The IPC$ (Inter-Process Communication) share is a standard hidden share on an
NT machine which is mainly used for server to server communication. NT machines
were designed to connect to each other and obtain different types of necessary
information through this share. As with many design features in any operating
system, intruders have learned to use this feature for their own purposes.
By connecting to this share an intruder has, for all technical purposes, a
valid connection to your server. By connecting to this share as null, the
intruder has been able to establish this connection without providing it with
credentials.
To connect to the IPC$ share as null, an intruder would issue the following
command from a command prompt:
c:\>net use \\[IP address of target machine]\ipc$ "" /user:""
If the connection is successful, the intruder could do a number of things
other than gleaning a user list, but let's start with that first. As mentioned
earlier, this technique requires a null IPC session and the SID tools. Written
by Evgenii Rudnyi, the SID tools come in two different parts, User2sid and
sid2user. User2sid will take an account name or group and give you the
corresponding SID. Sid2user will take a SID and give you the name of the
corresponding user or group. As a stand-alone tool, this process is manual
and very time consuming. Userlist.pl is a Perl script written by Mnemonix
that automates this process of SID grinding, which drastically cuts down
on the time it would take an intruder to glean this information.
At this point, the intruder knows what services are running on the remote
machine, which major software packages have been installed (within limits),
and has a list of valid usernames and groups for that machine. Although this
may seem like a ton of information for an outsider to have about your network,
the null IPC session has opened other venues for information gathering. The
Rhino9 team has been able to retrieve the entire native security policy for
the remote machine. Such things as account lockout, minimum password length,
password age cycling, password uniqueness settings as well as every user, the
groups they belong to and the individual domain restrictions for that user,
all through a null IPC session. This information gathering ability will appear
in Rhino9's soon-to-be-released Leviathan tool.
With the null IPC session, an intruder could also obtain a list of network
shares that may not otherwise be obtainable. For obvious reasons, an intruder
would like to know what network shares you have available on your machines.
For this information gathering, the standard net view command is used:
c:\>net view \\[IP address of remote machine]
Depending on the security policy of the target machine, this list may or may
not be denied. Take the example below (the IP address has been left out for
obvious reasons):
C:\>net view \\0.0.0.0
System error 5 has occurred.
Access is denied.
C:\>net use \\0.0.0.0\ipc$ "" /user:""
The command completed successfully.
C:\>net view \\0.0.0.0
Shared resources at \\0.0.0.0

Share name   Type   Used as   Comment
---------------------------------------------------------------------
Accelerator  Disk             Agent Accelerator share for Seagate backup
Inetpub      Disk
mirc         Disk
NETLOGON     Disk             Logon server share
www_pages    Disk
The command completed successfully.
As you can see, the list of shares on that server was not available until
after the IPC null session had been established. At this point you may begin
to realize just how dangerous this IPC connection can be, but the IPC
techniques that are known to us now are actually very basic. The
possibilities that are presented with the IPC share are just beginning to
be explored.
How to access shares after creation of null session:
net view \\IP_ADDRESS
How to list administrators after creation of null session:
local.exe administrators \\IP_ADDRESS
How to list group members in "domain admins" after creation of null session:
global.exe "domain admins" \\IP_ADDRESS
Disabling NetBIOS or blocking ports 137-139 does not close null sessions,
as they can still be established over SMB on port 445.
By default it is possible for anonymous users to view:
Minimum password length
Whether blank passwords are permitted
Maximum password age
Password history
User list
Network shares
This can be restricted by changing this DWORD in the registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
RestrictAnonymous = 2 (Default = 0)
0 = None. Rely on default permissions
1 = Do not allow enumeration of SAM accounts
and names (will stop null session exploits)
2 = No access without explicit anonymous permissions
(Win2k only)
Note that enabling this restriction also prevents guest-account users from
seeing network shares, as their logon will fail with security error code
3221225572 (Logon failed: the username doesn't exist).
It is possible to log unsuccessful logins to your machine, to detect whether
someone is trying to access it. To do this:
Run the program MMC using "Start Button" -> "Run..."
In the program menu select "Console" -> "Add/Remove Snap-in"
Press the button "Add", select "Group Policy" and press "OK"
In the Console Window go to this folder: "Local Computer Policy"
-> "Windows Settings" -> "Security Settings" -> "Local Policies"
-> "Audit Policy"
For minimum logging, select to audit failure in "Account Logon Events",
"Directory Service Access" and "Logon Events"
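As an added example (not part of the original text or of the Rhino9 tools), this is the detection side of the audit policy above in Python: constructed, simplified Security-log records are scanned for the two things the text describes, an anonymous network logon (the null IPC$ session) and a run of failed logons returning the "username doesn't exist" status. The pipe-delimited export layout, the source addresses and the account names are constructed for the demo; the event IDs are the Windows 2000 Security log values.

```python
from collections import Counter

# Constructed sample export (not a real Event Viewer format), fields:
# time|event_id|user|domain|logon_type|status|source
SAMPLE_LOG = """\
10:01:02|540|ANONYMOUS LOGON|NT AUTHORITY|3|0x0|10.0.0.5
10:01:03|529|admin|WORKGROUP|3|0xC0000064|10.0.0.5
10:01:03|529|backup|WORKGROUP|3|0xC0000064|10.0.0.5
10:01:04|529|test|WORKGROUP|3|0xC0000064|10.0.0.5
10:05:00|528|jsmith|CORP|2|0x0|-
10:06:10|529|jsmith|CORP|2|0xC000006A|-
"""

# Windows 2000 Security event IDs: 529 = logon failure, 540 = successful network logon.
EVENT_LOGON_FAILED = 529
EVENT_NETWORK_LOGON = 540
LOGON_TYPE_NETWORK = 3
# NTSTATUS "the username doesn't exist"; the text quotes it in decimal as 3221225572.
STATUS_NO_SUCH_USER = 0xC0000064
FIELDS = ("time", "event_id", "user", "domain", "logon_type", "status", "source")


def parse_records(text):
    """Turn the pipe-delimited export into dicts with the numeric fields converted."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split("|")))
        rec["event_id"] = int(rec["event_id"])
        rec["logon_type"] = int(rec["logon_type"])
        rec["status"] = int(rec["status"], 16)
        records.append(rec)
    return records


def find_null_sessions(records):
    """Sources that completed a network logon as ANONYMOUS LOGON, i.e. a null IPC$ session."""
    return {r["source"] for r in records
            if r["event_id"] == EVENT_NETWORK_LOGON
            and r["logon_type"] == LOGON_TYPE_NETWORK
            and r["user"].upper() == "ANONYMOUS LOGON"}


def find_unknown_user_bursts(records, threshold=3):
    """Sources with at least `threshold` failed logons for account names that do not exist."""
    counts = Counter(r["source"] for r in records
                     if r["event_id"] == EVENT_LOGON_FAILED
                     and r["status"] == STATUS_NO_SUCH_USER)
    return {src: n for src, n in counts.items() if n >= threshold}
```

With the sample data, both checks point at the same source address, which is the pattern a null session followed by name guessing leaves once failure auditing is on.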