Enum4linux is a powerful command-line tool designed to enumerate information from Windows and Samba systems. It's a wrapper around various Samba tools like smbclient, rpcclient, net, and nmblookup. This tool is particularly useful during penetration tests to gather information about target systems.
Overview
Enum4linux can retrieve the following information from Windows/Samba systems:
User listings
Machine listings
Share listings
Domain/workgroup names
Password policies
RID cycling (to enumerate users)
LSA (Local Security Authority) enumeration
Installation
Enum4linux comes pre-installed on Kali Linux. For other distributions:
    # Debian/Ubuntu
    apt-get install enum4linux

    # From source
    git clone https://github.com/CiscoCXSecurity/enum4linux.git
    cd enum4linux
    chmod +x enum4linux.pl
Basic Usage
The basic syntax for enum4linux is:
Where:
options are various flags controlling the tool's behavior
target is the IP address or hostname of the target system
Common Options
Option     Description
-a         Do all simple enumeration (-U -S -G -P -r -o -n -i)
-U         Get user list
-S         Get share list
-G         Get group and member list
-P         Get password policy information
-r         Enumerate users via RID cycling
-o         Get OS information
-n         Do an nmblookup (similar to nbtstat)
-i         Get printer information
-u user    Specify username to use (default: "")
-p pass    Specify password to use (default: "")
-d         Detailed flag (for more detailed user info)
-v         Verbose, shows full commands being run
Examples
Full Enumeration
This runs all basic enumeration options and provides comprehensive output.
User Enumeration
This extracts just the username portion from the user enumeration output.
Password Policy Retrieval
This retrieves the password policy from the target, which can be valuable for planning password attacks.
Share Enumeration
Lists all available shares on the target system.
OS Information
Retrieves information about the operating system of the target.
Using Credentials
Performs enumeration using the specified credentials.
Integration with Other Tools
Enum4linux can be effectively combined with other tools:
With CrackMapExec
Use enum4linux results to target specific systems with CrackMapExec:
With Hydra
Use enum4linux to discover users, then attempt password brute-forcing:
Troubleshooting
Common Issues
Connection refused: The target system may be blocking SMB traffic or may not be running SMB services.
Solution: Verify the target is running SMB (usually on port 445) and there are no firewall restrictions.
Authentication failure: Incorrect credentials or null sessions might be disabled.
Solution: Provide valid credentials using the -u and -p options.
Protocol negotiation failed: SMB version incompatibility.
Solution: Use the -W option to specify the workgroup manually.
RPC error: Issues with RPC service on the target.
Solution: Check if RPC services are running and accessible on the target.
Improvements
For modern environments, consider using enum4linux-ng, a rewritten version with additional features:
Best Practices
Start with anonymous enumeration: Try without credentials first
Use targeted options: If you only need specific information, use the corresponding flags
Combine with other tools: Use the output to feed other tools like CrackMapExec
Be mindful of logs: Remember that enum4linux activities may be logged on the target
Parse output effectively: Use grep and other tools to extract just the information you need
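To make the "parse output effectively" point concrete, the script below is an added example (not part of the original page or of enum4linux itself) that summarises what a saved run disclosed: which accounts and which non-hidden shares were visible. It assumes the `user:[name] rid:[0x...]` lines and the Sharename/Type/Comment table that the underlying rpcclient and smbclient calls print; the function names are hypothetical and the sample text is constructed.

```bash
#!/usr/bin/env bash
# Added example: summarise what a saved enum4linux run disclosed.
# The sample text is constructed for illustration, not taken from a real host.

sample_output() {
cat <<'EOF'
user:[localadm] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[svc backup] rid:[0x451]
group:[Domain Admins] rid:[0x200]
    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    IPC$            IPC       IPC Service
    backups         Disk      Nightly dumps
EOF
}

# Read enum4linux output on stdin; print "RID<TAB>class<TAB>username" per user.
# RIDs below 1000 are well-known accounts (500 = built-in Administrator,
# 501 = Guest), so a renamed Administrator is still recognisable by its RID.
list_users() {
  # Emit "hexrid name" so that names containing spaces survive the read below.
  sed -n 's/^user:\[\(.*\)\] rid:\[0x\([0-9a-fA-F]*\)\]$/\2 \1/p' |
  while read -r hex name; do
    rid=$(printf '%d' "0x$hex")
    if [ "$rid" -lt 1000 ]; then class=builtin; else class=created; fi
    printf '%s\t%s\t%s\n' "$rid" "$class" "$name"
  done
}

# Print share names from the smbclient-style table, skipping hidden shares
# (names ending in "$"). Share names containing spaces are not handled.
list_visible_shares() {
  awk '$2 ~ /^(Disk|IPC|Printer)$/ && $1 !~ /\$$/ { print $1 }'
}

# Demo on the constructed sample; pipe a real saved run into the functions instead.
sample_output | list_users
sample_output | list_visible_shares
```

Anything these functions print for an unauthenticated run is information the host hands to any client that can reach SMB, which makes the output a direct checklist for restricting null sessions and anonymous share access.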
Enum4linux remains a staple tool for Windows/Samba enumeration during penetration tests, providing valuable information with minimal effort.