Enum4linux

Enum4linux is a Perl script that enumerates SMB shares, users, groups, and other information from Windows and Samba systems. It is a wrapper around rpcclient, smbclient, and nmblookup.

Installation

# Kali Linux (pre-installed)
which enum4linux

# Manual installation of enum4linux-ng (the Python rewrite)
git clone https://github.com/cddmp/enum4linux-ng
cd enum4linux-ng
pip3 install -r requirements.txt
chmod +x enum4linux-ng.py

# Or original enum4linux
apt install enum4linux

Basic Enumeration

| Command | Description |
| --- | --- |
| enum4linux target | Full enumeration |
| enum4linux -a target | All simple enumeration |
| enum4linux -h target | Print help information |
| enum4linux -v target | Verbose output |
| enum4linux -d target | Detailed output |

User Enumeration

# Enumerate users
enum4linux -U target

# Enumerate users and shares (-S is the share list, not a SID lookup)
enum4linux -U -S target

# Get user list with RID brute force over a null session (-r is RID cycling)
enum4linux -u '' -r target

Share Enumeration

# Enumerate shares
enum4linux -S target

# Enumerate shares with comments
enum4linux -S -v target

# Check null session shares
enum4linux -S -u '' target

Group Enumeration

# Enumerate groups
enum4linux -G target

# Enumerate groups and members, plus users via RID cycling
enum4linux -G -r target

# Get group membership (already included in -G), showing the commands being run
enum4linux -G -v target

OS and Version Detection

# OS detection
enum4linux -o target

# OS information plus share list
enum4linux -o -S target

# SMB version enumeration
enum4linux -o -v target

Complete Enumeration Options

# All enumerations
enum4linux -a target

# All + RID cycling
enum4linux -a -r target

# All + share list (-S is already included in -a)
enum4linux -a -S target

# All + user and group enumeration
enum4linux -a -U -G target

# Verbose mode with all options
enum4linux -a -v target

Advanced Options

# Specify username
enum4linux -u admin target

# Specify password
enum4linux -u admin -p password target

# Null session (no auth)
enum4linux -u '' -p '' target

# Domain specification
enum4linux -u 'DOMAIN\user' -p pass target

# RID cycling (brute force RIDs)
enum4linux -r target

# RID range specification (-R takes start-end and implies -r)
enum4linux -R 500-510 target

# Get SID via a known username (-k), then cycle RIDs
enum4linux -r -k admin target

Option Combinations

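| Option | Purpose |
| --- | --- |
| -U | Enumerate users |
| -G | Enumerate groups and their members |
| -r | Enumerate users via RID cycling |
| -M | Get machine list |
| -S | Enumerate shares |
| -o | Operating system detection |
| -n | Do an nmblookup (NetBIOS name lookup) |
| -P | Get password policy |
| -i | Get printer information |
| -a | All simple options |
| -d | Display detailed information (applies to -U and -S) |
| -v | Verbose output |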

Null Session Testing

# Test for null sessions
enum4linux -u '' target

# Full enumeration via null session
enum4linux -u '' -a target

# Check if null sessions enabled
enum4linux -u '' -U target

# Get shares via null session
enum4linux -u '' -S target

Common Workflow

# 1. Detect OS
enum4linux -o target

# 2. Check for null sessions
enum4linux -u '' -a target

# 3. If null session fails, try known credentials
enum4linux -u admin -p password -a target

# 4. Brute force RIDs for additional users
enum4linux -u admin -p password -r target

# 5. Get detailed info with verbose flag
enum4linux -u admin -p password -a -v target

# 6. Export results
enum4linux -u admin -p password -a target > enum_results.txt

Output Examples

User Enumeration Output

User: Administrator (RID: 500)
User: Guest (RID: 501)
User: TestUser (RID: 1000)

Share Enumeration Output

Share: \\target\C$
Comment: Default share
Share: \\target\IPC$
Comment: Remote IPC
Share: \\target\ADMIN$
Comment: Remote administration

Group Output

Group: Domain Admins
RID: 512
Members: Administrator

Group: Users
RID: 513
Members: TestUser
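
To turn an exported results file (step 6 of the workflow) into a one-line exposure summary for a report, the following added example, which is not part of the original page, parses the results. It assumes the simplified `User:` / `Share:` / `Group:` line format shown in the Output Examples above, so adapt the patterns to the output your version produces; the function names and the sample data are constructed for illustration.

```shell
# Added example (not from the original page); function names are hypothetical.
# Constructed sample in the "Output Examples" line format, so it runs offline.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
User: Administrator (RID: 500)
User: Guest (RID: 501)
User: TestUser (RID: 1000)
Share: \\target\C$
Comment: Default share
Share: \\target\IPC$
Comment: Remote IPC
Share: \\target\ADMIN$
Comment: Remote administration
Group: Domain Admins
RID: 512
Members: Administrator
Group: Users
RID: 513
Members: TestUser
EOF
# Emit "RID<TAB>name" for every "User: name (RID: n)" line.
list_users() {
    awk '/^User: .* \(RID: [0-9]+\)$/ {
        rid = $NF; sub(/\)$/, "", rid)
        name = $0; sub(/^User: /, "", name); sub(/ \(RID: [0-9]+\)$/, "", name)
        print rid "\t" name
    }' "$1"
}
# Built-in accounts have RIDs below 1000 (500 = Administrator, 501 = Guest).
builtin_accounts() { list_users "$1" | awk -F'\t' '$1 + 0 < 1000 { print $2 }'; }
# Share names with the \\host\ prefix stripped.
visible_shares() {
    awk '/^Share: / { s = $0; sub(/^Share: /, "", s); n = split(s, p, /\\/); print p[n] }' "$1"
}
# Members of the group whose RID is $2 (512 = Domain Admins).
group_members() {
    awk -v rid="$2" '/^RID: / { cur = $2 }
        /^Members: / && cur == rid { sub(/^Members: /, ""); print }' "$1"
}
# One-line summary of what the enumeration run was able to read.
exposure_summary() {
    printf 'users=%s builtin=%s shares=%s domain_admins=%s\n' \
        "$(list_users "$1" | wc -l | tr -d ' ')" \
        "$(builtin_accounts "$1" | paste -sd, -)" \
        "$(visible_shares "$1" | paste -sd, -)" \
        "$(group_members "$1" 512 | paste -sd, -)"
}
exposure_summary "$SAMPLE"
```

When the results file came from a null-session run (`-u ''`), every non-empty field in the summary is information the host gave out without credentials.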

Troubleshooting

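# Connection timeout increase (enum4linux-ng only; the original script has no timeout option)
./enum4linux-ng.py -t 30 target

# Detailed output (-d applies to -U and -S; it is not a debug mode)
enum4linux -U -S -d target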

# Verbose with all options
enum4linux -a -v target

# Null auth
enum4linux -u '' -p '' target

Related Tools

  • rpcclient: Direct RPC enumeration
  • smbclient: Share access and file operations
  • nmblookup: NetBIOS name resolution
  • nmap: Service detection with NSE scripts

Last updated: March 2026