Ethical Hacking #enum4linux #SMB enumeration #Samba

enum4linux: SMB and Samba Enumeration Guide

Learn how to use enum4linux and enum4linux-ng to enumerate SMB shares, users, groups, and policies on Windows and Linux targets.


SMB (Server Message Block) is one of the most information-rich protocols on a Windows network. When misconfigured, it leaks usernames, group memberships, password policies, and share listings to unauthenticated attackers. enum4linux is a Linux-based tool that automates this enumeration by wrapping several Samba client utilities into a single script. This guide covers both the original enum4linux and the modern enum4linux-ng rewrite.

Why Enumerate SMB?

Before attempting any exploitation, thorough reconnaissance is essential. SMB enumeration can reveal:

  • Valid usernames — useful for password spraying and Kerberoasting
  • Password policies — tells you the lockout threshold before spraying
  • Share listings — may expose sensitive files or writable shares
  • Group memberships — reveals admin accounts and service accounts
  • OS and domain information — helps fingerprint the environment

Installing enum4linux

enum4linux is pre-installed on Kali Linux. If you need to install it manually:

sudo apt install enum4linux

For the modern enum4linux-ng (Python rewrite with LDAP support and better output):

pip3 install enum4linux-ng
# or
git clone https://github.com/cddmp/enum4linux-ng
cd enum4linux-ng
pip3 install -r requirements.txt

Basic Full Enumeration

Run a complete enumeration against a target with the -a flag:

enum4linux -a 192.168.1.10

This runs all checks: OS detection, share listing, user enumeration, group enumeration, and password policy retrieval. The output can be lengthy — pipe it to a file for review:

enum4linux -a 192.168.1.10 | tee enum4linux-output.txt

Key Flags and What They Do

Flag             Function
----             --------
-U               Enumerate users via RPC
-G               Enumerate groups
-S               List shares
-P               Get password policy
-o               Get OS information
-r               Enumerate users via RID cycling
-u USER -p PASS  Authenticate as a specific user
-a               Run all of the above

Share Enumeration

enum4linux -S 192.168.1.10

Example output:

Sharename    Type    Comment
---------    ----    -------
ADMIN$       Disk    Remote Admin
C$           Disk    Default share
IPC$         IPC     Remote IPC
NETLOGON     Disk    Logon server share
SYSVOL       Disk    Logon server share
Data         Disk    Company Data

Non-default shares like Data warrant further investigation. Use smbclient to browse them:

smbclient //192.168.1.10/Data -N

The -N flag attempts a null session (no password). If it connects, you have anonymous read access.
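Share listings are easier to review when the default shares are separated from the custom ones. The following parser is an added example (not part of enum4linux); it reads the table format shown above from a constructed sample, reports the custom shares and uses the presence of NETLOGON and SYSVOL to recognise a domain controller.

```python
import re

# Shares Windows/Samba create by default (the trailing $ marks a hidden share)
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "PRINT$", "NETLOGON", "SYSVOL"}
# NETLOGON and SYSVOL are only served by domain controllers
DC_SHARES = {"NETLOGON", "SYSVOL"}

# Constructed sample in the table format enum4linux -S prints
SAMPLE = """\
Sharename    Type    Comment
---------    ----    -------
ADMIN$       Disk    Remote Admin
C$           Disk    Default share
IPC$         IPC     Remote IPC
NETLOGON     Disk    Logon server share
SYSVOL       Disk    Logon server share
Data         Disk    Company Data
"""

# name, share type, optional comment; the header and dashed rows never match
ROW = re.compile(r"^(\S+)\s+(Disk|IPC|Printer)\s*(.*)$")

def parse_shares(text):
    """Return [(name, type, comment)] for every share row in the listing."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), m.group(3).strip()))
    return rows

def triage_shares(rows):
    """Separate custom shares from defaults and note whether the host looks like a DC."""
    names = {name.upper() for name, _, _ in rows}
    custom = [r for r in rows if r[0].upper() not in DEFAULT_SHARES]
    return {
        "is_domain_controller": DC_SHARES <= names,
        "hidden": sorted(n for n in names if n.endswith("$")),
        "custom": custom,
    }
```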

User Enumeration via RID Cycling

Windows assigns each account a Relative Identifier (RID). By requesting SID lookups in sequence, you can brute-force account names:

enum4linux -r -u "" -p "" 192.168.1.10

This null-session RID cycling often works against misconfigured Windows systems and reveals all local and domain accounts. A typical output looks like:

[+] Getting local groups with try: 500-550, 1000-1050
[+] S-1-5-21-...-500 *unknown*\*unknown* (8)
[+] S-1-5-21-...-501 NT AUTHORITY\nobody (8)
[+] S-1-5-21-...-1000 CORP\Domain Admins
[+] S-1-5-21-...-1001 CORP\jsmith
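To turn that output into a reviewable list of exposed identities, the parser below (an added example, not enum4linux code) splits each line into the domain SID, the RID and the resolved name, drops RIDs that did not resolve, and labels the Microsoft-defined well-known RIDs and SID types. The domain SID and account names in the sample are constructed for the example.

```python
import re

# SID_NAME_USE values that lookupsids reports in parentheses (Windows-defined)
SID_TYPES = {1: "user", 2: "group", 3: "domain", 4: "alias", 5: "well-known group",
             6: "deleted", 7: "invalid", 8: "unknown", 9: "computer"}
# RIDs that identify the same built-in principal in every domain
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers",
                   516: "Domain Controllers", 519: "Enterprise Admins"}

# Constructed sample; the domain SID and the accounts are made up for this example
SAMPLE = r"""
[+] Getting local groups with try: 500-550, 1000-1050
[+] S-1-5-21-1004336348-1177238915-682003330-500 CORP\Administrator (1)
[+] S-1-5-21-1004336348-1177238915-682003330-501 CORP\Guest (1)
[+] S-1-5-21-1004336348-1177238915-682003330-512 CORP\Domain Admins (2)
[+] S-1-5-21-1004336348-1177238915-682003330-1001 CORP\jsmith (1)
[+] S-1-5-21-1004336348-1177238915-682003330-1002 *unknown*\*unknown* (8)
"""

# domain SID, RID, authority\name, optional "(type)" suffix
SID_LINE = re.compile(
    r"^\[\+\]\s+(S-1-5-21(?:-\d+){3})-(\d+)\s+(.+?)\\(.+?)(?:\s+\((\d+)\))?$")

def parse_rid_cycling(text):
    """Return (domain_sid, accounts), keeping only RIDs that resolved to a name."""
    domain_sid, accounts = None, []
    for line in text.splitlines():
        m = SID_LINE.match(line.strip())
        if not m:
            continue                      # progress lines such as "[+] Getting ..."
        sid, rid, authority, name, stype = m.groups()
        rid, stype = int(rid), (int(stype) if stype else None)
        if name == "*unknown*" or stype == 8:
            continue                      # RID was probed but no such account exists
        domain_sid = domain_sid or sid    # every resolved line shares the domain SID
        accounts.append({"rid": rid, "authority": authority, "name": name,
                         "sid_type": SID_TYPES.get(stype, "unresolved"),
                         "well_known": WELL_KNOWN_RIDS.get(rid)})
    return domain_sid, accounts

def user_names(accounts):
    """Names of user-type accounts, the starting point for an exposed-identity review."""
    return [a["name"] for a in accounts if a["sid_type"] == "user"]
```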

Password Policy Retrieval

Knowing the account lockout policy is critical before password spraying:

enum4linux -P 192.168.1.10

Output includes:

Minimum password length: 7
Password history length: None
Maximum password age: 42 days
Account lockout threshold: 5
Account lockout duration: 30 mins

With a lockout threshold of 5, you can spray 4 passwords before risking a lockout. If the threshold is 0 (disabled), spraying is unrestricted.
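The same output can be checked mechanically against a hardening baseline so that a disabled lockout or a short minimum length is flagged in a report. This is an added example, not part of enum4linux; the sample is constructed in the format shown above, and the baseline values are assumptions chosen for the example rather than a vendor recommendation.

```python
import re

# Constructed sample in the format enum4linux -P prints
SAMPLE = """\
Minimum password length: 7
Password history length: None
Maximum password age: 42 days
Account lockout threshold: 5
Account lockout duration: 30 mins
"""

# Assumed audit baseline for this example: ("min", n) means at least n,
# ("between", lo, hi) means an enabled lockout within that range.
BASELINE = {
    "Minimum password length": ("min", 14),
    "Password history length": ("min", 24),
    "Account lockout threshold": ("between", 1, 10),
    "Account lockout duration": ("min", 15),
}

def parse_policy(text):
    """Map each 'Key: value' line to an integer; 'None' or no number becomes 0."""
    policy = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        num = re.search(r"\d+", value)
        policy[key] = int(num.group()) if num else 0
    return policy

def audit_policy(policy):
    """Return one finding per setting that misses the baseline; threshold 0 = lockout disabled."""
    findings = []
    for key, rule in BASELINE.items():
        val = policy.get(key, 0)
        if rule[0] == "min" and val < rule[1]:
            findings.append(f"{key} is {val}, baseline requires >= {rule[1]}")
        elif rule[0] == "between" and not rule[1] <= val <= rule[2]:
            shown = "disabled" if val == 0 else str(val)
            findings.append(f"{key} is {shown}, baseline requires {rule[1]}-{rule[2]}")
    return findings
```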

Using enum4linux-ng

The newer enum4linux-ng has better LDAP support and produces structured output:

enum4linux-ng -A 192.168.1.10

Export results as YAML or JSON:

enum4linux-ng -A 192.168.1.10 -oY results.yaml
enum4linux-ng -A 192.168.1.10 -oJ results.json

The LDAP enumeration mode is particularly powerful against domain controllers:

enum4linux-ng -A -u jsmith -p Password123 192.168.1.1

This leverages authenticated LDAP queries to pull extensive AD information that anonymous sessions cannot access.

Authenticated Enumeration

If you have credentials, provide them for much richer results:

enum4linux -u jsmith -p Password123 -a 192.168.1.10

Authenticated sessions can access more shares, enumerate domain users, and retrieve domain group policies that anonymous queries cannot reach.

Alternative: CrackMapExec

For faster, parallel SMB enumeration across subnets, CrackMapExec (CME) is often preferred:

# Enumerate shares across a subnet
crackmapexec smb 192.168.1.0/24 --shares

# Enumerate users
crackmapexec smb 192.168.1.10 --users

# Check password policy
crackmapexec smb 192.168.1.10 --pass-pol

CME integrates well into automated workflows and produces clean output with color-coded results.

What to Do With the Results

After enumeration, prioritize your findings:

  1. Writable shares — check for credential files, scripts, or writable paths you can place malicious files in (e.g., SCF files for hash capture)
  2. Username list — compile all discovered users for Kerberoasting, AS-REP roasting, or password spraying
  3. Weak password policy — plan a targeted spray campaign with likely passwords
  4. Admin accounts — prioritize lateral movement paths toward these accounts
  5. SYSVOL/NETLOGON — check for Group Policy Preferences XML files containing cpassword fields (GPP password vulnerability)

SMB enumeration is typically one of the first steps after initial network discovery. The data it reveals shapes the entire direction of a Windows penetration test.

#reconnaissance #network pentesting #Samba #SMB enumeration #enum4linux