From: Greg Shipley (gshipleyneohapsis.com)
Date: Fri Jun 21 2002 - 01:13:13 CDT

    On Thu, 20 Jun 2002 idsinz2cl01.rzffm.db.de wrote:

    > I don't understand what the signature type Window_Null_Session really
    > means. The research result said there are two computers communicating
    > using an anonymous user. It may indicate a Red Button null session attack.
    >
    > Do you have any exact information about this?
    > In which cases must it be a necessary session my network needs and
    > therefore indicates a false positive?

    It's been a while since I've had my NT sysadmin hat on (years), so bear
    with me if this isn't 100% dead-on (it might not be), but I believe null
    sessions can be used for both reconnaissance purposes (get user/share
    lists), as well as in normal day-to-day administration tasks.

    I know you can disable null sessions using some registry tweaks, but if
    memory serves this breaks some things. For example, I remember having
    problems with using the user administration tool on/with users in a
    trusted domain when null sessions were disabled. I believe there are
    other legitimate applications that use null sessions - most of them being
    administration-based.

    It's a standard feature, and common, in NT-based deployments.

    So it could be a false positive, or it could be someone trying to do
    recon. Do a search in MS' KB on "null sessions" - I'm sure you'll get
    plenty. The alert description is correct though - it is a NETBIOS session
    that is essentially anonymous (no login credentials needed).

    Tony?

    Hope this is at least somewhat helpful (and hopefully accurate!),

    -Greg
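As an added illustration of the triage Greg describes (the same anonymous IPC$ session can be routine administration or reconnaissance), the following Python script is example code written for this page, not anything posted in the thread. It parses a constructed SMB session log, flags sessions set up with an empty user and domain against the IPC$ share as null sessions, and separates those from sources where anonymous IPC$ traffic is expected (the allowlist, field names and sample hosts are all assumptions made up for the example) from those that warrant a look.

```python
"""Triage IDS "null session" alerts against a constructed SMB session log.

Added example, not from the original mailing-list thread. A null session is an
SMB/NetBIOS session set up anonymously (empty user name and password), usually
followed by a tree connect to the IPC$ named-pipe share. The log line format
below is constructed for this example; the field names are assumptions, not
the output of any particular sensor.
"""
from dataclasses import dataclass
import re

# Sources from which anonymous IPC$ sessions are expected in this hypothetical
# environment (e.g. domain controllers of a trusted domain talking to each
# other, or admin workstations running the user administration tool).
# Constructed sample values.
EXPECTED_NULL_SESSION_SOURCES = {"10.0.1.10", "10.0.1.11"}

LINE_RE = re.compile(
    r"^src=(?P<src>\S+) dst=(?P<dst>\S+) user='(?P<user>[^']*)' "
    r"domain='(?P<domain>[^']*)' share=(?P<share>\S+) cmd=(?P<cmd>\S+)$"
)


@dataclass
class SmbEvent:
    src: str
    dst: str
    user: str
    domain: str
    share: str
    cmd: str


def parse_line(line):
    """Parse one constructed log line into an SmbEvent, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return SmbEvent(**m.groupdict())


def is_null_session(ev):
    """Anonymous session against IPC$: no user, no domain, named-pipe share."""
    return ev.user == "" and ev.domain == "" and ev.share.upper() == "IPC$"


def classify(ev):
    """Label an event: authenticated, expected null session, or suspicious."""
    if not is_null_session(ev):
        return "authenticated"
    if ev.src in EXPECTED_NULL_SESSION_SOURCES:
        return "expected_null_session"
    return "suspicious_null_session"


def triage(lines):
    """Return a count per label plus the suspicious events themselves."""
    counts = {}
    suspicious = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            counts["unparsed"] = counts.get("unparsed", 0) + 1
            continue
        label = classify(ev)
        counts[label] = counts.get(label, 0) + 1
        if label == "suspicious_null_session":
            suspicious.append(ev)
    return counts, suspicious


# Constructed sample log lines: one expected anonymous DC-to-DC session, two
# anonymous IPC$ operations from an unlisted host, two authenticated sessions
# and one malformed line.
SAMPLE_LOG = [
    "src=10.0.1.10 dst=10.0.1.11 user='' domain='' share=IPC$ cmd=TreeConnect",
    "src=10.0.5.23 dst=10.0.1.11 user='' domain='' share=IPC$ cmd=TreeConnect",
    "src=10.0.5.23 dst=10.0.1.11 user='' domain='' share=IPC$ cmd=NetShareEnum",
    "src=10.0.7.4 dst=10.0.1.11 user='jsmith' domain='CORP' share=IPC$ cmd=TreeConnect",
    "src=10.0.7.4 dst=10.0.1.11 user='jsmith' domain='CORP' share=DATA cmd=TreeConnect",
    "garbage line",
]

if __name__ == "__main__":
    counts, suspicious = triage(SAMPLE_LOG)
    print(counts)
    for ev in suspicious:
        print("review:", ev)
```

The allowlist is what turns the raw signature into something actionable: anonymous IPC$ sessions between hosts you already know rely on them are recorded but not raised, while the same pattern from an unlisted source is kept for review along with the commands it issued.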