Insecure Logins

Always check whether the domain accepts a logon as one of the following accounts. If such a login is allowed, you can enumerate deeper into the domain and gain a foothold without any initial credentials. The check itself is very simple, and a positive result should be treated as a major security vulnerability.

Logins with these insecure accounts/sessions typically do not work in Kerberos-only domains, because Kerberos requires pre-authentication with valid credentials.

Check for null session logon

(no credentials)

enum4linux

enum4linux -a -u '' -p '' <IP>

NetExec

nxc smb <IP> -u '' -p ''
nxc ldap <IP> -u '' -p ''

smbclient / rpcclient

smbclient -N -U '' -L //<IP>
rpcclient -N -U "" <IP>

Check for guest logon

enum4linux -a -u "guest" -p "" <IP>
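The null-session and guest checks above, automated as one audit script (an added example, not from the original page). It assumes smbclient from Samba is installed and classifies each attempt from smbclient's exit status and the NT_STATUS text it prints:

```shell
#!/bin/sh
# Added example: audit hosts for SMB null and guest sessions.
# Assumes the Samba `smbclient` binary is on the PATH.

# Classify one smbclient share-listing attempt.
# Prints ALLOWED, DENIED, UNREACHABLE or UNKNOWN.
classify_smb_result() {
    rc="$1"; output="$2"
    if [ "$rc" -eq 0 ]; then
        # Share listing succeeded: the server accepted the session.
        echo "ALLOWED"
    elif printf '%s' "$output" | grep -qE 'NT_STATUS_(ACCESS_DENIED|LOGON_FAILURE|ACCOUNT_DISABLED|ACCOUNT_LOCKED_OUT)'; then
        # Server is up but rejected the null/guest logon (the hardened state).
        echo "DENIED"
    elif printf '%s' "$output" | grep -qE 'NT_STATUS_(CONNECTION_REFUSED|HOST_UNREACHABLE|IO_TIMEOUT)|Connection to .* failed'; then
        echo "UNREACHABLE"
    else
        echo "UNKNOWN"
    fi
}

# Attempt a password-less share listing as $user and print the verdict.
check_smb_login() {
    host="$1"; user="$2"; label="$3"
    out=$(smbclient -N -U "$user" -L "//$host" 2>&1); rc=$?
    verdict=$(classify_smb_result "$rc" "$out")
    printf '%-15s %-6s %s\n' "$host" "$label" "$verdict"
}

# Run both checks from the page against one host.
audit_host() {
    check_smb_login "$1" ''      null
    check_smb_login "$1" 'guest' guest
}

# Usage: ./audit.sh --run <IP> [<IP> ...]   (hosts you are authorised to test)
if [ "${1:-}" = "--run" ]; then
    shift
    for h in "$@"; do audit_host "$h"; done
fi
```

An ALLOWED verdict on a domain host is the finding the page describes; on Windows the relevant hardening is the LSA settings RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous together with keeping the Guest account disabled.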

Check for anonymous logon

Resources:
