enum4linux
Enum4linux enumerates information from Windows and Samba systems using the Samba client tools. It provides functionality similar to the former enum.exe, with added features such as RID cycling.
Description
Enum4linux is a Perl wrapper around Samba tools such as smbclient, rpcclient, net and nmblookup for enumerating information from Windows and Samba systems. It replicates the functionality of enum.exe from www.bindview.com and adds extras such as RID cycling, which works against hosts with RestrictAnonymous set to 1 on Windows NT/2000 or the equivalent settings on XP/2003. Key features include user listing when RestrictAnonymous is 0 on Windows 2000, group membership information, share enumeration, workgroup/domain detection, OS identification, and password policy retrieval via polenum.
Use cases involve reconnaissance against Windows/Samba hosts to gather user lists, shares, groups, machines, printers, OS details and password policies. It is particularly useful for RID cycling, which extracts users from hosts whose anonymous access is restricted, a configuration common on domain controllers and Samba servers. Known usernames such as administrator, guest and krbtgt are used to look up the domain SID that RID cycling is then built on.
The tool requires the samba package, with polenum as a dependency for password-policy retrieval. On Samba servers, user RIDs often fall in the 3000-3050 range rather than the Windows defaults.
How It Works
Enum4linux operates as a Perl script wrapping the Samba client tools: smbclient for shares, rpcclient for RPC queries, net for network information and nmblookup for NetBIOS. It performs RID cycling by appending each RID in ranges such as 500-550,1000-1050 to the domain SID and looking the resulting SID up, stopping a range after a run of consecutive lookup failures. LDAP queries on 389/TCP provide limited domain controller information. Password policies are retrieved with polenum. It detects workgroups/domains via NetBIOS, lists users and groups via RPC when anonymous access allows it, and brute-forces share names from a wordlist if one is specified.
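The RID-cycling loop described above, as an added example that is not enum4linux's own code: it parses a range spec in the tool's `500-550,1000-1050` format, builds candidate SIDs from a domain SID, and stops a range after a configurable number of consecutive misses. The domain SID, the `SAMPLE_DIRECTORY` contents (apart from the well-known RIDs 500-502) and the `sample_lookup` stub standing in for the RPC SID-to-name lookup are all constructed for this example, as is the `max_misses` cutoff, which the page describes only as "consecutive failures". It is useful for an auditor reading tool output, because it shows how a gap in RID allocation interacts with the cutoff and can hide accounts.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample directory: RID -> account name. RIDs 500-502 are the real
# Windows well-known accounts; the remaining entries are invented for this example.
SAMPLE_DIRECTORY: Dict[int, str] = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    1000: "svc_backup",
    1001: "jsmith",
    1004: "acarter",
    3000: "samba-user1",
}

# Constructed domain SID (S-1-5-21-<three sub-authorities>); not a real domain.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def parse_rid_ranges(spec: str) -> List[Tuple[int, int]]:
    """Parse a spec such as '500-550,1000-1050' into inclusive (low, high) pairs.

    A bare number is treated as a single-element range.
    """
    ranges: List[Tuple[int, int]] = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low, high = part.split("-", 1)
            low_i, high_i = int(low), int(high)
        else:
            low_i = high_i = int(part)
        if low_i > high_i:
            raise ValueError(f"bad RID range {part!r}")
        ranges.append((low_i, high_i))
    return ranges


def sid_for_rid(domain_sid: str, rid: int) -> str:
    """Append a RID to the domain SID to form a full account SID."""
    return f"{domain_sid}-{rid}"


def sample_lookup(sid: str) -> Optional[str]:
    """Stub for the SID-to-name lookup; returns None for unknown SIDs (constructed)."""
    prefix = DOMAIN_SID + "-"
    if not sid.startswith(prefix):
        return None
    return SAMPLE_DIRECTORY.get(int(sid[len(prefix):]))


def cycle_rids(
    domain_sid: str,
    spec: str,
    lookup: Callable[[str], Optional[str]],
    max_misses: int = 3,
) -> Dict[int, str]:
    """Walk each RID range, resolving SIDs until max_misses consecutive misses.

    Returns the RIDs that resolved, with their account names. A range is
    abandoned as soon as max_misses consecutive lookups fail, so accounts that
    sit beyond a larger gap in RID allocation are never reached.
    """
    found: Dict[int, str] = {}
    for low, high in parse_rid_ranges(spec):
        misses = 0
        for rid in range(low, high + 1):
            name = lookup(sid_for_rid(domain_sid, rid))
            if name is None:
                misses += 1
                if misses >= max_misses:
                    break  # give up on the rest of this range
                continue
            misses = 0
            found[rid] = name
    return found


if __name__ == "__main__":
    for rid, name in sorted(cycle_rids(DOMAIN_SID, "500-550,1000-1050,3000-3050", sample_lookup).items()):
        print(f"{sid_for_rid(DOMAIN_SID, rid)}  {name}")
```

With `max_misses=3` the account at RID 1004 is found because only two RIDs (1002 and 1003) are missing before it; with `max_misses=2` the 1000-1050 range is abandoned after RID 1003 and 1004 never appears. When reviewing what an anonymous caller can enumerate, treat a short output as "this is what the cutoff reached", not "this is every account".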
Installation
sudo apt install enum4linux
Flags
Examples
enum4linux -U -o 192.168.1.200
enum4linux -h
enum4linux -a 192.168.1.200
enum4linux -r 192.168.1.200
enum4linux -U -d 192.168.1.200
enum4linux -S 192.168.1.200
enum4linux -G 192.168.1.200