enum4linux

Try to enumerate using all methods

$ enum4linux -a [remote_host]

$ enum4linux -u [user_name] -p [password] [remote_host]

$ enum4linux -U [remote_host]

$ enum4linux -S [remote_host]

$ enum4linux -o [remote_host]

enum4linux [options]

-U
    Enumerate user list from the target.

-M
    Enumerate machine list from the target.

-P
    Enumerate password policy details for the target.

-G
    Enumerate local group and member lists from the target.

-S
    Enumerate shared resources (shares) on the target.

-i
    Perform all simple enumerations (users, groups, shares, password policy).

-a
    Perform all enumerations, including more aggressive RPC client brute-forcing.

-r
    Enumerate RID (Relative Identifier) cycling for users and groups.

-N
    Do not query for names; useful for faster enumeration.

-v
    Enable verbose output, showing more details during enumeration.

-h
    Display the help message and exit.


    The IP address or hostname of the target Windows/Samba machine.

enum4linux is a powerful tool for gathering information from Windows and Samba hosts. It leverages the NetBIOS/SMB/RPC protocols to enumerate various details, including user accounts, group memberships, shared resources, password policies, and machine information. This makes it an invaluable utility for penetration testers, security auditors, and system administrators looking to identify potential vulnerabilities or understand the configuration of network hosts. It often acts as a wrapper for underlying Samba suite tools like smbclient, rpcclient, net, and nmblookup, automating the enumeration process to streamline information gathering.

enum4linux can be quite noisy on the network, generating a significant amount of traffic which may trigger Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS). Its effectiveness depends on the target's security configuration; modern, well-patched, and hardened Windows systems or Samba servers may limit the amount of information it can successfully enumerate. It requires the target to have SMB services accessible (typically TCP ports 139 and 445 open).

enum4linux is widely used in the initial reconnaissance phase of penetration tests. The information it gathers, such as valid usernames, share names, and password policies, can be crucial for subsequent attacks like brute-forcing credentials, exploiting misconfigured shares, or identifying weak password practices within an organization.

To run enum4linux successfully, you typically need the Samba client utilities installed on your Linux system. These tools provide the underlying functionality that enum4linux orchestrates to communicate with Windows/Samba hosts.

enum4linux was primarily developed by Mark Baggett (mrb) and has been a staple in the penetration testing community for many years. It was designed to consolidate and automate various manual enumeration steps that would typically be performed using a combination of standalone Samba client tools. Its inclusion in popular security distributions like BackTrack and Kali Linux solidified its role as a go-to tool for Windows/Samba enumeration during security assessments.

smbclient(1), rpcclient(1), net(8), nmblookup(1), nmap(1)