Skip to content

Enum4linux

enum4linux is a command-line tool used for enumerating information from Windows and Samba systems. It is essentially a wrapper around various Samba tools like smbclient, rpclient, net, and nmblookup to extract data from a target system over the SMB/CIFS protocol. It is a popular tool in penetration testing and security auditing for discovering potential vulnerabilities related to misconfigurations in Windows and Samba services.

What It Does

Enum4linux can be used to gather a wide range of information from a target system, including:

  • Usernames: A list of all users on the remote system.

  • Share Information: A list of available network shares.

  • Group Information: A list of groups and their members.

  • Password Policy: Details about the password complexity, length, and history requirements.

  • OS Information: The operating system version and server information.

  • Printer Information: A list of available printers.

  • RID Cycling: A technique to discover usernames by iterating through Relative Identifiers (RIDs).

Installation

On Debian-based systems like Kali Linux or Ubuntu, you can install it using the package manager:

Bash

sudo apt update && sudo apt install enum4linux

Basic Usage

The general syntax for using enum4linux is:

Bash

enum4linux [options] <ip_address>

Common Options

Option Description
-a Perform all simple enumeration options (-U -S -G -P -r -o -n -i).
-U Get the list of users.
-S Get the list of shares.
-G Get the list of groups and members.
-P Get password policy information.
-o Get OS information.
-r Enumerate users via RID cycling.

Examples

Full Basic Enumeration

This is the most common command. The -a flag runs all simple enumeration checks against the target IP address.

Bash

enum4linux -a 192.168.1.10

Enumerate Specific Information

If you only want to retrieve a list of users from the target system, you can use the -U flag.

Bash

enum4linux -U 192.168.1.10

Enumerate Users with RID Cycling

To discover users by cycling through RIDs (which can sometimes find users missed by other methods), use the -r flag. This can be time-consuming.

Bash

enum4linux -r 192.168.1.10

Saving Output to a File

It is good practice to save the output of your scans for later analysis. You can redirect the output to a text file.

Bash

enum4linux -a 192.168.1.10 > enum_results.txt

Disclaimer

This tool should only be used for legitimate security auditing and penetration testing purposes on systems for which you have received explicit, written permission. Unauthorized scanning of networks and systems is illegal.