Using NULL sessions: the new way

• Opening a named pipe that can be opened anonymously

  • Either one of the six hardcoded named pipes or one appearing in NullSessionPipes

• Binding to one of the RPC interfaces run by services running inside the process that created the named pipe

• Examples

  • Opening \pipe\{srvsvc,wkssvc,browser} and binding to svcctl or eventlog
    • Supported by Windows 2000's services.exe process (fixed by Update Rollup 1 for Windows 2000 SP4)
  • Opening \pipe\browser and binding to wkssvc or srvsvc in Windows XP SP2 and Windows Server 2003 SP1