SMB Null Sessions
Connecting to an SMB share without authentication.
Category: Reconnaissance 🎯 Trench — Connecting to an SMB share without authentication. If null sessions are accepted, you can list shares, users, and password policy without compromising anything yet. 🔗 Kill chain — Reconnaissance. Gives you: domain users (for spraying), machine names, password policy (min length → optimal dictionary). 📡 Defensive footprint — Event ID 4624 withLogon Type 3 and
user ANONYMOUS LOGON. Trivial to detect; rarely enabled in 2025.
⚠️ False friend — Confusing enum4linux (which fails more
often than not) with enum4linux-ng (the modern Python version).
🛡️ Remediation — RestrictAnonymous=2, RestrictAnonymousSAM=1 via GPO. Only
machines in the same domain should list users.
← Back to the full glossary Last updated: 2026-06-11