⚠️ Authorised Networks Only: Enum4linux sends SMB enumeration queries to target machines. Only run it against your own lab, Metasploitable, authorised assessment targets, or TryHackMe/HackTheBox machines. Running it against any real network without written authorisation is illegal.
Enum4linux tutorial Kali Linux …. the moment you discover a Windows or Samba server on a network, this is the tool you run. Not Nmap’s SMB scripts first. Not manual rpcclient queries. Enum4linux. One command, full enumeration: every user account, every share, the password policy, the OS version, the workgroup, group memberships — all extracted through SMB’s null session mechanism before you have a single credential. By the time you type the next command, you already know what accounts exist, which shares might contain something interesting, and whether the password policy makes brute force viable. Today you are learning exactly how.
🎯 What You’ll Master in Day 15
Understand what SMB null sessions expose and why they exist
Run full enum4linux enumeration against Metasploitable and Windows targets
Extract user lists using RID cycling — finding hidden service accounts
Identify readable shares that contain sensitive data
Use enum4linux-ng for modern Windows Server targets that block the original
⏱️ 45 min read · 3 hands-on exercises
📋 What You’ll Master — Enum4linux Tutorial Kali Linux 2026
What Enum4linux Does and Why SMB Null Sessions Expose So Much
Enum4linux is a Perl wrapper that automates a series of SMB enumeration queries against Windows and Samba servers. It uses several underlying tools — smbclient for share listing, rpcclient for RPC-based queries, net for group and policy information — and combines their output into a single structured enumeration report.
The reason enum4linux extracts so much information from unauthenticated connections comes down to SMB’s null session feature. A null session is an anonymous, unauthenticated SMB connection. Older Windows configurations (pre-Server 2008) and most Samba installations allow null sessions that expose the IPC$ share — a special inter-process communication share that accepts a range of RPC queries without credentials. Through IPC$, an unauthenticated attacker can query user accounts, group memberships, and domain policy information that most administrators assume is private.
🧠 EXERCISE 1 — THINK LIKE A HACKER (8 MIN · NO TOOLS)
Plan Your SMB Enumeration Strategy for an Internal Assessment
⏱️ Time: 8 minutes · Paper or text editor
You have just completed a Netdiscover sweep of 192.168.10.0/24
and found 14 live hosts. A quick nmap -sV pass shows:
– 192.168.10.5 → ports 139, 445 open (Windows Server, SMB)
– 192.168.10.12 → ports 139, 445 open (Linux/Samba)
– 192.168.10.20 → ports 139, 445 open (Windows Server, SMB)
Before running any tool, answer these questions:
1. In what order would you enumerate these three hosts and why?
(Hint: which is likely most vulnerable to null sessions?)
2. What five specific pieces of information would you most
want to extract from each host via SMB enumeration?
3. If enum4linux returns a user named “svc_sql” on 10.5 —
what does that tell you and what would you do next?
4. If the password policy shows “Min length: 0, No lockout” —
what attack does this immediately enable against the user list?
5. If a share named “IT_Backups” appears with anonymous READ
access — what should you do before running any other tool?
✅ Answer key: (1) Linux/Samba first — most likely to allow null sessions. Modern Windows blocks them by default. (2) User list, groups, shares, password policy, OS version. (3) svc_sql = SQL Server service account — likely has local admin on the database server, try password spraying against it with common service account passwords. (4) No lockout + no minimum length = online brute force with Hydra is viable without triggering lockout. (5) Manually browse the share with smbclient before automated tools — backup shares often contain credential files, config exports, and database dumps. Reading them first before any noise is generated is the professional approach.
📸 Write your five answers and share in #day-15-enum4linux on Discord.
The Full Enumeration Scan — Every Flag You Need
ENUM4LINUX — INSTALL AND CORE FLAGS
# Verify enum4linux is installed
enum4linux –help
# Install if missing
sudo apt update && sudo apt install enum4linux -y
# THE KEY FLAGS:
-a Run ALL checks (equivalent to -U -S -G -P -r -o -n -i)
-U Enumerate users
-S Enumerate shares
-G Enumerate groups
-P Get password policy
-r Enumerate users via RID cycling
-o Get OS information
-n Do an nmblookup (similar to nbtstat)
-u Specify username (blank for null session)
-p Specify password
# FULL RUN — most common command:
enum4linux -a 192.168.56.102
# With explicit null session:
enum4linux -a -u “” -p “” 192.168.56.102
# Save output to file:
enum4linux -a 192.168.56.102 | tee enum4linux_results.txt
securityelites.com
Enum4linux Full Scan Output — Metasploitable 2
=== Users on 192.168.56.102 via RID cycling ===
user:[root] rid:[0x3e8]
user:[daemon] rid:[0x3ea]
user:[msfadmin] rid:[0x3f2]
user:[postgres] rid:[0x3f8]
user:[service] rid:[0x3fe]
…
=== Share Enumeration on 192.168.56.102 ===
Sharename Type Comment
IPC$ IPC IPC Service (metasploitable server)
tmp Disk oh noes!
