enum4linux

Enumeration tool for Windows and Samba hosts.

enum4linux is a Perl wrapper around smbclient, rpcclient, net and nmblookup.

Example of execution

Enumerate everything with the -a option.

$ enum4linux -a 10.0.0.1
...
================================================== 
|    Enumerating Workgroup/Domain on 10.0.0.1    |
================================================== 
[+] Got domain/workgroup name: MYGROUP

========================================== 
|    Nbtstat Information for 10.0.0.1    |
========================================== 
Looking up status of 10.0.0.1
        HOSTNAME           <00> -         B <ACTIVE>  Workstation Service
        HOSTNAME           <03> -         B <ACTIVE>  Messenger Service
        HOSTNAME           <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        MYGROUP         <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        MYGROUP         <1d> -         B <ACTIVE>  Master Browser
        MYGROUP         <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

=================================== 
|    Session Check on 10.0.0.1    |
=================================== 
[+] Server 10.0.0.1 allows sessions using username '', password ''

========================================= 
|    Getting domain SID for 10.0.0.1    |
========================================= 
Unable to initialize messaging context
Domain Name: MYGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

==================================== 
|    OS information on 10.0.0.1    |
==================================== 
Use of uninitialized value $os_info in concatenation (.) or string at /usr/bin/enum4linux line 464.
[+] Got OS info for 10.0.0.1 from smbclient: 
[+] Got OS info for 10.0.0.1 from srvinfo:
Unable to initialize messaging context
        HOSTNAME          Wk Sv PrQ Unx NT SNT Samba Server
        platform_id     :       500
        os version      :       4.5
        server type     :       0x9a03

...

======================================= 
|    Share Enumeration on 10.0.0.1    |
======================================= 
Unable to initialize messaging context

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba Server)
        ADMIN$          IPC       IPC Service (Samba Server)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------
        HOSTNAME                Samba Server
        HOST2               Samba Server

        Workgroup            Master
        ---------            -------
        ACME                 HOST7
        MSHOME               HOST3
        MYGROUP              HOSTNAME
        DOMAIN                HOST4
        DOMAIN.LOCAL          HOST5
        WORKGROUP            HOST6

[+] Attempting to map shares on 10.0.0.1
//10.0.0.1/IPC$       [E] Can't understand response:
Unable to initialize messaging context
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//10.0.0.1/ADMIN$     [E] Can't understand response:
Unable to initialize messaging context
tree connect failed: NT_STATUS_WRONG_PASSWORD

============================ 
|    Groups on 10.0.0.1    |
============================ 

[+] Getting builtin groups:
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Power Users] rid:[0x223]
group:[Account Operators] rid:[0x224]
group:[System Operators] rid:[0x225]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]

[+] Getting builtin group memberships:
Group 'Guests' (RID: 546) has member: Couldn't find group Guests
Group 'Replicator' (RID: 552) has member: Couldn't find group Replicator
Group 'Backup Operators' (RID: 551) has member: Couldn't find group Backup Operators
Group 'Power Users' (RID: 547) has member: Couldn't find group Power Users
Group 'System Operators' (RID: 549) has member: Couldn't find group System Operators
Group 'Administrators' (RID: 544) has member: Couldn't find group Administrators
Group 'Print Operators' (RID: 550) has member: Couldn't find group Print Operators
Group 'Account Operators' (RID: 548) has member: Couldn't find group Account Operators
Group 'Users' (RID: 545) has member: Couldn't find group Users

[+] Getting local groups:
group:[sys] rid:[0x3ef]
group:[tty] rid:[0x3f3]
group:[disk] rid:[0x3f5]
group:[mem] rid:[0x3f9]
group:[kmem] rid:[0x3fb]
group:[wheel] rid:[0x3fd]
group:[man] rid:[0x407]
group:[dip] rid:[0x439]
group:[lock] rid:[0x455]
group:[users] rid:[0x4b1]
group:[slocate] rid:[0x413]
group:[floppy] rid:[0x40f]
group:[utmp] rid:[0x415]

[+] Getting local group memberships:
Group 'slocate' (RID: 1043) has member: Couldn't list alias members
Group 'floppy' (RID: 1039) has member: Couldn't list alias members
Group 'kmem' (RID: 1019) has member: Couldn't list alias members
Group 'disk' (RID: 1013) has member: Couldn't list alias members
Group 'dip' (RID: 1081) has member: Couldn't list alias members
Group 'man' (RID: 1031) has member: Couldn't list alias members
Group 'utmp' (RID: 1045) has member: Couldn't list alias members
Group 'lock' (RID: 1109) has member: Couldn't list alias members
Group 'sys' (RID: 1007) has member: Couldn't list alias members
Group 'wheel' (RID: 1021) has member: Couldn't list alias members
Group 'mem' (RID: 1017) has member: Couldn't list alias members
Group 'tty' (RID: 1011) has member: Couldn't list alias members
Group 'users' (RID: 1201) has member: Couldn't list alias members

[+] Getting domain groups:
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]

[+] Getting domain group memberships:
Group 'Domain Users' (RID: 513) has member: Couldn't find group Domain Users
Group 'Domain Admins' (RID: 512) has member: Couldn't find group Domain Admins

 ===================================================================== 
|    Users on 10.0.0.1 via RID cycling (RIDS: 500-550,1000-1050)    |
 ===================================================================== 
[I] Found new SID: S-1-5-21-2974263341-3895402545-469881541
[+] Enumerating users using SID S-1-5-21-2974263341-3895402545-469881541 and logon username '', password ''
S-1-5-21-2974263341-3895402545-469881541-500 HOSTNAME\Administrator (Local User)
S-1-5-21-2974263341-3895402545-469881541-501 HOSTNAME\(ý ┐ (Local User)
S-1-5-21-2974263341-3895402545-469881541-502 HOSTNAME\unix_group.2147483399 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-503 HOSTNAME\unix_group.2147483399 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-504 HOSTNAME\unix_group.2147483400 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-505 HOSTNAME\unix_group.2147483400 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-506 HOSTNAME\unix_group.2147483401 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-507 HOSTNAME\unix_group.2147483401 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-508 HOSTNAME\unix_group.2147483402 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-509 HOSTNAME\unix_group.2147483402 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-510 HOSTNAME\unix_group.2147483403 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-511 HOSTNAME\unix_group.2147483403 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-512 HOSTNAME\unix_group.2147483404 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-513 HOSTNAME\unix_group.2147483404 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-514 HOSTNAME\unix_group.2147483405 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-515 HOSTNAME\unix_group.2147483405 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-516 HOSTNAME\unix_group.2147483406 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-517 HOSTNAME\unix_group.2147483406 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-518 HOSTNAME\unix_group.2147483407 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-519 HOSTNAME\unix_group.2147483407 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-520 HOSTNAME\unix_group.2147483408 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-521 HOSTNAME\unix_group.2147483408 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-522 HOSTNAME\unix_group.2147483409 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-523 HOSTNAME\unix_group.2147483409 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-524 HOSTNAME\unix_group.2147483410 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-525 HOSTNAME\unix_group.2147483410 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-526 HOSTNAME\unix_group.2147483411 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-527 HOSTNAME\unix_group.2147483411 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-528 HOSTNAME\unix_group.2147483412 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-529 HOSTNAME\unix_group.2147483412 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-530 HOSTNAME\unix_group.2147483413 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-531 HOSTNAME\unix_group.2147483413 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-532 HOSTNAME\unix_group.2147483414 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-533 HOSTNAME\unix_group.2147483414 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-534 HOSTNAME\unix_group.2147483415 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-535 HOSTNAME\unix_group.2147483415 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-536 HOSTNAME\unix_group.2147483416 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-537 HOSTNAME\unix_group.2147483416 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-538 HOSTNAME\unix_group.2147483417 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-539 HOSTNAME\unix_group.2147483417 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-540 HOSTNAME\unix_group.2147483418 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-541 HOSTNAME\unix_group.2147483418 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-542 HOSTNAME\unix_group.2147483419 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-543 HOSTNAME\unix_group.2147483419 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-544 HOSTNAME\unix_group.2147483420 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-545 HOSTNAME\unix_group.2147483420 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-546 HOSTNAME\unix_group.2147483421 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-547 HOSTNAME\unix_group.2147483421 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-548 HOSTNAME\unix_group.2147483422 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-549 HOSTNAME\unix_group.2147483422 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-550 HOSTNAME\unix_group.2147483423 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1000 HOSTNAME\root (Local User)
S-1-5-21-2974263341-3895402545-469881541-1001 HOSTNAME\root (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1002 HOSTNAME\bin (Local User)
S-1-5-21-2974263341-3895402545-469881541-1003 HOSTNAME\bin (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1004 HOSTNAME\daemon (Local User)
S-1-5-21-2974263341-3895402545-469881541-1005 HOSTNAME\daemon (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1006 HOSTNAME\adm (Local User)
S-1-5-21-2974263341-3895402545-469881541-1007 HOSTNAME\sys (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1008 HOSTNAME\lp (Local User)
S-1-5-21-2974263341-3895402545-469881541-1009 HOSTNAME\adm (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1010 HOSTNAME\sync (Local User)
S-1-5-21-2974263341-3895402545-469881541-1011 HOSTNAME\tty (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1012 HOSTNAME\shutdown (Local User)
S-1-5-21-2974263341-3895402545-469881541-1013 HOSTNAME\disk (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1014 HOSTNAME\halt (Local User)
S-1-5-21-2974263341-3895402545-469881541-1015 HOSTNAME\lp (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1016 HOSTNAME\mail (Local User)
S-1-5-21-2974263341-3895402545-469881541-1017 HOSTNAME\mem (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1018 HOSTNAME\news (Local User)
S-1-5-21-2974263341-3895402545-469881541-1019 HOSTNAME\kmem (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1020 HOSTNAME\uucp (Local User)
S-1-5-21-2974263341-3895402545-469881541-1021 HOSTNAME\wheel (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1022 HOSTNAME\operator (Local User)
S-1-5-21-2974263341-3895402545-469881541-1023 HOSTNAME\unix_group.11 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1024 HOSTNAME\games (Local User)
S-1-5-21-2974263341-3895402545-469881541-1025 HOSTNAME\mail (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1026 HOSTNAME\gopher (Local User)
S-1-5-21-2974263341-3895402545-469881541-1027 HOSTNAME\news (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1028 HOSTNAME\ftp (Local User)
S-1-5-21-2974263341-3895402545-469881541-1029 HOSTNAME\uucp (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1030 HOSTNAME\unix_user.15 (Local User)
S-1-5-21-2974263341-3895402545-469881541-1031 HOSTNAME\man (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1032 HOSTNAME\unix_user.16 (Local User)
S-1-5-21-2974263341-3895402545-469881541-1033 HOSTNAME\unix_group.16 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1034 HOSTNAME\unix_user.17 (Local User)
S-1-5-21-2974263341-3895402545-469881541-1035 HOSTNAME\unix_group.17 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1036 HOSTNAME\unix_user.18 (Local User)
S-1-5-21-2974263341-3895402545-469881541-1037 HOSTNAME\unix_group.18 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1038 HOSTNAME\unix_user.19 (Local User)
S-1-5-21-2974263341-3895402545-469881541-1039 HOSTNAME\floppy (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1040 HOSTNAME\unix_user.20 (Local User)
S-1-5-21-2974263341-3895402545-469881541-1041 HOSTNAME\games (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1042 HOSTNAME\unix_user.21 (Local User)
S-1-5-21-2974263341-3895402545-469881541-1043 HOSTNAME\slocate (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1044 HOSTNAME\unix_user.22 (Local User)
S-1-5-21-2974263341-3895402545-469881541-1045 HOSTNAME\utmp (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1046 HOSTNAME\squid (Local User)
S-1-5-21-2974263341-3895402545-469881541-1047 HOSTNAME\squid (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1048 HOSTNAME\unix_user.24 (Local User)
S-1-5-21-2974263341-3895402545-469881541-1049 HOSTNAME\unix_group.24 (Local Group)
S-1-5-21-2974263341-3895402545-469881541-1050 HOSTNAME\unix_user.25 (Local User)
...
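
The run above shows a host that accepts an empty username and password and answers share, group and RID lookups over that session. As an added example (not part of the original page or of enum4linux itself), this Python parser condenses output in that format into the findings an administrator would report when auditing their own Samba host; the sample text, its SID and the function name `summarize` are constructed for illustration.

```python
import re

# Constructed sample in the format of the enum4linux -a output shown above.
SAMPLE = r"""
[+] Got domain/workgroup name: MYGROUP
[+] Server 10.0.0.1 allows sessions using username '', password ''
        IPC$            IPC       IPC Service (Samba Server)
        ADMIN$          IPC       IPC Service (Samba Server)
group:[Administrators] rid:[0x220]
group:[wheel] rid:[0x3fd]
[+] Enumerating users using SID S-1-5-21-1111111111-2222222222-3333333333 and logon username '', password ''
S-1-5-21-1111111111-2222222222-3333333333-500 HOSTNAME\Administrator (Local User)
S-1-5-21-1111111111-2222222222-3333333333-1000 HOSTNAME\root (Local User)
S-1-5-21-1111111111-2222222222-3333333333-1001 HOSTNAME\root (Local Group)
S-1-5-21-1111111111-2222222222-3333333333-1030 HOSTNAME\unix_user.15 (Local User)
"""

SESSION = re.compile(r"allows sessions using username '([^']*)', password '([^']*)'")
SHARE = re.compile(r"^[ \t]+(\S+)\s+(Disk|IPC|Printer)\s", re.M)
GROUP = re.compile(r"^group:\[(.+?)\] rid:\[0x([0-9a-fA-F]+)\]", re.M)
RID = re.compile(
    r"^(S-1-5-21(?:-\d+){3})-(\d+) (\S+?)\\(.+) \((Local|Domain) (User|Group)\)$", re.M
)


def summarize(output):
    """Return what the run disclosed, keyed by finding type."""
    m = SESSION.search(output)
    users = {}
    for _sid, rid, _host, name, _scope, kind in RID.findall(output):
        # unix_user.N entries are Samba's fallback names for IDs with no
        # account name, so they are not reported as accounts.
        if kind == "User" and not name.startswith("unix_user."):
            users[int(rid)] = name
    return {
        # True only when the accepted session used an empty username and password.
        "null_session": bool(m) and m.group(1) == "" and m.group(2) == "",
        "shares": SHARE.findall(output),
        # enum4linux prints group RIDs in hex here; store them as integers.
        "groups": {name: int(rid, 16) for name, rid in GROUP.findall(output)},
        "users": users,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

A `null_session` value of `True` together with a non-empty `users` map means account names are readable without credentials on that host.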