Enum4linux is a tool for enumerating information from Windows and Samba systems. It is written in Perl and is essentially a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup.

Key features:

  • RID cycling (When RestrictAnonymous is set to 1 on Windows 2000)
  • User listing (When RestrictAnonymous is set to 0 on Windows 2000)
  • Listing of group membership information
  • Share enumeration
  • Detecting if host is in a workgroup or a domain
  • Identifying the remote operating system
  • Password policy retrieval

Usage: ./ [options] ip


enum4linux -v target-ip

(Shows full commands being run (net, rpcclient, etc.))

enum4linux -a target-ip

(Does everything: runs all options apart from dictionary-based share name guessing)

enum4linux -U target-ip

(Lists usernames, if the server allows it -)

enum4linux -u administrator -p password -U target-ip

(If you’ve managed to obtain credentials, you can pull a full list of users)

enum4linux -r target-ip

(Pulls usernames from the default RID range (500-550,1000-1050))

enum4linux -R 600-660 target-ip

(Pulls usernames using a custom RID range)

enum4linux -G target-ip

(Lists groups, if the server allows it; you can also specify a username with -u and a password with -p)

enum4linux -S target-ip

(Lists Windows shares; again, you can also specify a username with -u and a password with -p)

enum4linux -s shares.txt target-ip

(Performs a dictionary attack on share names, if the server doesn’t let you retrieve a share list)

enum4linux -o target-ip

(Pulls OS information using smbclient; this can reveal the service pack version on some versions of Windows)

Complete Options:

    -U        get userlist
    -M        get machine list*
    -S        get sharelist
    -P        get password policy information
    -G        get group and member list
    -d        be detailed, applies to -U and -S
    -u user   specify username to use (default “”)
    -p pass   specify password to use (default “”)
    -a        Do all simple enumeration (-U -S -G -P -r -o -n -i).
              This option is enabled if you don’t provide any other options.
    -h        Display this help message and exit
    -r        enumerate users via RID cycling
    -R range  RID ranges to enumerate (default: 500-550,1000-1050, implies -r)
    -K n      Keep searching RIDs until n consecutive RIDs don’t correspond to
              a username.  Implies RID range ends at 999999. Useful
              against DCs.
    -l        Get some (limited) info via LDAP 389/TCP (for DCs only)
    -s file   brute force guessing for share names
    -k user   User(s) that exists on remote system (default: administrator,guest,krbtgt,domain admins,root,bin,none)
              Used to get sid with “lookupsid known_username”
              Use commas to try several users: “-k admin,user1,user2”
    -o        Get OS information
    -i        Get printer information
    -w wrkg   Specify workgroup manually (usually found automatically)
    -n        Do an nmblookup (similar to nbtstat)
    -v        Verbose.  Shows full commands being run (net, rpcclient, etc.)
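
From the defender's side, the RID cycling done by -r, -R and -K appears as one source resolving a long run of consecutive RIDs in a short time. The Python below is an added example, not part of enum4linux or the original page; the (timestamp, source IP, RID) record format, the sample data and the thresholds are assumptions standing in for whatever your RPC audit log or network sensor provides.

```python
from collections import defaultdict

def longest_run(rids):
    """Length of the longest run of consecutive integers in rids."""
    seen = set(rids)
    best = 0
    for r in seen:
        if r - 1 not in seen:          # r is the first RID of a run
            n = 1
            while r + n in seen:
                n += 1
            best = max(best, n)
    return best

def detect_rid_cycling(events, window=60, min_run=20):
    """events: (epoch_seconds, source_ip, rid) SID-lookup records (assumed format).
    Returns {source_ip: longest consecutive-RID run inside any `window` seconds}
    for every source whose run reaches min_run."""
    by_src = defaultdict(list)
    for ts, src, rid in events:
        by_src[src].append((ts, rid))
    flagged = {}
    for src, recs in by_src.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans <= `window` seconds.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            run = longest_run(rid for _, rid in recs[start:end + 1])
            if run >= min_run:
                flagged[src] = max(flagged.get(src, 0), run)
    return flagged

# Constructed sample data (documentation addresses, not real logs):
# one source walks the default 500-550 range, another does occasional lookups.
SAMPLE = (
    [(1000 + i * 0.1, "192.0.2.10", rid) for i, rid in enumerate(range(500, 551))]
    + [(1000, "192.0.2.20", 1104), (1030, "192.0.2.20", 513), (1500, "192.0.2.20", 1105)]
)

if __name__ == "__main__":
    for src, run in detect_rid_cycling(SAMPLE).items():
        print(f"{src}: {run} consecutive RIDs resolved within the window")
```

Tune `window` and `min_run` against the normal SID lookup volume in your environment before alerting on the result.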