Skip to main content

SMB Null Sessions

Connecting to an SMB share without authentication.

Category: Reconnaissance 🎯 Trench — Connecting to an SMB share without authentication. If null sessions are accepted, you can list shares, users, and password policy without compromising anything yet. 🔗 Kill chain — Reconnaissance. Gives you: domain users (for spraying), machine names, password policy (min length → optimal dictionary). 📡 Defensive footprint — Event ID 4624 with Logon Type 3 and user ANONYMOUS LOGON. Trivial to detect; rarely enabled in 2025. ⚠️ False friend — Confusing enum4linux (which fails more often than not) with enum4linux-ng (the modern Python version). 🛡️ RemediationRestrictAnonymous=2, RestrictAnonymousSAM=1 via GPO. Only machines in the same domain should list users.

Back to the full glossary Last updated: 2026-06-11