enum4linux包装说明

一个Linux的替代enum.exe程序用于枚举从Windows和Samba主机的数据。

概述:

Enum4linux用于枚举从Windows和Samba系统信息的工具。它试图提供类似的功能,以enum.exe程序以前可从www.bindview.com。

它是用Perl编写的基本上是围绕着桑巴工具的smbclient,rpclient,net和nmblookup的包装。

该工具的使用情况,可以发现以下后跟实施例中,工具的先前版本可以在页面的底部。

主要特征:

  • RID循环(当RestrictAnonymous的设置为1时在Windows 2000上)
  • 用户列表(当RestrictAnonymous的设定为0的Windows 2000)
  • 组成员身份信息的列表
  • 分享枚举
  • 如果检测主机处于一个工作组或域
  • 识别远程操作系统
  • 密码策略检索(使用polenum)

资料来源:https://labs.portcullis.co.uk/tool​​s/enum4linux/
enum4linux首页 | 卡利enum4linux回购

  • 作者:马克·罗威
  • 许可:GPL第二版

包含在enum4linux软件包工具

enum4linux
[email protected]:~# enum4linux -h
enum4linux v0.8.9 (http://labs.portcullis.co.uk/application/enum4linux/)
Copyright (C) 2011 Mark Lowe ([email protected])

Simple wrapper around the tools in the samba package to provide similar
functionality to enum.exe (formerly from www.bindview.com).  Some additional
features such as RID cycling have also been added for convenience.

Usage: ./enum4linux.pl [options] ip

Options are (like "enum"):
    -U        get userlist
    -M        get machine list*
    -S        get sharelist
    -P        get password policy information
    -G        get group and member list
    -d        be detailed, applies to -U and -S
    -u user   specify username to use (default "")
    -p pass   specify password to use (default "")

The following options from enum.exe aren't implemented: -L, -N, -D, -f

Additional options:
    -a        Do all simple enumeration (-U -S -G -P -r -o -n -i).
              This opion is enabled if you don't provide any other options.
    -h        Display this help message and exit
    -r        enumerate users via RID cycling
    -R range  RID ranges to enumerate (default: 500-550,1000-1050, implies -r)
    -K n      Keep searching RIDs until n consective RIDs don't correspond to
              a username.  Impies RID range ends at 999999. Useful
          against DCs.
    -l        Get some (limited) info via LDAP 389/TCP (for DCs only)
    -s file   brute force guessing for share names
    -k user   User(s) that exists on remote system (default: administrator,guest,krbtgt,domain admins,root,bin,none)
              Used to get sid with "lookupsid known_username"
              Use commas to try several users: "-k admin,user1,user2"
    -o        Get OS information
    -i        Get printer information
    -w wrkg   Specify workgroup manually (usually found automatically)
    -n        Do an nmblookup (similar to nbtstat)
    -v        Verbose.  Shows full commands being run (net, rpcclient, etc.)

RID cycling should extract a list of users from Windows (or Samba) hosts
which have RestrictAnonymous set to 1 (Windows NT and 2000), or "Network
access: Allow anonymous SID/Name translation" enabled (XP, 2003).

NB: Samba servers often seem to have RIDs in the range 3000-3050.

Dependancy info: You will need to have the samba package installed as this
script is basically just a wrapper around rpcclient, net, nmblookup and
smbclient.  Polenum from http://labs.portcullis.co.uk/application/polenum/
is required to get Password Policy info.

enum4linux用法示例

尝试获取目标(192.168.1.200)的用户列表(-U)和操作系统信息(-o):

[email protected]:~# enum4linux -U -o 192.168.1.200
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Aug 17 12:17:32 2014

 ==========================
|    Target Information    |
 ==========================
Target ........... 192.168.1.200
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ======================================================
|    Enumerating Workgroup/Domain on 192.168.1.200   |
 ======================================================
[+] Got domain/workgroup name: KALI