Listing usernames via a null session on
As you know, Windows XP no longer allows the LookupAccountName API combined with the LookupAccountSid API to list account user names via a null session. If you use the NetWkstaUserEnum and NetSessionEnum APIs in the same manner as implemented with GetAcct 1.3.1, however, they will list local logon usernames and remote logon usernames respectively. On Windows 2003 Server, however, these APIs are no longer allowed access via a null session.
I had expected similar improvement would be made in Windows XP Service Pack 2 released the other day, but it was not. NetWkstaUserEnum API and NetSessionEnum are certainly denied access, but this is because \pipe\srvsvc and \pipe\wkssvc, the named pipe resources that were accessible via a null session before, are no longer accessible. With Windows XP SP2, a named pipe resource accessible from a null session still remains available: \pipe\browser . If you connect to this resource, you will also be allowed to access the lanmanserver and lanmanworkstation interfaces. Although these Win32 APIs are denied access, you can call comparable procedures such as NetrSessionEnum and NetrWkstaUserEnum by using Microsoft RPCs. With Windows XP SP2, you still can list local logon usernames and remote logon usernames.
Lastly I would like to add that usernames are not all the information you can get from \pipe\browser via a null session for your information.
1. You can connect to the named pipe only when Windows Firewall is off or File and Printer Sharing is enabled on the Exceptions tab of Windows Firewall.