Rappel :

Attention dans cet article l'outils est utilisé pour la recherche et l'apprentissage. Ce type d'outils ne doit pas être utilisé vers un serveur qui ne vous appartient pas, ceci peut être puni par la loi (voir les articles 323-XX).

Environnement de test :

Pour cela nous allons utiliser une VM tournant sur la distribution Kali. enum4linux est disponible par défaut sous Kali.

Utilisation

Options

 1 root@kali:~# enum4linux
 2 enum4linux v0.8.9 (http://labs.portcullis.co.uk/application/enum4linux/)
 3 Copyright (C) 2011 Mark Lowe (mrl@portcullis-security.com)
 4 
 5 Simple wrapper around the tools in the samba package to provide similar 
 6 functionality to enum.exe (formerly from www.bindview.com).  Some additional 
 7 features such as RID cycling have also been added for convenience.
 8 
 9 Usage: ./enum4linux.pl [options] ip
10 
11 Options are (like "enum"):
12     -U        get userlist
13     -M        get machine list*
14     -S        get sharelist
15     -P        get password policy information
16     -G        get group and member list
17     -d        be detailed, applies to -U and -S
18     -u user   specify username to use (default "")  
19     -p pass   specify password to use (default "")   
20 
21 The following options from enum.exe aren't implemented: -L, -N, -D, -f
22 
23 Additional options:
24     -a        Do all simple enumeration (-U -S -G -P -r -o -n -i).
25               This opion is enabled if you don't provide any other options.
26     -h        Display this help message and exit
27     -r        enumerate users via RID cycling
28     -R range  RID ranges to enumerate (default: 500-550,1000-1050, implies -r)
29     -K n      Keep searching RIDs until n consective RIDs don't correspond to
30               a username.  Impies RID range ends at 999999. Useful 
31        against DCs.
32     -l        Get some (limited) info via LDAP 389/TCP (for DCs only)
33     -s file   brute force guessing for share names
34     -k user   User(s) that exists on remote system (default: administrator,guest,krbtgt,domain admins,root,bin,none)
35               Used to get sid with "lookupsid known_username"
36            Use commas to try several users: "-k admin,user1,user2"
37     -o        Get OS information
38     -i        Get printer information
39     -w wrkg   Specify workgroup manually (usually found automatically)
40     -n        Do an nmblookup (similar to nbtstat)
41     -v        Verbose.  Shows full commands being run (net, rpcclient, etc.)
42 
43 RID cycling should extract a list of users from Windows (or Samba) hosts 
44 which have RestrictAnonymous set to 1 (Windows NT and 2000), or "Network 
45 access: Allow anonymous SID/Name translation" enabled (XP, 2003).
46 
47 NB: Samba servers often seem to have RIDs in the range 3000-3050.
48 
49 Dependancy info: You will need to have the samba package installed as this 
50 script is basically just a wrapper around rpcclient, net, nmblookup and 
51 smbclient.  Polenum from http://labs.portcullis.co.uk/application/polenum/ 
52 is required to get Password Policy info.

Enumération sans compte

 1 root@kali:~# enum4linux -U -o 192.168.5.100 
 2 WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.
 3 Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Mar 27 22:47:45 2016
 4 
 5  ========================== 
 6 |    Target Information    |
 7  ========================== 
 8 Target ........... 192.168.5.100
 9 RID Range ........ 500-550,1000-1050
10 Username ......... ''
11 Password ......... ''
12 Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
13 
14 
15  ===================================================== 
16 |    Enumerating Workgroup/Domain on 192.168.5.100    |
17  ===================================================== 
18 [+] Got domain/workgroup name: WORKGROUP
19 
20  ====================================== 
21 |    Session Check on 192.168.5.100    |
22  ====================================== 
23 [+] Server 192.168.5.100 allows sessions using username '', password ''
24 
25  ============================================ 
26 |    Getting domain SID for 192.168.5.100    |
27  ============================================ 
28 could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
29 could not obtain sid for domain WORKGROUP
30 error: NT_STATUS_ACCESS_DENIED
31 [+] Can't determine if host is part of domain or part of a workgroup
32 
33  ======================================= 
34 |    OS information on 192.168.5.100    |
35  ======================================= 
36 [+] Got OS info for 192.168.5.100 from smbclient: Domain=[WORKGROUP] OS=[Windows 7 Professional 7601 Service Pack 1] Server=[Windows 7 Professional 6.1]
37 [E] Can't get OS info with srvinfo: NT_STATUS_ACCESS_DENIED
38 
39  ============================== 
40 |    Users on 192.168.5.100    |
41  ============================== 
42 [E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
43 
44 [E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
45 enum4linux complete on Sun Mar 27 22:47:46 2016

