enum4linux

Usage

Also check out the Examples page.

$ enum4linux.pl -h
enum4linux v0.8.2 (http://labs.portcullis.co.uk/application/enum4linux/)
Copyright (C) 2006 Mark Lowe (mrl@portcullis-security.com)

Simple wrapper around the tools in the samba package to provide similar functionality
to enum (http://www.bindview.com/Services/RAZOR/Utilities/Windows/enum_readme.cfm).
Some additional features such as RID cycling have also been added for convenience.

This is an ALPHA release only.  Some of the options supported by the original "enum"
aren't implemented in this release.

Usage: /usr/local/bin/enum4linux.pl [options] ip

Options are (like "enum"):
        -U             get userlist
        -M             get machine list*
        -N             get namelist dump (different from -U|-M)*
        -S             get sharelist
        -P             get password policy information*
        -G             get group and member list
        -L             get LSA policy information*
        -D             dictionary crack, needs -u and -f*
        -d             be detailed, applies to -U and -S
        -u username    specify username to use (default "")
        -p password    specify password to use (default "")
        -f filename    specify dictfile to use (wants -D)*

* = Not implemented in this release.

Additional options:
        -a             Do all simple enumeration (-U -S -G -r -o -n)
        -h             Display this help message and exit
        -r             enumerate users via RID cycling
        -R range       RID ranges to enumerate (default: 500-550,1000-1050, implies -r)
        -s filename    brute force guessing for share names
        -k username    User(s) that exists on remote system (default: administrator,guest,krbtgt,domain admins,root,bin,none)
                       Used to get sid with "lookupsid known_username"
                       Use commas to try several users: "-k admin,user1,user2"
        -o             Get OS information
        -i             Get printer information
        -w workgroup   Specify workgroup manually (usually found automatically)
        -n             Do an nmblookup (similar to nbtstat)
        -v             Verbose.  Shows full commands being run (net, rpcclient, etc.)

RID cycling should extract a list of users from Windows (or Samba) hosts which have
RestrictAnonymous set to 1 (Windows NT and 2000), or "Network access: Allow
anonymous SID/Name translation" enabled (XP, 2003).

If no usernames are known, good names to try against Windows systems are:
- administrator
- guest
- none
- helpassistant
- aspnet

The following might work against samba systems:
- root
- nobody
- sys

NB: Samba servers often seem to have RIDs in the range 3000-3050.

Dependancy info:
You will need to have the samba package installed as this script is basically
just a wrapper around rpcclient, net, nmblookup and smbclient.
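The RID-cycling precondition described in the help text above (RestrictAnonymous left at 1, or "Network access: Allow anonymous SID/Name translation" enabled) can be checked from the host side. The following PowerShell audit is an added example and is not part of enum4linux; it assumes a Windows host with secedit available, an elevated shell, and a temp file name chosen here for the example.

```powershell
# Added example, not part of enum4linux: report the local Windows settings that
# decide whether anonymous SID/Name translation (the RID-cycling precondition
# noted above) is allowed. Run from an elevated PowerShell.

# Lsa registry values that restrict what anonymous callers may enumerate.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$settings = [ordered]@{
    'RestrictAnonymous'         = $lsa.RestrictAnonymous
    'RestrictAnonymousSAM'      = $lsa.RestrictAnonymousSAM
    'EveryoneIncludesAnonymous' = $lsa.EveryoneIncludesAnonymous
}

# "Network access: Allow anonymous SID/Name translation" lives in the local
# security policy database rather than the registry; secedit exports it as
# LSAAnonymousNameLookup in the [System Access] section.
$cfg = Join-Path $env:TEMP 'anon-sid-audit.inf'   # temp file name constructed for this example
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$m = Select-String -Path $cfg -Pattern '^LSAAnonymousNameLookup\s*=\s*(\d)'
$settings['LSAAnonymousNameLookup'] = if ($m) { [int]$m.Matches[0].Groups[1].Value } else { $null }
Remove-Item $cfg -ErrorAction SilentlyContinue

foreach ($kv in $settings.GetEnumerator()) {
    $shown = if ($null -eq $kv.Value) { 'not set (OS default)' } else { $kv.Value }
    '{0,-26} {1}' -f $kv.Key, $shown
}

# The policy value is the one that matters for SID/Name translation; as the
# help text notes, RestrictAnonymous=1 by itself does not stop RID cycling.
if ($settings['LSAAnonymousNameLookup'] -eq 1) {
    Write-Warning 'Anonymous SID/Name translation is allowed: anonymous RID cycling can list accounts.'
} else {
    'Anonymous SID/Name translation is disabled by policy.'
}
if ($settings['EveryoneIncludesAnonymous'] -eq 1) {
    Write-Warning 'EveryoneIncludesAnonymous=1 widens what anonymous callers can reach; review it.'
}
if ($settings['RestrictAnonymousSAM'] -ne 1) {
    Write-Warning 'RestrictAnonymousSAM is not 1: anonymous SAM account enumeration may be possible.'
}
```

A value reported as "not set" means the OS default applies for that version of Windows; confirm the effective setting with the Local Security Policy snap-in before relying on it.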

Last Updated : 28/03/2008 13:42:49