ENUM4LINUX-NG

INSTALLATION

root@oco:~$ git clone https://github.com/cddmp/enum4linux-ng.git
root@oco:~$ cd enum4linux-ng
root@oco:~$ pip3 install -r requirements.txt

USAGE

root@oco:~$ ./enum4linux-ng.py 10.129.14.128 -A
 ENUM4LINUX - next generation

  ==========================
 |    Target Information    |
  ==========================
 [*] Target ........... 10.129.14.128
 [*] Username ......... ''
 [*] Random Username .. 'juzgtcsu'
 [*] Password ......... ''
 [*] Timeout .......... 5 second(s)

  =====================================
 |    Service Scan on 10.129.14.128    |
  =====================================
 [*] Checking LDAP
 [-] Could not connect to LDAP on 389/tcp: connection refused
 [*] Checking LDAPS
 [-] Could not connect to LDAPS on 636/tcp: connection refused
 [*] Checking SMB
 [+] SMB is accessible on 445/tcp
 [*] Checking SMB over NetBIOS
 [+] SMB over NetBIOS is accessible on 139/tcp

  =====================================================
 |    NetBIOS Names and Workgroup for 10.129.14.128    |
  =====================================================
 [+] Got domain/workgroup name: DEVOPS
 [+] Full NetBIOS names information:
 - DEVSMB          <00> -         H <ACTIVE>  Workstation Service
 - DEVSMB          <03> -         H <ACTIVE>  Messenger Service
 - DEVSMB          <20> -         H <ACTIVE>  File Server Service
 - ..__MSBROWSE__. <01> - <GROUP> H <ACTIVE>  Master Browser
 - DEVOPS          <00> - <GROUP> H <ACTIVE>  Domain/Workgroup Name
 - DEVOPS          <1d> -         H <ACTIVE>  Master Browser
 - DEVOPS          <1e> - <GROUP> H <ACTIVE>  Browser Service Elections
 - MAC Address = 00-00-00-00-00-00

  ==========================================
 |    SMB Dialect Check on 10.129.14.128    |
  ==========================================
 [*] Trying on 445/tcp
 [+] Supported dialects and settings:
 SMB 1.0: false
 SMB 2.02: true
 SMB 2.1: true
 SMB 3.0: true
 SMB1 only: false
 Preferred dialect: SMB 3.0
 SMB signing required: false

  ==========================================
 |    RPC Session Check on 10.129.14.128    |
  ==========================================
 [*] Check for null session
 [+] Server allows session using username '', password ''
 [*] Check for random user session
 [+] Server allows session using username 'juzgtcsu', password ''
 [H] Rerunning enumeration with user 'juzgtcsu' might give more results

  ====================================================
 |    Domain Information via RPC for 10.129.14.128    |
  ====================================================
 [+] Domain: DEVOPS
 [+] SID: NULL SID
 [+] Host is part of a workgroup (not a domain)

  ============================================================
 |    Domain Information via SMB session for 10.129.14.128    |
  ============================================================
 [*] Enumerating via unauthenticated SMB session on 445/tcp
 [+] Found domain information via SMB
 NetBIOS computer name: DEVSMB
 NetBIOS domain name: ''
 DNS domain: ''
 FQDN: htb

  ================================================
 |    OS Information via RPC for 10.129.14.128    |
  ================================================
 [*] Enumerating via unauthenticated SMB session on 445/tcp
 [+] Found OS information via SMB
 [*] Enumerating via 'srvinfo'
 [+] Found OS information via 'srvinfo'
 [+] After merging OS information we have the following result:
 OS: Windows 7, Windows Server 2008 R2
 OS version: '6.1'
 OS release: ''
 OS build: '0'
 Native OS: not supported
 Native LAN manager: not supported
 Platform id: '500'
 Server type: '0x809a03'
 Server type string: Wk Sv PrQ Unx NT SNT DEVSM

  ======================================
 |    Users via RPC on 10.129.14.128    |
  ======================================
 [*] Enumerating users via 'querydispinfo'
 [+] Found 2 users via 'querydispinfo'
 [*] Enumerating users via 'enumdomusers'
 [+] Found 2 users via 'enumdomusers'
 [+] After merging user results we have 2 users total:
 '1000':
   username: mrb3n
   name: ''
   acb: '0x00000010'
   description: ''
 '1001':
   username: cry0l1t3
   name: cry0l1t3
   acb: '0x00000014'
   description: ''

  =======================================
 |    Groups via RPC on 10.129.14.128    |
  =======================================
 [*] Enumerating local groups
 [+] Found 0 group(s) via 'enumalsgroups domain'
 [*] Enumerating builtin groups
 [+] Found 0 group(s) via 'enumalsgroups builtin'
 [*] Enumerating domain groups
 [+] Found 0 group(s) via 'enumdomgroups'

  =======================================
 |    Shares via RPC on 10.129.14.128    |
  =======================================
 [*] Enumerating shares
 [+] Found 5 share(s):
 IPC$:
   comment: IPC Service (DEVSM)
   type: IPC
 dev:
   comment: DEVenv
   type: Disk
 home:
   comment: INFREIGHT Samba
   type: Disk
 notes:
   comment: CheckIT
   type: Disk
 print$:
   comment: Printer Drivers
   type: Disk
 [*] Testing share IPC$
 [-] Could not check share: STATUS_OBJECT_NAME_NOT_FOUND
 [*] Testing share dev
 [-] Share doesn't exist
 [*] Testing share home
 [+] Mapping: OK, Listing: OK
 [*] Testing share notes
 [+] Mapping: OK, Listing: OK
 [*] Testing share print$
 [+] Mapping: DENIED, Listing: N/A

  ==========================================
 |    Policies via RPC for 10.129.14.128    |
  ==========================================
 [*] Trying port 445/tcp
 [+] Found policy:
 domain_password_information:
   pw_history_length: None
   min_pw_length: 5
   min_pw_age: none
   max_pw_age: 49710 days 6 hours 21 minutes
   pw_properties:
   - DOMAIN_PASSWORD_COMPLEX: false
   - DOMAIN_PASSWORD_NO_ANON_CHANGE: false
   - DOMAIN_PASSWORD_NO_CLEAR_CHANGE: false
   - DOMAIN_PASSWORD_LOCKOUT_ADMINS: false
   - DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: false
   - DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: false
 domain_lockout_information:
   lockout_observation_window: 30 minutes
   lockout_duration: 30 minutes
   lockout_threshold: None
 domain_logoff_information:
   force_logoff_time: 49710 days 6 hours 21 minutes

  ==========================================
 |    Printers via RPC for 10.129.14.128    |
  ==========================================
 [+] No printers returned (this is not an error)

 Completed after 0.61 seconds
