Steps to establish a NULL session

• TCP connection to port 445/tcp or 139/tcp

  • NetBIOS session establishment if the NetBT transport is used (139/tcp)

• SMB session establishment, authenticated with NULL credentials (empty login and password)

• Connection to IPC$ share

• Opening of a named pipe

  • Ex : \pipe\samr to reach the SAM RPC server

• Binding to a DCE-RPC interface

  • A DCE-RPC interface is identified by a UUID
  • No additional authentication required, already done at the SMB level

• Call of RPC operations