGON_SAM_LOGON_RESPONSE_EX". Response code 25, or 0x19 is even so reserved for "LOGON_SAM_USER_UNKNOWN_EX".

When sending a mailslot ping request with a username that doesn't be, the server does reply with the 25 response lawmaking, however Wireshark fails to interpret the response construction:

Regardless, nosotros tin thus found if a user exists by sending a mailslot ping parcel, and checking if the response code is 23 or 25.

Crafting these packets is somewhat complicated, and then I looked at scapy for some help. I had to make some changes to the existing scapy structures, and also had to implement the NETLOGON_SAM_LOGON_REQUEST structure. In addition, both the username and source hostname needed to exist encoded with UTF-16. Another affair to take into business relationship, as highlighted in the above captures, was the length and size fields that change with unlike usernames and hostnames. MSDN and RFC 1001 and RFC 1002 helpfully state the required calculations needed for these fields. Putting this birthday I was able to create a script that can enumerate users using this method, which yous can get over here.

Comparing the three unlike approaches, I plant that the CLDAP technique to exist the fastest, with the mailslot arroyo 2nd, and the DsrGetDcNameEx2 coming in third. Via a remote connection, I have been able to test virtually 3500 usernames in about 40 seconds using the CLDAP technique. Note that the scripts at this stage are only PoCs, and haven't really been optimised for speed. Using multiple threads and then forth could lead to an increment.

Regarding the logs that these techniques generate, information technology would seem that both the CLDAP and mailslot ping approach generate no entries, while the DsrGetDcNameEx2 approach does generate an anonymous logon entry which contains the IP accost of the system that executed the script.

Hopefully the provided scripts tin can assistance you lot in enumerating a listing of domain users. I'm non enlightened of whatsoever existing scripts that use these techniques, still, in either mode I learned quite a lot in implementing them.

Thanks for reading, and happy hacking.
Reino

daughertyharioned49.blogspot.com

Source: https://sensepost.com/blog/2018/a-new-look-at-null-sessions-and-user-enumeration/

Share this post