Enum4linux

From aldeid

Description

Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum, formerly available from www.bindview.com.

It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup.

Key features

  • RID cycling (When RestrictAnonymous is set to 1 on Windows 2000)
  • User listing (When RestrictAnonymous is set to 0 on Windows 2000)
  • Listing of group membership information
  • Share enumeration
  • Detecting if host is in a workgroup or a domain
  • Identifying the remote operating system
  • Password policy retrieval (using polenum)

Installation

Prerequisite

$ sudo apt install smbclient

enum4linux

$ wget https://labs.portcullis.co.uk/download/enum4linux-0.8.9.tar.gz
$ tar xzvf enum4linux-0.8.9.tar.gz

Usage

Syntax

./enum4linux.pl [options] ip

Options

-U         get userlist
-M         get machine list*
-S         get sharelist
-P         get password policy information
-G         get group and member list
-d         be detailed, applies to -U and -S
-u user    specify username to use (default "")
-p pass    specify password to use (default "")
-a         Do all simple enumeration (-U -S -G -P -r -o -n -i). This option is enabled if you don't provide any other options.
-h         Display this help message and exit
-r         enumerate users via RID cycling
-R range   RID ranges to enumerate (default: 500-550,1000-1050, implies -r)
-K n       Keep searching RIDs until n consecutive RIDs don't correspond to a username. Implies RID range ends at 999999. Useful against DCs.
-l         Get some (limited) info via LDAP 389/TCP (for DCs only)
-s file    brute force guessing for share names
-k user    User(s) that exist on the remote system (default: administrator,guest,krbtgt,domain admins,root,bin,none). Used to get the SID with "lookupsid known_username". Use commas to try several users: "-k admin,user1,user2"
-o         Get OS information
-i         Get printer information
-w wrkg    Specify workgroup manually (usually found automatically)
-n         Do an nmblookup (similar to nbtstat)
-v         Verbose. Shows full commands being run (net, rpcclient, etc.)

Example

$ ./enum4linux.pl -a 10.10.226.157
WARNING: polenum.py is not in your path.  Check that package is installed and your PATH is sane.
WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Apr 30 09:21:01 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.226.157
RID Range ........ 500-550,1000-1050
Username ......... 
Password ......... 
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===================================================== 
|    Enumerating Workgroup/Domain on 10.10.226.157    |
 ===================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ============================================= 
|    Nbtstat Information for 10.10.226.157    |
 ============================================= 
Looking up status of 10.10.226.157
	BASIC2          <00> -         B <ACTIVE>  Workstation Service
	BASIC2          <03> -         B <ACTIVE>  Messenger Service
	BASIC2          <20> -         B <ACTIVE>  File Server Service
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

	MAC Address = 00-00-00-00-00-00

 ====================================== 
|    Session Check on 10.10.226.157    |
 ====================================== 
[+] Server 10.10.226.157 allows sessions using username , password 

 ============================================ 
|    Getting domain SID for 10.10.226.157    |
 ============================================ 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ======================================= 
|    OS information on 10.10.226.157    |
 ======================================= 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.226.157 from smbclient: 
[+] Got OS info for 10.10.226.157 from srvinfo:
	BASIC2         Wk Sv PrQ Unx NT SNT Samba Server 4.3.11-Ubuntu
	platform_id     :	500
	os version      :	6.1
	server type     :	0x809a03

 ============================== 
|    Users on 10.10.226.157    |
 ============================== 
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 ========================================== 
|    Share Enumeration on 10.10.226.157    |
 ========================================== 

	Sharename       Type      Comment
	---------       ----      -------
	Anonymous       Disk      
	IPC$            IPC       IPC Service (Samba Server 4.3.11-Ubuntu)
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.226.157
//10.10.226.157/Anonymous	Mapping: OK, Listing: OK
//10.10.226.157/IPC$	[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 ===================================================== 
|    Password Policy Information for 10.10.226.157    |
 ===================================================== 
[E] Dependent program "polenum.py" not present.  Skipping this check.  Download polenum from http://labs.portcullis.co.uk/application/polenum/


 =============================== 
|    Groups on 10.10.226.157    |
 =============================== 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ======================================================================== 
|    Users on 10.10.226.157 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================== 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2853212168-2008227510-3551253869
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username , password 
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
[+] Enumerating users using SID S-1-5-21-2853212168-2008227510-3551253869 and logon username , password 
S-1-5-21-2853212168-2008227510-3551253869-500 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\nobody (Local User)
S-1-5-21-2853212168-2008227510-3551253869-502 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-503 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-504 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-505 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-506 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-507 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-508 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-509 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-510 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-511 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-512 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-513 BASIC2\None (Domain Group)
S-1-5-21-2853212168-2008227510-3551253869-514 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-515 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-516 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-517 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-518 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-519 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-520 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-521 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-522 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-523 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-524 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-525 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-526 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-527 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-528 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-529 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-530 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-531 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-532 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-533 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-534 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-535 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-536 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-537 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-538 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-539 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-540 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-541 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-542 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-543 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-544 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-545 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-546 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-547 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-548 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-549 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-550 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1000 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1001 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1002 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1003 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1004 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1005 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1006 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1007 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1008 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1009 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1010 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1011 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1012 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1013 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1014 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1015 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1016 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1017 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1018 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1019 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1020 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1021 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1022 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1023 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1024 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1025 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1026 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1027 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1028 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1029 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1030 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1031 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1032 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1033 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1034 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1035 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1036 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1037 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1038 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1039 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1040 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1041 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1042 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1043 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1044 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1045 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1046 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1047 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1048 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1049 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-32 and logon username , password 
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
S-1-5-32-504 *unknown*\*unknown* (8)
S-1-5-32-505 *unknown*\*unknown* (8)
S-1-5-32-506 *unknown*\*unknown* (8)
S-1-5-32-507 *unknown*\*unknown* (8)
S-1-5-32-508 *unknown*\*unknown* (8)
S-1-5-32-509 *unknown*\*unknown* (8)
S-1-5-32-510 *unknown*\*unknown* (8)
S-1-5-32-511 *unknown*\*unknown* (8)
S-1-5-32-512 *unknown*\*unknown* (8)
S-1-5-32-513 *unknown*\*unknown* (8)
S-1-5-32-514 *unknown*\*unknown* (8)
S-1-5-32-515 *unknown*\*unknown* (8)
S-1-5-32-516 *unknown*\*unknown* (8)
S-1-5-32-517 *unknown*\*unknown* (8)
S-1-5-32-518 *unknown*\*unknown* (8)
S-1-5-32-519 *unknown*\*unknown* (8)
S-1-5-32-520 *unknown*\*unknown* (8)
S-1-5-32-521 *unknown*\*unknown* (8)
S-1-5-32-522 *unknown*\*unknown* (8)
S-1-5-32-523 *unknown*\*unknown* (8)
S-1-5-32-524 *unknown*\*unknown* (8)
S-1-5-32-525 *unknown*\*unknown* (8)
S-1-5-32-526 *unknown*\*unknown* (8)
S-1-5-32-527 *unknown*\*unknown* (8)
S-1-5-32-528 *unknown*\*unknown* (8)
S-1-5-32-529 *unknown*\*unknown* (8)
S-1-5-32-530 *unknown*\*unknown* (8)
S-1-5-32-531 *unknown*\*unknown* (8)
S-1-5-32-532 *unknown*\*unknown* (8)
S-1-5-32-533 *unknown*\*unknown* (8)
S-1-5-32-534 *unknown*\*unknown* (8)
S-1-5-32-535 *unknown*\*unknown* (8)
S-1-5-32-536 *unknown*\*unknown* (8)
S-1-5-32-537 *unknown*\*unknown* (8)
S-1-5-32-538 *unknown*\*unknown* (8)
S-1-5-32-539 *unknown*\*unknown* (8)
S-1-5-32-540 *unknown*\*unknown* (8)
S-1-5-32-541 *unknown*\*unknown* (8)
S-1-5-32-542 *unknown*\*unknown* (8)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
S-1-5-32-1003 *unknown*\*unknown* (8)
S-1-5-32-1004 *unknown*\*unknown* (8)
S-1-5-32-1005 *unknown*\*unknown* (8)
S-1-5-32-1006 *unknown*\*unknown* (8)
S-1-5-32-1007 *unknown*\*unknown* (8)
S-1-5-32-1008 *unknown*\*unknown* (8)
S-1-5-32-1009 *unknown*\*unknown* (8)
S-1-5-32-1010 *unknown*\*unknown* (8)
S-1-5-32-1011 *unknown*\*unknown* (8)
S-1-5-32-1012 *unknown*\*unknown* (8)
S-1-5-32-1013 *unknown*\*unknown* (8)
S-1-5-32-1014 *unknown*\*unknown* (8)
S-1-5-32-1015 *unknown*\*unknown* (8)
S-1-5-32-1016 *unknown*\*unknown* (8)
S-1-5-32-1017 *unknown*\*unknown* (8)
S-1-5-32-1018 *unknown*\*unknown* (8)
S-1-5-32-1019 *unknown*\*unknown* (8)
S-1-5-32-1020 *unknown*\*unknown* (8)
S-1-5-32-1021 *unknown*\*unknown* (8)
S-1-5-32-1022 *unknown*\*unknown* (8)
S-1-5-32-1023 *unknown*\*unknown* (8)
S-1-5-32-1024 *unknown*\*unknown* (8)
S-1-5-32-1025 *unknown*\*unknown* (8)
S-1-5-32-1026 *unknown*\*unknown* (8)
S-1-5-32-1027 *unknown*\*unknown* (8)
S-1-5-32-1028 *unknown*\*unknown* (8)
S-1-5-32-1029 *unknown*\*unknown* (8)
S-1-5-32-1030 *unknown*\*unknown* (8)
S-1-5-32-1031 *unknown*\*unknown* (8)
S-1-5-32-1032 *unknown*\*unknown* (8)
S-1-5-32-1033 *unknown*\*unknown* (8)
S-1-5-32-1034 *unknown*\*unknown* (8)
S-1-5-32-1035 *unknown*\*unknown* (8)
S-1-5-32-1036 *unknown*\*unknown* (8)
S-1-5-32-1037 *unknown*\*unknown* (8)
S-1-5-32-1038 *unknown*\*unknown* (8)
S-1-5-32-1039 *unknown*\*unknown* (8)
S-1-5-32-1040 *unknown*\*unknown* (8)
S-1-5-32-1041 *unknown*\*unknown* (8)
S-1-5-32-1042 *unknown*\*unknown* (8)
S-1-5-32-1043 *unknown*\*unknown* (8)
S-1-5-32-1044 *unknown*\*unknown* (8)
S-1-5-32-1045 *unknown*\*unknown* (8)
S-1-5-32-1046 *unknown*\*unknown* (8)
S-1-5-32-1047 *unknown*\*unknown* (8)
S-1-5-32-1048 *unknown*\*unknown* (8)
S-1-5-32-1049 *unknown*\*unknown* (8)
S-1-5-32-1050 *unknown*\*unknown* (8)

 ============================================== 
|    Getting printer info for 10.10.226.157    |
 ============================================== 
No printers returned.


enum4linux complete on Thu Apr 30 09:25:55 2020
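Reading a full -a run is tedious, and the lines that matter to a defender are few: the session check (a null session means anonymous enumeration works), the share mapping results, and the RID-cycling hits that are not `*unknown*`. The parser below pulls those out of enum4linux's text output into a findings summary. It is an added example written for this page, not part of enum4linux; SAMPLE_OUTPUT is a constructed excerpt of the run above, and the regexes assume the line formats shown on this page (enum4linux 0.8.9).

```python
"""Turn enum4linux text output into a short findings summary.

Added example for this page, not enum4linux code. SAMPLE_OUTPUT is a
constructed excerpt of the run shown on the page; the regexes assume the
line formats visible there (enum4linux 0.8.9).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_OUTPUT = """\
[+] Got domain/workgroup name: WORKGROUP
[+] Server 10.10.226.157 allows sessions using username , password 
\tSharename       Type      Comment
\t---------       ----      -------
\tAnonymous       Disk      
\tIPC$            IPC       IPC Service (Samba Server 4.3.11-Ubuntu)
[+] Attempting to map shares on 10.10.226.157
//10.10.226.157/Anonymous\tMapping: OK, Listing: OK
//10.10.226.157/IPC$\t[E] Can't understand response:
[+] Enumerating users using SID S-1-22-1 and logon username , password 
S-1-22-1-1000 Unix User\\kay (Local User)
S-1-22-1-1001 Unix User\\jan (Local User)
S-1-5-21-2853212168-2008227510-3551253869-500 *unknown*\\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\\nobody (Local User)
S-1-5-32-544 BUILTIN\\Administrators (Local Group)
S-1-5-32-545 BUILTIN\\Users (Local Group)
"""

WORKGROUP_RE = re.compile(r"^\[\+\] Got domain/workgroup name: (\S+)")
# Matches only when both username and password were empty, i.e. a null session.
NULL_SESSION_RE = re.compile(r"^\[\+\] Server (\S+) allows sessions using username , password\s*$")
SHARE_ROW_RE = re.compile(r"^\s+(\S+)\s+(Disk|IPC|Printer)\b\s*(.*?)\s*$")
SHARE_MAP_RE = re.compile(r"^//(\S+?)/(\S+)\s+Mapping: (\w+), Listing: (\w+)")
# "<domain SID>-<RID> <authority>\<name> (<kind>)"; kind "8" is the SID_NAME_USE
# value SidTypeUnknown, which is how lookupsid reports an unused RID.
RID_RE = re.compile(r"^(S-1-[\d-]+)-(\d+) (.+?)\\(.+?) \(([^)]+)\)\s*$")


@dataclass
class Findings:
    target: Optional[str] = None
    workgroup: Optional[str] = None
    null_session: bool = False
    shares: Dict[str, str] = field(default_factory=dict)       # share name -> type
    readable_shares: List[str] = field(default_factory=list)   # mapped and listed OK
    rid_hits: List[Tuple[str, int, str, str]] = field(default_factory=list)  # (domain SID, RID, name, kind)


def parse_enum4linux(text: str) -> Findings:
    """Walk the output line by line; each regex claims the lines it recognises."""
    f = Findings()
    for line in text.splitlines():
        if m := WORKGROUP_RE.match(line):
            f.workgroup = m.group(1)
        elif m := NULL_SESSION_RE.match(line):
            f.target, f.null_session = m.group(1), True
        elif m := SHARE_ROW_RE.match(line):
            f.shares[m.group(1)] = m.group(2)
        elif m := SHARE_MAP_RE.match(line):
            share, mapped, listed = m.group(2), m.group(3), m.group(4)
            if mapped == "OK" and listed == "OK":
                f.readable_shares.append(share)
        elif m := RID_RE.match(line):
            domain_sid, rid, _authority, name, kind = m.groups()
            if name != "*unknown*":   # skip RIDs that resolved to nothing
                f.rid_hits.append((domain_sid, int(rid), name, kind))
    return f


def summarize(f: Findings) -> List[str]:
    """One line per finding a defender would want to act on."""
    host = f.target or "target"
    issues: List[str] = []
    if f.null_session:
        issues.append(f"{host}: null session accepted; anonymous SMB/RPC enumeration is possible")
    for share in f.readable_shares:
        if share != "IPC$":   # IPC$ is the RPC pipe share, not a file share
            issues.append(f"{host}: share {share} could be mapped and listed with the credentials used")
    users = [h for h in f.rid_hits if h[3].endswith("User")]
    groups = [h for h in f.rid_hits if h[3].endswith("Group")]
    if users:
        issues.append(f"{host}: {len(users)} account name(s) disclosed via RID cycling: "
                      + ", ".join(h[2] for h in users))
    if groups:
        issues.append(f"{host}: {len(groups)} group name(s) resolved via RID cycling: "
                      + ", ".join(h[2] for h in groups))
    return issues


if __name__ == "__main__":
    for issue in summarize(parse_enum4linux(SAMPLE_OUTPUT)):
        print(issue)
```

The session-check regex deliberately matches only the empty-credential form of the line, so a run made with -u/-p never gets reported as a null session; the share-mapping result is reported relative to whatever credentials the run used, which in the run above were none.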