…
=== Password Policy on 192.168.56.102 ===
Minimum password length: 0
Account lockout threshold: None
📸 Enum4linux full scan against Metasploitable 2 — user list via RID cycling, accessible shares including tmp, and a password policy showing no minimum length and no lockout — every attacker’s ideal target.
RID Cycling — Finding Every User Account Including Hidden Ones
RID cycling is the most valuable enum4linux technique for professional assessments. Standard user enumeration queries only return users in visible groups. RID cycling bypasses this by iterating through Windows Security Identifier RID values — every account has one, and by querying sequentially from RID 500 (always Administrator) through 1200+, you find every account that exists regardless of group visibility.
⚡ EXERCISE 2 — KALI TERMINAL (20 MIN)
Run Enum4linux Against Metasploitable and Extract the Full User and Share List
⏱️ Time: 20 minutes · Kali VM + Metasploitable 2 on Host-Only network
FULL ENUM4LINUX LAB — METASPLOITABLE
# Step 1: Confirm Metasploitable is reachable on SMB
nmap -p 139,445 192.168.56.102
139/tcp open netbios-ssn | 445/tcp open microsoft-ds
# Step 2: Full enum4linux scan
enum4linux -a 192.168.56.102 | tee /tmp/enum_results.txt
grep -A 10 “Password Policy” /tmp/enum_results.txt
# Step 7: RID cycling with extended range
enum4linux -r -R 500-700 192.168.56.102
# Compare full list vs standard -U enumeration
✅ What you just learned: The users.txt file you created in Step 3 is the foundation for the next phase — password spraying and brute force. Every username in that file is a potential credential target. The share browsing in Step 5 is critical — the /tmp share on Metasploitable is readable and sometimes contains interesting files. The password policy in Step 6 (min length 0, no lockout) means Hydra can brute force those usernames without ever triggering an account lockout. In a real assessment, this sequence — find users, find shares, read policy, plan attacks — is the complete SMB enumeration workflow.
📸 Screenshot enum4linux output showing the user list and password policy and share in #day-15-enum4linux on Discord. Tag #enum4linux2026
Share Enumeration and Password Policy Extraction
The two most actionable outputs from enum4linux are the share list and the password policy. Shares with READ access that are not explicitly protected are the first place experienced penetration testers look for immediate findings — IT backup shares, configuration exports, and database dumps accessed anonymously are consistently Critical-severity findings in real assessments.
SHARE ACCESS AND SMBCLIENT BROWSING
# List shares anonymously
enum4linux -S 192.168.56.102
# Manual smbclient share browsing — null session
smbclient -L //192.168.56.102 -N
# Connect to a specific share
smbclient //192.168.56.102/ShareName -N
# List all files recursively once connected
smb: \> recurse on
smb: \> ls
# Download all files from the share
smb: \> mget *
# CrackMapExec alternative — faster for large networks
Enum4linux-ng — The Modern Replacement for Windows Server 2016+
The original enum4linux fails against modern Windows Server 2016, 2019, and 2022 targets because Microsoft progressively restricted null session access starting with Windows Vista and completing that restriction in Server 2016. Enum4linux-ng is a Python3 rewrite that supports authenticated enumeration more robustly, handles SMBv2/v3, and produces JSON output that integrates cleanly into automated recon pipelines.
⚡ EXERCISE 3 — KALI TERMINAL (15 MIN)
Compare Enum4linux vs Enum4linux-ng Output Against Metasploitable
⏱️ Time: 15 minutes · Kali terminal
ENUM4LINUX-NG — INSTALL AND COMPARISON
# Install enum4linux-ng
sudo apt install enum4linux-ng -y
# Or via pip:
pip install enum4linux-ng –break-system-packages
# Run full scan against Metasploitable
enum4linux-ng -A 192.168.56.102
# Output in JSON format (for automation)
enum4linux-ng -A 192.168.56.102 -oJ results.json
# Output in YAML format
enum4linux-ng -A 192.168.56.102 -oY results.yaml
# Authenticated enumeration (Windows Server 2016+)
enum4linux-ng -A 192.168.10.5 -u administrator -p Password123
✅ What you just learned: Enum4linux-ng’s JSON output is the key differentiator for professional work — it allows you to pipe the results directly into Python scripts, reporting frameworks, or databases. The authenticated enumeration flag is what makes it functional against hardened modern Windows targets where the original enum4linux returns nothing. In real assessments, you run enum4linux first for speed, then enum4linux-ng if the original fails or returns incomplete data. Knowing both tools ensures you never miss SMB enumeration results simply because the target runs a modern OS.
