Windows and Samba Host Enumeration with enum4linux

enum4linux

enum4linux by Portcullis Labs is a Linux alternative to enum.exe for enumerating data from Windows and Samba hosts (“Portcullis Labs,” n.d.). enum4linux is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup:

  • smbclient (an ftp-like client to access SMB/CIFS resources on servers)
  • rpcclient (See https://www.samba.org/samba/docs/man/manpages-3/rpcclient.1.html)
  • net (See https://www.samba.org/samba/docs/man/manpages-3/net.8.html)
  • nmblookup (See https://www.samba.org/samba/docs/man/manpages-3/nmblookup.1.html)

Key features (“Portcullis Labs,” n.d.):

  • Enumerating workgroup or domain
  • Nbtstat information (See https://technet.microsoft.com/en-us/library/cc940106.aspx?f=255&MSPPError=-2147217396)
  • Get domain SID
  • OS information
  • Share enumeration and mapping
  • Password policy information
  • Groups and members
  • Users via RID cycling
  • Printer information

Below, I demonstrate the use of enum4linux against Metasploitable 2:

The basic syntax is “enum4linux”. If you do not provide any other options, it will do all simple enumeration: get the user list, get shares, get the group and member list, get password policy information, enumerate users via RID cycling, get OS information, do an nmblookup (similar to nbtstat), and get printer information. (Note: if you add the -v option (verbose mode), enum4linux will show you all the tools that were executed.)

For instance, suppose that you are interested in user names. Using all the tools available, you would issue “enum4linux” with the “-U” option. This will give you a list of all users:
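The user listing is printed as `user:[name] rid:[0x...]` lines. The following is an added example, not part of the original post: it parses such output into a reviewable list of the accounts a host exposes and converts each RID back to a Unix uid. The sample lines are constructed, the function names are hypothetical, and the uid conversion assumes Samba's legacy algorithmic mapping (rid = uid * 2 + 1000) with the default base.

```python
import re

# Constructed sample in the "user:[name] rid:[0x...]" line format;
# it was not captured from a real host.
SAMPLE_OUTPUT = """\
==== Users (constructed banner line, ignored by the parser) ====
user:[games] rid:[0x3f2]
user:[root] rid:[0x3e8]
user:[msfadmin] rid:[0xbb8]
user:[nobody] rid:[0x1f5]
user:[games] rid:[0x3f2]
"""

USER_LINE = re.compile(r"^user:\[([^\]]*)\]\s+rid:\[(0x[0-9a-fA-F]+)\]$")

# Assumption: Samba's default "algorithmic rid base".
ALGORITHMIC_RID_BASE = 1000


def parse_users(text):
    """Return {name: rid}; banner lines and duplicate entries are dropped."""
    users = {}
    for line in text.splitlines():
        match = USER_LINE.match(line.strip())
        if match:
            users[match.group(1)] = int(match.group(2), 16)
    return users


def rid_to_uid(rid, base=ALGORITHMIC_RID_BASE):
    """Invert rid = uid * 2 + base; None when the RID does not fit that scheme."""
    offset = rid - base
    if offset < 0 or offset % 2:
        return None  # e.g. a fixed well-known RID or a group RID (odd offset)
    return offset // 2


def report(text):
    """Return (name, rid, uid_or_None) tuples sorted by RID."""
    users = sorted(parse_users(text).items(), key=lambda item: item[1])
    return [(name, rid, rid_to_uid(rid)) for name, rid in users]


if __name__ == "__main__":
    for name, rid, uid in report(SAMPLE_OUTPUT):
        shown = "n/a" if uid is None else uid
        print(f"{name:<10} rid={rid:<5} uid={shown}")
```

A uid below 1000 usually marks a system or service account, so the list shows at a glance which local accounts the host reveals to a remote client.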

Default users that exist on the remote system:

Enumerates users via RID cycling:

I also get information about the Samba shares, and which shares the user(s) have access to, using the -S option:

Using the basic “enum4linux” syntax, I also find:

About the Author

David Zwickl, MSci., CISSP, CEH, has spent over 20 years in information assurance and cybersecurity for companies such as RSA Security and Cisco Systems in a variety of roles. Dave holds a Master’s degree in Information Assurance with a Cybersecurity Specialization from Regis University in Denver, Colorado. Regis University’s School of Computer & Information Sciences is designated as a National Center of Excellence in Information Systems Security Education (CAE/IAE) by the National Security Agency (NSA) and the Department of Homeland Security (DHS). Dave is active in industry associations ISSA, OWASP, CSA, among others.

Resources

2016 Verizon data breach investigations report.  (2016).  Retrieved October 24, 2017 from http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf

File smtp-enum-users.  (n.d).  Retrieved October 24, 2017 from https://nmap.org/nsedoc/scripts/smtp-enum-users.html

Portcullis Labs.  (n.d.).  Retrieved October 27, 2017 from https://labs.portcullis.co.uk/tools/enum4linux/

User enumeration.  (n.d.).  Retrieved October 24, 2017 from http://pentestmonkey.net/category/tools/user-enumeration

Scanner SMTP auxiliary modules.  (n.d.).  Retrieved October 24, 2017 from https://www.offensive-security.com/metasploit-unleashed/scanner-smtp-auxiliary-modules/

smtp-user-enum.  (n.d.).  Retrieved October 24, 2017 from http://pentestmonkey.net/tools/user-enumeration/smtp-user-enum
