Enumerate Null Sessions

Check if Null Session, also known as Anonymous session, is enabled on the network. Can be very useful on a Domain Controller to enumerate users, groups, password policies, etc.

nxc smb <target> -u '' -p ''
nxc smb <target> -u '' -p '' --shares
nxc smb <target> -u '' -p '' --pass-pol
nxc smb <target> -u '' -p '' --users
nxc smb <target> -u '' -p '' --groups

You can also reproduce this behavior with smbclient or rpcclient

smbclient -N -U "" -L \\<target>

rpcclient -N -U "" -L \\<target>
rpcclient $> enumdomusers
user:[bonclay] rid:[0x46e]
user:[zoro] rid:[0x46f]

{% embed url="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj852200(v=ws.11)" %}

Example

Forest or Monteverde machines are good examples to test null session authentication with NetExec

{% embed url="https://www.hackthebox.com/machines/forest" %}

{% embed url="https://www.hackthebox.com/machines/monteverde" %}