On a juste récupérer l'OS : Windows 7 Professional 7601 Service Pack 1

Enumératon avec un compte

 1 root@kali:~# enum4linux -U -u admin -p password -o 192.168.5.100
 2 WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.
 3 Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Mar 27 22:50:00 2016
 4 
 5  ========================== 
 6 |    Target Information    |
 7  ========================== 
 8 Target ........... 192.168.5.100
 9 RID Range ........ 500-550,1000-1050
10 Username ......... 'admin'
11 Password ......... 'password'
12 Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
13 
14 
15  ===================================================== 
16 |    Enumerating Workgroup/Domain on 192.168.5.100    |
17  ===================================================== 
18 [+] Got domain/workgroup name: WORKGROUP
19 
20  ====================================== 
21 |    Session Check on 192.168.5.100    |
22  ====================================== 
23 [+] Server 192.168.5.100 allows sessions using username 'admin', password 'password'
24 
25  ============================================ 
26 |    Getting domain SID for 192.168.5.100    |
27  ============================================ 
28 Domain Name: WORKGROUP
29 Domain Sid: (NULL SID)
30 [+] Can't determine if host is part of domain or part of a workgroup
31 
32  ======================================= 
33 |    OS information on 192.168.5.100    |
34  ======================================= 
35 [+] Got OS info for 192.168.5.100 from smbclient: Domain=[DESKTOP] OS=[Windows 7 Professional 7601 Service Pack 1] Server=[Windows 7 Professional 6.1]
36 [+] Got OS info for 192.168.5.100 from srvinfo:
37  192.168.5.100  Wk Sv PrQ NT PtB LMB 
38  platform_id     : 500
39  os version      :  6.1
40  server type     :  0x51203
41 
42  ============================== 
43 |    Users on 192.168.5.100    |
44  ============================== 
45 index: 0x1 RID: 0x3e8 acb: 0x00000214 Account: admin  Name: (null)    Desc: (null)
46 index: 0x2 RID: 0x1f4 acb: 0x00000211 Account: Administrateur    Name: (null)    Desc: Compte dutilisateur dadministration
47 index: 0x3 RID: 0x3ea acb: 0x00000210 Account: HomeGroupUser$   Name: HomeGroupUser$    Desc: Compte intégré pour un accès Groupe résidentiel à lordinateur
48 index: 0x4 RID: 0x1f5 acb: 0x00000215 Account: Invité  Name: (null)    Desc: Compte dutilisateur invité
49 index: 0x5 RID: 0x3ee acb: 0x00000210 Account: System    Name: System Account Desc: Compte utilisé par System
50 index: 0x6 RID: 0x3eb acb: 0x00000210 Account: totouser   Name: totouser    Desc: (null)
51 index: 0x7 RID: 0x3ec acb: 0x00000210 Account: titiuser   Name: titiuser    Desc: (null)
52 
53 user:[admin] rid:[0x3e8]
54 user:[Administrateur] rid:[0x1f4]
55 user:[HomeGroupUser$] rid:[0x3ea]
56 user:[Invité] rid:[0x1f5]
57 user:[System] rid:[0x3ee]
58 user:[totouser] rid:[0x3eb]
59 user:[titiuser] rid:[0x3ec]
60 enum4linux complete on Sun Mar 27 22:50:01 2016

On arrive à énumérer les différents comptes de la machine.