What are Null Sessions?
Null sessions are unauthenticated Server Message Block (SMB) sessions; SMB is the core network protocol of the Windows operating system.
A null session allows an anonymous user to connect without authentication and retrieve information such as usernames and shares over the network.
Null sessions are also referred to as null session connections, anonymous logon, and anonymous connections.
With a null session connection, you can use other utilities to gather critical Windows information remotely. Anyone can take the output of these enumeration programs and attempt to:
- Crack the passwords of the users found.
- Map drives to the network shares.
Windows allows anonymous connections to access the IPC$ share (the trailing $ marks a hidden share).
IPC$ is a hidden share maintained by the Server service (disabling the service removes the share). It is used for inter-process communication (IPC) over RPC (Remote Procedure Call), which allows the client to send different commands to the server.
An anonymous connection to the IPC$ share is also known as a null session connection. Through this session, Windows lets anonymous users perform certain activities, such as enumerating the names of domain accounts and network shares.
It is advisable to set the policy "Network access: Restrict anonymous access to Named Pipes and Shares" to Enabled. Enabling this policy setting restricts null session (unauthenticated) access to all server pipes and shares except those listed in the NullSessionPipes and NullSessionShares registry entries.
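An added example, not part of the original page: a read-only PowerShell audit of the registry values behind this policy, reporting whether it is enabled and which NullSessionPipes and NullSessionShares exceptions remain. The key path and the RestrictNullSessAccess value name are assumptions (the standard LanmanServer location); the page does not state them.

```powershell
# Added example: read-only audit of the registry values behind the policy
# "Network access: Restrict anonymous access to Named Pipes and Shares".
# Assumption: standard LanmanServer\Parameters key and RestrictNullSessAccess
# value name (neither is given on the page).
$DefaultKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-NullSessionPosture {
    param([string]$Path = $DefaultKey)

    $p = Get-ItemProperty -Path $Path -ErrorAction Stop

    # A missing value comes back as $null; report it as "not configured"
    # rather than guessing at the effective default.
    $restrict = $p.RestrictNullSessAccess
    # REG_MULTI_SZ values arrive as string arrays; drop empty entries.
    $pipes  = @($p.NullSessionPipes  | Where-Object { $_ })
    $shares = @($p.NullSessionShares | Where-Object { $_ })

    $findings = @()
    if ($null -eq $restrict) {
        $findings += 'RestrictNullSessAccess is not set explicitly; enforce it through policy.'
    } elseif ($restrict -ne 1) {
        $findings += 'Policy is Disabled: null sessions are not limited to the exception lists.'
    }
    # Every listed name stays reachable by null sessions even when the policy is Enabled.
    foreach ($name in $pipes)  { $findings += "Exception (pipe) to review: $name" }
    foreach ($name in $shares) { $findings += "Exception (share) to review: $name" }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        PolicyEnabled     = ($restrict -eq 1)
        NullSessionPipes  = $pipes
        NullSessionShares = $shares
        Findings          = $findings
        NeedsReview       = ($findings.Count -gt 0)
    }
}

Get-NullSessionPosture | Format-List
```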