enum4linux-ng
A next generation version of enum4linux
enum4linux-ng.py is a rewrite of Mark Lowe's (formerly Portcullis Labs, now CiscoCXSecurityLabs) enum4linux.pl, a tool for enumerating information from Windows and Samba systems, aimed at security professionals and CTF players. The tool is mainly a wrapper around the Samba tools nmblookup, net, rpcclient and smbclient.
I made it for educational purposes for myself and to overcome issues with enum4linux.pl. It has the same functionality as the original tool. Unlike the original tool, it parses all output of the Samba tools and allows exporting all findings as a YAML or JSON file. The idea behind this is to allow other tools to import the findings and process them further. It is planned to add new features in the future.
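As an added example of the "import the findings and process them further" idea (this is not code from the enum4linux-ng project), the following consumer loads an exported findings file and turns a few fields into a defender-facing hardening checklist. The sample document and its key names are constructed assumptions for this example, not the tool's documented schema; compare them with a real -oJ/-oY export before relying on them.

```python
import json
from typing import Any

# Constructed sample of an exported findings file. The key names are an
# ASSUMPTION for this example, not the documented enum4linux-ng schema.
SAMPLE_EXPORT = json.dumps({
    "target": {"host": "10.10.10.182"},
    "smb_dialects": {"SMB1 only": False, "Preferred dialect": "SMB 3.0",
                     "SMB signing required": False},
    "sessions": {"null_session_possible": True,
                 "random_user_session_possible": False},
    "shares": {"ADMIN$": {"access": {"mapping": "denied", "listing": "n/a"}},
               "Public": {"access": {"mapping": "ok", "listing": "ok"}}},
    "users": {"1000": {"username": "Tester"}},
})


def load_findings(text: str) -> dict[str, Any]:
    """Parse a JSON export. A YAML export would be parsed with
    yaml.safe_load from PyYAML instead; JSON keeps this example dependency-free."""
    return json.loads(text)


def hardening_findings(doc: dict[str, Any]) -> list[str]:
    """Map enumerated facts to remediation items for the host owner."""
    issues: list[str] = []
    dialects = doc.get("smb_dialects", {})
    if dialects.get("SMB1 only"):
        issues.append("host only speaks SMBv1: disable SMBv1 and update clients")
    if dialects.get("SMB signing required") is False:
        issues.append("SMB signing not required: enforce signing to prevent relay")
    if doc.get("sessions", {}).get("null_session_possible"):
        issues.append("null session allowed: restrict anonymous SMB access")
    for name, share in doc.get("shares", {}).items():
        if share.get("access", {}).get("listing") == "ok":
            issues.append(f"share {name} is listable: review its share and NTFS ACLs")
    if doc.get("users"):
        issues.append(f"{len(doc['users'])} user account(s) enumerable remotely: "
                      "review anonymous SAMR/LSA access")
    return issues


if __name__ == "__main__":
    for issue in hardening_findings(load_findings(SAMPLE_EXPORT)):
        print("-", issue)
```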
Features
- support for YAML and JSON output
- colored console output
- ldapsearch and polenum are natively implemented
- support for legacy SMBv1 connections
- auto detection of IPC signing support
- 'smart' enumeration will automatically disable tests which would otherwise fail
- IPv6 support (experimental)
Credits
I'd like to give credit to Mark Lowe for creating the original enum4linux.pl. In addition, I'd like to thank and give credit to Wh1t3Fox for creating polenum. It was lots of fun reading your code. :)
Legal note
If you use the tool: Don't use it for illegal purposes.
Run
- Install dependencies (various options)
- Clone the repository:
$ git clone https://github.com/cddmp/enum4linux-ng && cd enum4linux-ng
- Run, e.g.:
$ ./enum4linux-ng.py -As 10.10.10.182 -oY enum.yaml
If you prefer a Docker based installation, an example run can be found below.
Demo
This demonstrates a run against a Windows Server 2012 R2 standard installation. A user 'Tester' with password 'Start123!' was created. Firewall access was allowed. Once the enumeration is finished, I scroll up so that the results become clearer. Since no other enumeration option is specified, the tool assumes -A, which behaves similarly to the enum4linux -a option. User and password are passed in. The -oY option exports all enumerated data as a YAML file, enum.yaml, for further processing. At the beginning, the tool automatically detects that LDAP is not running on the remote host. It therefore skips any further LDAP checks which would normally be part of the default enumeration.
The second demo shows a run against Metasploitable2. This time the -A and -C options are used. While the first behaves similarly to the enum4linux -a option, the second enables enumeration of services. This time no credentials were provided. The tool automatically detects that it needs to use SMBv1. No YAML or JSON file is written. Again I scroll up so that the results become clearer.
Installing dependencies
The tool uses the Samba client tools, namely:
- nmblookup
- net
- rpcclient
- smbclient
These should be available for nearly all Linux distributions. The package is typically called smbclient, samba-client or something similar.
In addition, you will need the following Python packages:
- ldap3
- PyYaml
- impacket
Some installation examples for specific Linux distributions are listed below. Alternatively, distribution-agnostic ways (python pip, python virtual env and Docker) are possible.
Linux distribution specific
ArchLinux
# pacman -S smbclient python-ldap3 python-yaml impacket
Fedora/CentOS/RHEL
(tested on Fedora Workstation 31)
# dnf install samba-common-tools samba-client python3-ldap3 python3-pyyaml python3-impacket
Kali Linux/Debian/Ubuntu
(tested on Kali Linux 2020.1, recent Debian versions like Buster should work)
# apt install smbclient python3-ldap3 python3-yaml python3-impacket
Linux distribution-agnostic
Python pip
Depending on the Linux distribution either pip3 or pip is needed:
$ pip install pyyaml ldap3 impacket
Alternative:
$ pip install -r requirements.txt
Remember you still need to install the Samba tools as mentioned above.
Python virtual environment
$ git clone https://github.com/cddmp/enum4linux-ng
$ cd enum4linux-ng
$ python3 -m venv venv
$ source venv/bin/activate
$ pip install -r requirements.txt
Remember you still need to install the Samba tools as mentioned above.
Docker
$ git clone https://github.com/cddmp/enum4linux-ng
$ docker build enum4linux-ng --tag enum4linux-ng
Once finished, an example run could look like this:
$ docker run -t enum4linux-ng -As 1.2.3.4