1. INTRODUCTION
enum4linux is a Linux tool for enumerating information from Windows/Samba systems.
Useful for:
- SMB share discovery
- User listing
- Group listing
- Password policy info
- RID cycling
- OS and domain info
2. BASIC ENUMERATION
Simple scan:
```bash
enum4linux TARGET_IP
```
Example:
```bash
enum4linux 10.10.10.5
```
3. FULL VERBOSE ENUMERATION
Most used command:
```bash
enum4linux -a TARGET_IP
```
The -a flag performs:
- User enumeration
- Group enumeration
- Share listing
- Password policy discovery
- RID cycling
- OS info
4. NULL SESSION ENUMERATION
Try anonymous login first:
```bash
enum4linux -a -u "" -p "" TARGET_IP
```
Useful for:
- Guest or anonymous SMB access
- Legacy Windows systems
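A defender-side check for the null-session exposure described above, as an added example that is not part of the original page: it reads a Samba `smb.conf` and flags settings that permit anonymous or guest access. The function names and the sample configuration are constructed for illustration; `restrict anonymous`, `map to guest`, `guest ok` and its synonym `public` are Samba's own parameter names.

```bash
#!/bin/sh
# Added example (not from the original page): flag smb.conf settings that
# allow the anonymous access a null-session enumeration depends on.

# Constructed sample configuration, for demonstration only.
sample_conf() {
cat <<'EOF'
[global]
   workgroup = LAB
   map to guest = Bad User
   ; restrict anonymous = 2
[public]
   path = /srv/public
   Guest OK = yes
[finance]
   path = /srv/finance
   guest ok = no
EOF
}

# Reads smb.conf from the named file (or stdin) and prints one finding per line.
audit_smb_conf() {
  awk -F= '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]*\[/ {                                  # section header such as [global]
      sec = tolower($0); sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next
    }
    {
      # Samba ignores case and whitespace in parameter names.
      key = tolower($1); gsub(/[ \t]/, "", key)
      val = tolower($2); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
      if (sec == "global" && key == "restrictanonymous") ra = val
      if (sec == "global" && key == "maptoguest" && val != "never")
        print "global: map to guest = " val
      if ((key == "guestok" || key == "public") && val ~ /^(yes|true|1)$/)
        print sec ": guest access enabled"
    }
    END {
      if (ra != "2")
        print "global: restrict anonymous = " (ra == "" ? "unset" : ra) ", expected 2"
    }
  ' "$@"
}

sample_conf | audit_smb_conf
```

On a real host, pass the configuration path as the argument, for example `audit_smb_conf /etc/samba/smb.conf`; an empty result means none of the checked settings were found in a permissive state.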
5. USER ENUMERATION
List users:
```bash
enum4linux -U TARGET_IP
```
RID cycling:
```bash
enum4linux -r -u "" -p "" TARGET_IP
```
6. GROUP ENUMERATION
List groups:
```bash
enum4linux -G TARGET_IP
```
7. SHARE ENUMERATION
List SMB shares:
```bash
enum4linux -S TARGET_IP
```
8. PASSWORD POLICY
Check password rules:
```bash
enum4linux -P TARGET_IP
```
Information discovered:
- Minimum password length
- Password history length
- Account lockout policy
- Max password age
9. OS & DOMAIN INFO
Check OS version:
```bash
enum4linux -o TARGET_IP
```
Get domain/workgroup:
```bash
enum4linux -n TARGET_IP
```
10. SPECIFIC USER INFO
Query specific user:
```bash
enum4linux -u -i
```
11. COMBINING WITH SMBMAP / SMBCLIENT
Example workflow:
1. Enumerate with enum4linux:
```bash
enum4linux -a 10.10.10.5
```
2. Check shares with smbmap:
```bash
smbmap -H 10.10.10.5
```
3. Connect with smbclient:
```bash
smbclient //10.10.10.5/SHARE -U username
```
12. CTF / PENTEST WORKFLOW
1. Null session test:
```bash
enum4linux -a -u "" -p "" 10.10.10.5
```
2. Check users:
```bash
enum4linux -U 10.10.10.5
```
3. Check shares:
```bash
enum4linux -S 10.10.10.5
```
4. Check password policy:
```bash
enum4linux -P 10.10.10.5
```
5. Run RID cycling for hidden users:
```bash
enum4linux -r -u "" -p "" 10.10.10.5
```
6. Use SMBMap for deeper enumeration:
```bash
smbmap -H 10.10.10.5
```
7. Try brute-forcing with Hydra (only if authorized):
```bash
hydra -l user -P rockyou.txt smb://10.10.10.5
```