Enum4Linux Network Enumeration
Enum4linux is a powerful command-line tool designed to enumerate information from Windows and Samba systems. It's a wrapper around various Samba tools like smbclient, rpcclient, net, and nmblookup. This tool is particularly useful during penetration tests to gather information about target systems.
Overview
Enum4linux can retrieve the following information from Windows/Samba systems:
User listings
Machine listings
Share listings
Domain/workgroup names
Password policies
RID cycling (to enumerate users)
LSA (Local Security Authority) enumeration
Installation
Enum4linux comes pre-installed on Kali Linux. For other distributions:
# Debian/Ubuntu
apt-get install enum4linux
# From source
git clone https://github.com/CiscoCXSecurity/enum4linux.git
cd enum4linux
chmod +x enum4linux.pl
Basic Usage
The basic syntax for enum4linux is:
enum4linux [options] target
Where:
options are various flags controlling the tool's behavior
target is the IP address or hostname of the target system
Common Options
-a         Do all simple enumeration (-U -S -G -P -r -o -n -i)
-U         Get user list
-S         Get share list
-G         Get group and member list
-P         Get password policy information
-r         Enumerate users via RID cycling
-o         Get OS information
-n         Do an nmblookup (similar to nbtstat)
-i         Get printer information
-u user    Specify username to use (default: "")
-p pass    Specify password to use (default: "")
-d         Detailed flag (for more detailed user info)
-v         Verbose, shows full commands being run
Examples
Full Enumeration
enum4linux -a 192.168.1.100
This runs all basic enumeration options and provides comprehensive output.
User Enumeration
enum4linux -U 172.16.5.5 | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
This extracts just the username portion from the user enumeration output.
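An added example (not part of the original page or the enum4linux project): a shell function that parses the same user:[...] rid:[0x...] lines the pipeline above matches, decodes each RID to decimal, and labels the built-in Administrator (500) and Guest (501) accounts, so an administrator reviewing their own server can see exactly which accounts a session exposes. The sample output, the address 192.0.2.10, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: sample_output and parse_enum_users are hypothetical names.

# Constructed sample of `enum4linux -U` output, not captured from a real host.
sample_output() {
cat <<'EOF'
 ===========================
|   Users on 192.0.2.10    |
 ===========================
index: 0x1 RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null)
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[svc backup] rid:[0x452]
user:[j.doe] rid:[0x453]
user:[broken] rid:[0xZZ]
EOF
}

# Read enum4linux output on stdin; print "name<TAB>decimal RID<TAB>note".
parse_enum_users() {
    while IFS= read -r line; do
        # Accept only lines shaped like: user:[NAME] rid:[0xHEX]
        case $line in
            'user:['*'] rid:[0x'*']'*) ;;
            *) continue ;;
        esac
        name=${line#'user:['}
        name=${name%%'] rid:['*}
        rid_hex=${line##*'rid:['}
        rid_hex=${rid_hex%%']'*}
        # Skip malformed RIDs instead of passing them to printf.
        case ${rid_hex#0x} in
            ''|*[!0-9A-Fa-f]*) continue ;;
        esac
        rid=$(printf '%d' "$rid_hex")
        case $rid in
            500) note='built-in Administrator' ;;
            501) note='built-in Guest' ;;
            *)   note='account' ;;
        esac
        printf '%s\t%s\t%s\n' "$name" "$rid" "$note"
    done
}

sample_output | parse_enum_users
```

Unlike the cut pipeline, this keeps usernames that contain spaces intact and ignores lines that do not match the full user/rid shape.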
Password Policy Retrieval
enum4linux -P 172.16.5.5
This retrieves the password policy from the target, which can be valuable for planning password attacks.
Share Enumeration
enum4linux -S 192.168.1.100
Lists all available shares on the target system.
OS Information
enum4linux -o 192.168.1.100
Retrieves information about the operating system of the target.
Using Credentials
enum4linux -u "username" -p "password" 192.168.1.100
Performs enumeration using the specified credentials.
Integration with Other Tools
Enum4linux can be effectively combined with other tools:
With CrackMapExec
Use enum4linux results to target specific systems with CrackMapExec:
# First identify users with enum4linux
enum4linux -U 172.16.5.5 > users.txt
# Extract usernames and use with CrackMapExec
cat users.txt | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]" > userlist.txt
crackmapexec smb 172.16.5.5 -u userlist.txt -p common_passwords.txt
With Hydra
Use enum4linux to discover users, then attempt password brute-forcing:
# Get usernames
enum4linux -U 192.168.1.100 | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]" > users.txt
# Use Hydra for brute-forcing
hydra -L users.txt -P passwords.txt smb://192.168.1.100
Troubleshooting
Common Issues
Connection refused: The target system may be blocking SMB traffic or may not be running SMB services.
ERROR: Connection refused
Solution: Verify the target is running SMB (usually on port 445) and there are no firewall restrictions.
Authentication failure: Incorrect credentials or null sessions might be disabled.
ERROR: Authentication error
Solution: Provide valid credentials using the -u and -p options.
Protocol negotiation failed: SMB version incompatibility.
Protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Solution: Use the -W option to specify the workgroup manually.
RPC error: Issues with RPC service on the target.
Cannot connect to server. Error was NT_STATUS_UNSUCCESSFUL
Solution: Check if RPC services are running and accessible on the target.
Improvements
For modern environments, consider using enum4linux-ng, a rewritten version with additional features:
git clone https://github.com/cddmp/enum4linux-ng.git
cd enum4linux-ng
pip3 install -r requirements.txt
python3 enum4linux-ng.py 192.168.1.100
Best Practices
Start with anonymous enumeration: Try without credentials first
Use targeted options: If you only need specific information, use the corresponding flags
Combine with other tools: Use the output to feed other tools like CrackMapExec
Be mindful of logs: Remember that enum4linux activities may be logged on the target
Parse output effectively: Use grep and other tools to extract just the information you need
Enum4linux remains a staple tool for Windows/Samba enumeration during penetration tests, providing valuable information with minimal effort.