
enum4linux-ng

Next generation version of enum4linux for enumerating information from Windows and Samba systems. Features JSON/YAML export and smart enumeration targeted at security professionals and CTF players.

Description

enum4linux-ng is a rewrite of the original enum4linux.pl tool by Mark Lowe, designed for enumerating information from Windows and Samba systems. It serves as a wrapper around Samba tools including nmblookup, net, rpcclient, and smbclient, providing enhanced functionality such as YAML and JSON export for further processing with other tools.

The tool performs 'smart' enumeration: it first checks whether SMB and LDAP are accessible on the target and dynamically skips irrelevant checks (e.g., LDAP checks if LDAP is not running). If SMB is accessible but no session can be established, enumeration stops. A run can be interrupted with CTRL+C; if an output option is set, the current state is saved to file.

Intended for security professionals and CTF players, it supports comprehensive enumeration of users, groups, shares, policies, and more via RPC and other protocols. Illegal use is explicitly prohibited.

How It Works

enum4linux-ng wraps Samba tools (nmblookup, net, rpcclient, smbclient) to enumerate Windows/Samba targets. It first tests whether SMB and LDAP are available and skips checks for services that are not. If SMB is accessible, a session must be established; if session setup fails, enumeration halts. It supports authentication via password, Kerberos tickets, or NTLM hashes. On SIGINT it outputs structured JSON/YAML. It uses RPC for users/groups, NetBIOS lookups, share enumeration, policy retrieval, and other techniques.

Installation

sudo apt install enum4linux-ng

Flags

-h, --help          show this help message and exit
-A                  Do all simple enumeration including nmblookup (-U -G -S -P -O -N -I -L). This option is enabled if you don't provide any other option.
-As                 Do all simple short enumeration without NetBIOS names lookup (-U -G -S -P -O -I -L)
-U                  Get users via RPC
-G                  Get groups via RPC
-Gm                 Get group membership via RPC
-S                  Get shares
-C                  Get share contents (requires credentials)
-P                  Get password policy information
-O                  Get OS information
-L                  Get LDAP information
-w DOMAIN           Specify domain
-u USER             Specify username
-p PW               Specify password
-K TICKET_FILE      Specify Kerberos ticket file
-H NTHASH           Specify NT hash
--local-auth        Use local authentication
-oJ OUT_JSON_FILE   Output results to JSON file
-oY OUT_YAML_FILE   Output results to YAML file
-oA OUT_FILE        Output results to file

Examples

Show help message and usage information:
    enum4linux-ng -h

Perform all simple enumeration (-U -G -S -P -O -N -I -L) including nmblookup on target:
    enum4linux-ng -A target_ip

Perform all simple short enumeration without NetBIOS lookup (-U -G -S -P -O -I -L):
    enum4linux-ng -As target_ip

Enumerate users via RPC:
    enum4linux-ng -U target_ip

Enumerate groups via RPC:
    enum4linux-ng -G target_ip

Enumerate shares on target:
    enum4linux-ng -S target_ip

Perform full enumeration with credentials:
    enum4linux-ng -u user -p pass -A target_ip

Run enumeration and save results to JSON file (supports CTRL+C partial save):
    enum4linux-ng -oJ results.json target_ip

Updated 2026-04-16, kali.org