LinuxCommandLibrary

enum4linux

Enumerate information from Windows and Samba systems

TLDR

Try to enumerate using all methods
$ enum4linux -a [remote_host]

Enumerate using given login credentials
$ enum4linux -u [user_name] -p [password] [remote_host]

List usernames from a given host
$ enum4linux -U [remote_host]

List shares
$ enum4linux -S [remote_host]

Get OS information
$ enum4linux -o [remote_host]

SYNOPSIS

enum4linux [options] <target>
enum4linux [-h|-?|--help] [-P] [-o] [-O] [-u <user>] [-p <pass>] [-P <passfile>] [-U <userfile>] [-q] [-w <workgroup>] [-t <port>] [-T] [-A] [-C] [-N] [-S] [-L] [-V] [-i] [-r <ridrange>] [-d <debuglevel>] [-D <domain>] <host>

PARAMETERS

-h, -?, --help
    Show help message and exit

-P
    Perform SNMP queries (port 161)

-o
    NetBIOS over TCP (port 139)

-O
    Attempt OS/module info collection

-u <user>
    Specify username for authentication

-p <pass>
    Specify password

-P <passfile>
    File containing passwords, one per line

-U <userfile>
    File containing usernames, one per line

-q
    Quiet mode, minimal output

-w <workgroup>
    Specify workgroup/domain

-t <port>
    TCP port for SMB (default: 445)

-T
    Use RPC TCP port 135

-A
    Do all available enumeration (alias for -PaoCOUNS)

-C
    Count number of users/groups

-N
    Retrieve NetBIOS names

-S
    List shares

-L
    Get password policy info

-V
    RID cycling/vuln checks

-i
    IPC$ connections

-r <ridrange>
    RID range for enumeration (e.g., 500-550)

-d <debuglevel>
    Samba debug level (0-10)

-D <domain>
    Domain to use

DESCRIPTION

enum4linux is a Perl-based utility designed for enumerating information from Windows/Samba SMB servers. It serves as a Linux equivalent to the classic Windows tool enum.exe, enabling reconnaissance of network shares, users, groups, policies, machine accounts, and trusted domains. The tool leverages underlying Samba binaries like smbclient, rpcclient, and nmblookup to query NetBIOS, RPC, and other services.

It supports anonymous enumeration as well as authenticated sessions using usernames, passwords, or lists. Key features include share listing, user enumeration via RID cycling, password policy retrieval, SNMP queries (if enabled), and basic vulnerability checks. Ideal for penetration testing, it's effective against older Windows systems but may face limitations on modern hardened targets due to SMB signing and firewalls.

Output is structured and verbose by default, with options for quiet mode or specific modules. Always run with caution in authorized environments to avoid triggering alerts.

CAVEATS

Requires Samba tools (smbclient, rpcclient, nmblookup); fails on SMB3+ with signing enforced; noisy and detectable; ineffective against patched modern Windows; use -q for stealth.
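The "noisy and detectable" caveat, seen from the monitored server's side, as an added example (not part of the original page or of enum4linux): a correlation rule that flags a source which logs on anonymously and then opens several RPC named pipes over IPC$. It assumes Windows Security events 4624 and 5145 (the latter needs "Audit Detailed File Share" enabled) already reduced to the dictionary fields shown; the field names, addresses, window and threshold are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Named pipes reached through IPC$ by RPC-based enumeration:
# samr (users/groups), lsarpc (SID/RID lookups), srvsvc (share listing).
ENUM_PIPES = {"samr", "lsarpc", "srvsvc"}

# Constructed sample events (hypothetical field names, not real log data).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "id": 4624, "src": "10.0.0.50",
     "user": "ANONYMOUS LOGON", "logon_type": 3},
    {"time": "2024-05-01T10:00:01", "id": 5145, "src": "10.0.0.50",
     "share": r"\\*\IPC$", "target": "srvsvc"},
    {"time": "2024-05-01T10:00:02", "id": 5145, "src": "10.0.0.50",
     "share": r"\\*\IPC$", "target": "samr"},
    {"time": "2024-05-01T10:00:03", "id": 5145, "src": "10.0.0.50",
     "share": r"\\*\IPC$", "target": "lsarpc"},
    # Authenticated user browsing shares: no anonymous logon, so no hit.
    {"time": "2024-05-01T10:05:00", "id": 4624, "src": "10.0.0.77",
     "user": "alice", "logon_type": 3},
    {"time": "2024-05-01T10:05:01", "id": 5145, "src": "10.0.0.77",
     "share": r"\\*\IPC$", "target": "srvsvc"},
    # Anonymous logon, but a single pipe five minutes later: below threshold.
    {"time": "2024-05-01T11:00:00", "id": 4624, "src": "10.0.0.90",
     "user": "ANONYMOUS LOGON", "logon_type": 3},
    {"time": "2024-05-01T11:05:00", "id": 5145, "src": "10.0.0.90",
     "share": r"\\*\IPC$", "target": "srvsvc"},
]

def find_enumeration(events, window=timedelta(seconds=60), min_pipes=2):
    """Return {src: sorted pipe names} for sources that log on anonymously and
    open at least min_pipes distinct enumeration pipes within the window."""
    anon, pipes = defaultdict(list), defaultdict(list)
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if (ev["id"] == 4624 and ev.get("logon_type") == 3
                and ev.get("user", "").upper() == "ANONYMOUS LOGON"):
            anon[ev["src"]].append(t)
        elif ev["id"] == 5145 and ev.get("share", "").upper().endswith("IPC$"):
            if ev.get("target", "").lower() in ENUM_PIPES:
                pipes[ev["src"]].append((t, ev["target"].lower()))
    hits = {}
    for src, logons in anon.items():
        for start in logons:
            seen = {p for t, p in pipes[src] if start <= t <= start + window}
            if len(seen) >= min_pipes:
                hits[src] = sorted(seen)
                break
    return hits
```
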

EXAMPLE USAGE

Anonymous scan: enum4linux 192.168.1.100
Authenticated: enum4linux -u admin -p pass123 192.168.1.100
Users & shares: enum4linux -U -S target

DEPENDENCIES

Needs samba-client package; Perl required for script execution.

HISTORY

Developed by Mark Lowe circa 2003-2007 as a cross-platform replacement for the Windows tool enum.exe. Integrated into Samba toolchains and pentesting distros like Kali Linux. Maintained on GitHub, with the enum4linux-ng fork providing modern improvements.