📸 Screenshot the enum4linux-ng JSON output and share in #day-15-enum4linux on Discord.
The Complete SMB Enumeration Workflow for Internal Assessments
COMPLETE SMB ENUMERATION WORKFLOW
# Phase 1: Identify SMB hosts from Netdiscover/Nmap results
Enum4linux returns 12 usernames from a target. The password policy shows minimum password length 0 and account lockout threshold “None”. You notice a username “svc_mssql” in the list. What is the most important next action?
📋 Commands Used Today — Day 15 Reference Card
enum4linux -a TARGET_IPFull enumeration — users, shares, groups, policy, OS info
enum4linux -r -R 500-700 TARGETRID cycling — finds hidden accounts not in standard group queries
enum4linux -S TARGET_IPShare enumeration only — faster when just checking shares
enum4linux -P TARGET_IPPassword policy — check lockout before running brute force
enum4linux-ng -A TARGET_IPModern replacement — works on Windows Server 2016+ targets
crackmapexec smb SUBNET –sharesFast share enumeration across entire subnet
🏆 Mark Day 15 as Complete
You can now perform complete SMB enumeration against Windows and Samba targets — extracting users via RID cycling, identifying accessible shares, and reading password policies to determine attack viability. This is a foundational internal network assessment skill used on every engagement.
❓ Frequently Asked Questions
What is Enum4linux and what does it enumerate?
Enum4linux enumerates Windows and Samba SMB servers — extracting user accounts via RID cycling and null sessions, shared folder names and permissions, domain password policy, OS information, workgroup/domain name, and group memberships. It wraps smbclient, rpcclient, net, and nmblookup into a single automated run.
What is the difference between enum4linux and enum4linux-ng?
Enum4linux is the original Perl tool. Enum4linux-ng is a Python3 rewrite with better Windows Server 2016+ support, improved error handling, and JSON/YAML output. Use enum4linux for older Windows/Samba; use enum4linux-ng for modern targets and automation pipelines.
Does enum4linux require credentials?
No — it uses null sessions (unauthenticated SMB connections) by default. Authenticated enumeration with -u username -p password returns more data and works on systems blocking null sessions (default on Windows Server 2008+).
What is RID cycling in SMB enumeration?
RID cycling iterates through Windows Security Identifier RID values to find all accounts, including hidden service accounts not visible through standard group queries. Every Windows account has a unique RID — querying RIDs 500 through 1200+ typically reveals all domain accounts.
What comes after Enum4linux in the Kali Linux course?
Day 16 covers Dirbuster — GUI-based web directory brute forcing. After SMB enumeration reveals network-level intelligence, web directory discovery targets the web services found open on discovered hosts.
← Previous
Day 14: Netdiscover Tutorial 2026
Next →
Day 16: Dirbuster Tutorial 2026
📚 Further Reading
Netdiscover Tutorial Kali Linux 2026— Day 14 covers ARP-based host discovery that finds every live host on a local segment — the step before enum4linux in the internal network assessment workflow.
180-Day Kali Linux Mastery Course— The complete course hub — Day 15 enum4linux sits within the network enumeration phase covering Days 12–20, building from host discovery to full service enumeration.
Enum4linux-ng GitHub Repository— The official enum4linux-ng source and documentation covering all flags, JSON output format, and Windows Server 2019+ compatibility notes.
Samba Official Documentation— Understanding Samba’s SMB implementation helps explain why Linux/Samba servers often expose more via null sessions than modern Windows Server configurations.
ME
Mr Elite
Owner, SecurityElites.com
The most valuable enum4linux finding I have ever had on a professional engagement was a share called “HR_Backups” on a Linux Samba server at a mid-sized manufacturing company. The share was completely anonymous READ accessible — no credentials required. Inside was a two-year-old SQL backup of the HR database containing every employee’s salary, performance review, and in many cases personal tax identifiers. The IT team had no idea it was accessible. The Samba configuration had been copied from a template years earlier with anonymous read enabled on all shares, and nobody had audited it since. The fix took ten minutes after we reported it. The fact that it had been sitting there — exposed to every device on the network — for at least two years is a number we put in the executive report. Enum4linux, second tool run after Nmap. Found in under 30 seconds.
Leave a Reply