Enum4Linux/Enum4Linux-ng
Enum4linux is a tool written in Perl that automates information gathering from Windows systems over the SMB (Server Message Block) protocol. It operates mainly on ports 139 and 445 and interacts with shared resources, active sessions, system users and security settings by combining commands from rpcclient, net and other Samba binaries. Its purpose is to make useful information easy to enumerate without prior authentication, although it also works with valid credentials when they are supplied.
The tool is especially useful in the reconnaissance and post-exploitation phases within Active Directory environments, since it extracts a wide variety of data from the target systems. Its most notable features include enumeration of users, groups, password policies, active sessions, shares and access control lists (ACLs). It also implements so-called RID cycling, a brute-force technique over relative identifiers (RIDs) that discovers valid domain users even when anonymous access is restricted for certain functions.
Enum4linux is particularly effective when the target allows anonymous connections to its SMB service or does not implement advanced security restrictions. Although it is no longer under active development, it remains a valuable tool in pentesting scenarios against misconfigured or legacy Windows servers. For more modern and robust audits it is usually complemented with tools such as CrackMapExec, rpcclient or smbmap, which offer greater control over authenticated sessions and the exploitation of SMB services.
Main features of enum4linux:
User enumeration:
Lists the local and domain users on the target server.
Group enumeration:
Identifies the local and domain groups and shows the members of those groups.
Share listing:
Shows the shares on the server, both public and private.
Password policies:
Extracts information about the domain password policies, such as the minimum password length and how often passwords must be changed.
NetBIOS information:
Collects information about NetBIOS names and other network-related data.
Operating system enumeration:
Detects the version of the operating system the target server is running.
Access control list (ACL) information:
Obtains information about the access control lists of different resources.
Domain information gathering:
Collects information about the domain the server belongs to, including the domain controller and the Active Directory structure.
Basic command:
enum4linux [options] <target_IP>
Some common options include:
-U: enumerates users.
-G: enumerates groups.
-S: enumerates shares.
-a: performs all available enumerations.
See machines: Forest (HTB), Support (HTB)
enum4linux-ng is a modern reimplementation of the original tool, written in Python; "ng" stands for "next generation". This version was created to be more robust, modular and maintainable. Some key differences:
Language and structure: it is written in Python instead of Perl, which makes it easier to maintain and extend.
Better error and exception handling.
Clearer support for authentication and output formats.
Greater modularity and documentation in its code.
More organized output, useful for later analysis or automation.
Example of enumeration with credentials
┌──(root㉿kali)-[/home/kali]
└─# enum4linux-ng -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' 10.10.11.174
ENUM4LINUX - next generation (v1.3.4)
==========================
| Target Information |
==========================
[*] Target ........... 10.10.11.174
[*] Username ......... 'ldap'
[*] Random Username .. 'jpvkejxq'
[*] Password ......... 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
[*] Timeout .......... 5 second(s)
=====================================
| Listener Scan on 10.10.11.174 |
=====================================
[*] Checking LDAP
[+] LDAP is accessible on 389/tcp
[*] Checking LDAPS
[+] LDAPS is accessible on 636/tcp
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp
====================================================
| Domain Information via LDAP for 10.10.11.174 |
====================================================
[*] Trying LDAP
[+] Appears to be root/parent DC
[+] Long domain name is: support.htb
===========================================================
| NetBIOS Names and Workgroup/Domain for 10.10.11.174 |
===========================================================
[-] Could not get NetBIOS names information via 'nmblookup': timed out
=========================================
| SMB Dialect Check on 10.10.11.174 |
=========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
SMB 1.0: false
SMB 2.02: true
SMB 2.1: true
SMB 3.0: true
SMB 3.1.1: true
Preferred dialect: SMB 3.0
SMB1 only: false
SMB signing required: true
===========================================================
| Domain Information via SMB session for 10.10.11.174 |
===========================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: DC
NetBIOS domain name: SUPPORT
DNS domain: support.htb
FQDN: dc.support.htb
Derived membership: domain member
Derived domain: SUPPORT
=========================================
| RPC Session Check on 10.10.11.174 |
=========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for user session
[+] Server allows session using username 'ldap', password 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
[*] Check for random user
[+] Server allows session using username 'jpvkejxq', password 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
[H] Rerunning enumeration with user 'jpvkejxq' might give more results
===================================================
| Domain Information via RPC for 10.10.11.174 |
===================================================
[+] Domain: SUPPORT
[+] Domain SID: S-1-5-21-1677581083-3380853377-188903654
[+] Membership: domain member
===============================================
| OS Information via RPC for 10.10.11.174 |
===============================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[+] Found OS information via 'srvinfo'
[+] After merging OS information we have the following result:
OS: Windows 10, Windows Server 2019, Windows Server 2016
OS version: '10.0'
OS release: ''
OS build: '20348'
Native OS: not supported
Native LAN manager: not supported
Platform id: '500'
Server type: '0x80102b'
Server type string: Wk Sv PDC Tim NT
=====================================
| Users via RPC on 10.10.11.174 |
=====================================
[*] Enumerating users via 'querydispinfo'
[+] Found 20 user(s) via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 20 user(s) via 'enumdomusers'
[+] After merging user results we have 20 user(s) total:
'1104':
username: ldap
name: (null)
acb: '0x00000210'
description: (null)
'1105':
username: support
name: (null)
acb: '0x00000210'
description: (null)
'1106':
username: smith.rosario
name: (null)
acb: '0x00000210'
description: (null)
'1107':
username: hernandez.stanley
name: (null)
acb: '0x00000210'
description: (null)
'1108':
username: wilson.shelby
name: (null)
acb: '0x00000210'
description: (null)
'500':
username: Administrator
name: (null)
acb: '0x00000010'
description: Built-in account for administering the computer/domain
'501':
username: Guest
name: (null)
acb: '0x00000214'
description: Built-in account for guest access to the computer/domain
'502':
username: krbtgt
name: (null)
acb: '0x00000011'
description: Key Distribution Center Service Account
======================================
| Groups via RPC on 10.10.11.174 |
======================================
[*] Enumerating local groups
[+] Found 5 group(s) via 'enumalsgroups domain'
[*] Enumerating builtin groups
[+] Found 28 group(s) via 'enumalsgroups builtin'
[*] Enumerating domain groups
[+] Found 16 group(s) via 'enumdomgroups'
[+] After merging groups results we have 49 group(s) total:
'1101':
groupname: DnsAdmins
type: local
'1102':
groupname: DnsUpdateProxy
type: domain
'1103':
groupname: Shared Support Accounts
type: domain
'498':
groupname: Enterprise Read-only Domain Controllers
type: domain
'512':
groupname: Domain Admins
type: domain
'513':
groupname: Domain Users
type: domain
'514':
groupname: Domain Guests
type: domain
'515':
groupname: Domain Computers
type: domain
'516':
groupname: Domain Controllers
type: domain
'517':
groupname: Cert Publishers
type: local
'518':
groupname: Schema Admins
type: domain
'519':
groupname: Enterprise Admins
type: domain
'520':
groupname: Group Policy Creator Owners
type: domain
'521':
groupname: Read-only Domain Controllers
type: domain
'522':
groupname: Cloneable Domain Controllers
type: domain
'525':
groupname: Protected Users
type: domain
'526':
groupname: Key Admins
type: domain
'527':
groupname: Enterprise Key Admins
type: domain
'544':
groupname: Administrators
type: builtin
'545':
groupname: Users
type: builtin
'546':
groupname: Guests
type: builtin
'548':
groupname: Account Operators
type: builtin
'549':
groupname: Server Operators
type: builtin
'550':
groupname: Print Operators
type: builtin
'551':
groupname: Backup Operators
type: builtin
'552':
groupname: Replicator
type: builtin
'553':
groupname: RAS and IAS Servers
type: local
'554':
groupname: Pre-Windows 2000 Compatible Access
type: builtin
'555':
groupname: Remote Desktop Users
type: builtin
'556':
groupname: Network Configuration Operators
type: builtin
'557':
groupname: Incoming Forest Trust Builders
type: builtin
'558':
groupname: Performance Monitor Users
type: builtin
'559':
groupname: Performance Log Users
type: builtin
'560':
groupname: Windows Authorization Access Group
type: builtin
'561':
groupname: Terminal Server License Servers
type: builtin
'562':
groupname: Distributed COM Users
type: builtin
'568':
groupname: IIS_IUSRS
type: builtin
'569':
groupname: Cryptographic Operators
type: builtin
'571':
groupname: Allowed RODC Password Replication Group
type: local
'572':
groupname: Denied RODC Password Replication Group
type: local
'573':
groupname: Event Log Readers
type: builtin
'574':
groupname: Certificate Service DCOM Access
type: builtin
'575':
groupname: RDS Remote Access Servers
type: builtin
'576':
groupname: RDS Endpoint Servers
type: builtin
'577':
groupname: RDS Management Servers
type: builtin
'578':
groupname: Hyper-V Administrators
type: builtin
'579':
groupname: Access Control Assistance Operators
type: builtin
'580':
groupname: Remote Management Users
type: builtin
'582':
groupname: Storage Replica Administrators
type: builtin
======================================
| Shares via RPC on 10.10.11.174 |
======================================
[*] Enumerating shares
[+] Found 6 share(s):
ADMIN$:
comment: Remote Admin
type: Disk
C$:
comment: Default share
type: Disk
IPC$:
comment: Remote IPC
type: IPC
NETLOGON:
comment: Logon server share
type: Disk
SYSVOL:
comment: Logon server share
type: Disk
support-tools:
comment: support staff tools
type: Disk
[*] Testing share ADMIN$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share C$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share IPC$
[+] Mapping: OK, Listing: NOT SUPPORTED
[*] Testing share NETLOGON
[+] Mapping: OK, Listing: OK
[*] Testing share SYSVOL
[+] Mapping: OK, Listing: OK
[*] Testing share support-tools
[+] Mapping: OK, Listing: OK
=========================================
| Policies via RPC for 10.10.11.174 |
=========================================
[*] Trying port 445/tcp
[+] Found policy:
Domain password information:
Password history length: 24
Minimum password length: 7
Maximum password age: not set
Password properties:
- DOMAIN_PASSWORD_COMPLEX: true
- DOMAIN_PASSWORD_NO_ANON_CHANGE: false
- DOMAIN_PASSWORD_NO_CLEAR_CHANGE: false
- DOMAIN_PASSWORD_LOCKOUT_ADMINS: false
- DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: false
- DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: false
Domain lockout information:
Lockout observation window: 30 minutes
Lockout duration: 30 minutes
Lockout threshold: None
Domain logoff information:
Force logoff time: not set
=========================================
| Printers via RPC for 10.10.11.174 |
=========================================
[+] No printers available
Completed after 68.23 seconds
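The 'acb' values and the "Lockout threshold: None" line in the output above are the parts a defender should act on. The following is an added Python example (not part of enum4linux-ng or the original page) that decodes the SAMR account-control bits behind 'acb' and flags enabled accounts whose password never expires or is not required, plus a domain with no lockout threshold; the ACB_* bit values are assumed from Samba's samr.idl and the sample excerpt is constructed from the output format shown above.

```python
import re

# SAMR account-control (ACB_*) bits; values assumed from Samba's samr.idl.
ACB_FLAGS = {
    0x0001: "DISABLED",
    0x0004: "PWNOTREQ",  # no password required
    0x0010: "NORMAL",    # ordinary user account
    0x0200: "PWNOEXP",   # password never expires
}

def decode_acb(acb):  # names of the ACB bits set in an 'acb' value, sorted
    return sorted(name for bit, name in ACB_FLAGS.items() if acb & bit)

def parse_users(text):
    """Map username -> acb integer from a 'Users via RPC' section."""
    users, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"username:\s*(\S+)$", line):
            current = m.group(1)
        elif (m := re.match(r"acb:\s*'(0x[0-9a-fA-F]+)'$", line)) and current:
            users[current] = int(m.group(1), 16)
            current = None
    return users

def audit(text):
    """Return (subject, issue) findings a defender would act on."""
    findings = []
    for name, acb in parse_users(text).items():
        flags = decode_acb(acb)
        if "DISABLED" in flags:
            continue  # a disabled account is not a live risk
        if "PWNOTREQ" in flags:
            findings.append((name, "password not required"))
        if "PWNOEXP" in flags:
            findings.append((name, "password never expires"))
    # 'Lockout threshold: None' means unlimited password guesses per account
    if not re.search(r"Lockout threshold:\s*\d+", text):
        findings.append(("domain", "no account lockout threshold"))
    return findings

# Constructed excerpt in enum4linux-ng's output format (not a live capture).
SAMPLE = """\
  username: Guest
  acb: '0x00000214'
  username: krbtgt
  acb: '0x00000011'
  Lockout threshold: None
"""
```

Running audit(SAMPLE) reports Guest twice (password not required, password never expires) and the missing lockout threshold, while the disabled krbtgt account is skipped.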