ChkLock: Technical Overview

The computer security community has long been aware of the risks associated with anonymous NetBIOS connections (also known as "NULL sessions"). Once a NULL session is established, there is a well-known API for gathering information from remote machines. Tools such as Cerberus Internet Scanner, utilities from the Windows NT resource kit (LOCAL.EXE and GLOBAL.EXE, for example), and even software regularly distributed as part of the NT operating system (such as NBTSTAT.EXE and NET.EXE) make use of these services to gather information.

The functions they use are documented in the network management functions reference portion of Microsoft's Platform SDK.

The most frequent examples of information gathered by these applications include:

A number of other such functions exist, and no doubt a comparable set of utilities for Active Directory features will soon be available.

ChkLock uses an API function called NetUserModalsGet(), which is presumably the same one used by the User Manager applet to populate the Account dialog screen on the Policies menu. The information retrieved by NetUserModalsGet() is more extensive and more granular than that which is displayed by User Manager. Measures of time are expressed in seconds, rather than minutes or days, and there are options (such as forcing logoff for expired accounts after a specified grace period) which are not available through the User Manager tool.

ChkLock calls NetUserModalsGet() four times (in four different ways, referred to as "levels" in the API documentation), to populate four different data structures: USER_MODALS_INFO_0, USER_MODALS_INFO_1, USER_MODALS_INFO_2, and USER_MODALS_INFO_3. Each of these structures has different information:

One of the parameters for the NetUserModalsGet() call is the name of the server from which to gather information. This means that, like the rest of the "Net" family of functions, NetUserModalsGet() can be run against remote machines, via an RPC mechanism which is transparent to the caller.

It is not necessary to have authenticated with the remote machine using any actual credentials: a "NULL" or anonymous NetBIOS session is sufficient. To establish a null session, execute the following at the command line:

net use \\target_machine_name_or_IP_address\ipc$ /u:"" ""

This is a standard prerequisite for using a number of NT resource kit tools. Some commentary is available at http://oliver.efri.hr/~crv/security/bugs/NT/rb2.html. Some other tools handle establishing the NULL session themselves (RedButton, for example, is available from PacketStorm).

Once the session has been established, ChkLock simply calls NetUserModalsGet() with the appropriate memory buffers for each level and reports the results.
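As an added example (not ChkLock's own code, which is not reproduced on this page), the PowerShell script below makes the same NetUserModalsGet() calls for levels 0 and 3, prints the policy with the raw seconds values converted, and flags the settings an administrator would want to tighten. It assumes a -Server parameter, shortens the SDK field names (usrmod0_min_passwd_len becomes min_passwd_len) and lays out the two structures as the Platform SDK documents them.

```powershell
# Added example (not ChkLock's own code): call NetUserModalsGet() at levels 0 and 3 and report the
# policy. Assumed: -Server (omit for the local machine; a name/IP goes over the same RPC path).
param([string]$Server)
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NetApi {
    [StructLayout(LayoutKind.Sequential)] public struct USER_MODALS_INFO_0 {
        public uint min_passwd_len; public uint max_passwd_age; public uint min_passwd_age;
        public uint force_logoff;   public uint password_hist_len; }
    [StructLayout(LayoutKind.Sequential)] public struct USER_MODALS_INFO_3 {
        public uint lockout_duration; public uint lockout_observation_window; public uint lockout_threshold; }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetUserModalsGet(string servername, int level, out IntPtr bufptr);
    [DllImport("netapi32.dll")] public static extern int NetApiBufferFree(IntPtr buffer);
}
"@

function Get-ModalsLevel($Server, [int]$Level, [Type]$StructType) {
    # The API allocates the buffer; it must be released with NetApiBufferFree.
    $buf = [IntPtr]::Zero
    $status = [NetApi]::NetUserModalsGet($Server, $Level, [ref]$buf)
    if ($status -ne 0) { throw "NetUserModalsGet level $Level failed (NET_API_STATUS $status)" }
    try { return [Runtime.InteropServices.Marshal]::PtrToStructure($buf, $StructType) }
    finally { [void][NetApi]::NetApiBufferFree($buf) }
}

function Format-Seconds([uint32]$Seconds) {
    # Durations come back in seconds; TIMEQ_FOREVER (0xFFFFFFFF) means "never" / "until unlocked by an admin".
    if ($Seconds -eq [uint32]::MaxValue) { return 'forever' }
    if ($Seconds -ge 86400 -and $Seconds % 86400 -eq 0) { return "$($Seconds / 86400) day(s)" }
    if ($Seconds -ge 60) { return "$([math]::Round($Seconds / 60, 1)) minute(s)" }
    return "$Seconds second(s)"
}

$target = if ([string]::IsNullOrEmpty($Server)) { $null } else { $Server }   # null = local machine
$m0 = Get-ModalsLevel $target 0 ([NetApi+USER_MODALS_INFO_0])
$m3 = Get-ModalsLevel $target 3 ([NetApi+USER_MODALS_INFO_3])
"Minimum password length    : $($m0.min_passwd_len)"
"Maximum password age       : $(Format-Seconds $m0.max_passwd_age)"
"Minimum password age       : $(Format-Seconds $m0.min_passwd_age)"
"Password history length    : $($m0.password_hist_len)"
"Force logoff grace period  : $(Format-Seconds $m0.force_logoff)"
"Lockout threshold          : $($m3.lockout_threshold) bad attempt(s)"
"Lockout observation window : $(Format-Seconds $m3.lockout_observation_window)"
"Lockout duration           : $(Format-Seconds $m3.lockout_duration)"
# Weaknesses worth flagging: they are exactly what an anonymous caller would learn about this host.
if ($m3.lockout_threshold -eq 0) { Write-Warning 'Lockout threshold is 0: accounts never lock out.' }
if ($m0.min_passwd_len -lt 8) { Write-Warning "Minimum password length is only $($m0.min_passwd_len)." }
if ($m0.max_passwd_age -eq [uint32]::MaxValue) { Write-Warning 'Passwords never expire.' }
```

Run it without arguments to audit the local machine; if the Net* call is refused, the returned NET_API_STATUS is the usual Win32 error code and tells you whether it was an access or a connectivity problem.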



This page is maintained by Peyton Engel.
Last updated 13 October 2000