Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 02. Protocols / SMB / Access

Null and Guest

Null and Guest access checks tell us whether SMB or RPC leaks information before we have real credentials. Modern domains should usually block this, but labs, appliances, NAS devices, legacy servers, and misconfigured shares still expose useful data.

Null session with smbclient

smbclient -N -L //10.10.10.200
smbclient -N //10.10.10.200/IPC$ -c "help"

Guest access with smbclient

smbclient -U '%' -L //10.10.10.200
smbclient -U 'guest%' -L //10.10.10.200
smbclient -U 'guest%' //10.10.10.200/Public -c "ls"

smbmap

smbmap -H 10.10.10.200 -u '' -p ''
smbmap -H 10.10.10.200 -u guest -p ''
smbmap -H 10.10.10.200 -u guest -p '' -r

NetExec

nxc smb 10.10.10.200 -u '' -p ''
nxc smb 10.10.10.200 -u '' -p '' --shares
nxc smb 10.10.10.200 -u guest -p '' --shares

enum4linux-ng

enum4linux-ng -A 10.10.10.200
enum4linux-ng -A -u '' -p '' 10.10.10.200
enum4linux-ng -A -u guest -p '' 10.10.10.200

RPC null session

rpcclient -U "" 10.10.10.200 -c "srvinfo"
rpcclient -U "" 10.10.10.200 -c "lsaquery"
rpcclient -U "" 10.10.10.200 -c "enumdomusers"
rpcclient -U "" 10.10.10.200 -c "netshareenumall"

Notes

  • Null access means no username and no password.
  • Guest access means the server accepted the Guest identity.
  • They are different conditions, and both should be tested.