What are the advantages of Enum4linux

2025-01-15 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

This article explains "what are the advantages of Enum4linux". The explanation is simple and clear, and easy to learn and understand.

Enum4linux-ng

Enum4linux-ng is the next generation of Enum4linux (a Windows/Samba enumeration tool) for security professionals and CTF players, with additional features such as JSON/YAML export.

The enum4linux-ng.py script in this project is a rewrite of Mark Lowe's enum4linux.pl. Mark Lowe was previously with Portcullis Labs and now works at Cisco CX Security Labs. enum4linux.pl is a tool for enumerating information from Windows and Samba systems, aimed mainly at security professionals and CTF players. It is essentially a wrapper around the Samba tools nmblookup, net, rpcclient and smbclient.

Enum4linux-ng was developed first for educational purposes and second to solve existing problems in enum4linux.pl. Compared with enum4linux.pl, Enum4linux-ng keeps the functionality of the original tool and adds a number of changes: it parses all the output of the Samba tools and allows all results to be exported to YAML or JSON files.

Features

Support for YAML and JSON output

Terminal output with rich colors

Includes native implementations of ldapsearch and polenum

Support for legacy SMBv1 connections

Automatic IPC signing support

"Smart" enumeration

Timeout support

Support for IPv6

Differences

Enum4linux-ng differs from the original Enum4linux in some respects. Here are the two most important differences:

RID cycling is not part of the default enumeration (-A), but it can be enabled with -R

The parameter names are significantly different; for example, the new version uses -A instead of -a

Installing dependencies

First, we need to install the tool's dependencies. The tool uses the following Samba client tools:

nmblookup

net

rpcclient

smbclient

Almost all Linux distributions package these tools; the package is generally called smbclient, samba-client, or something similar.

In addition, we need the following Python packages:

ldap3

PyYAML

impacket

Tool installation

Researchers can use the following commands to clone the source code of the project locally:

    $ git clone https://github.com/cddmp/enum4linux-ng && cd enum4linux-ng

Running the tool

    $ ./enum4linux-ng.py -As <target> -oY out

Tool usage

    ENUM4LINUX - next generation

    usage: enum4linux-ng.py [-h] [-A] [-As] [-U] [-G] [-Gm] [-S] [-C] [-P] [-O] [-L] [-I] [-R] [-N]
                            [-w WORKGROUP] [-u USER] [-p PW] [-d] [-k USERS] [-r RANGES]
                            [-s SHARES_FILE] [-t TIMEOUT] [-v]
                            [-oJ OUT_JSON_FILE | -oY OUT_YAML_FILE | -oA OUT_FILE]
                            host

    This tool is a rewrite of Mark Lowe's enum4linux.pl, a tool for enumerating information from
    Windows and Samba systems. It is mainly a wrapper around the Samba tools nmblookup, net,
    rpcclient and smbclient. Other than the original tool it allows to export enumeration results
    as YAML or JSON file, so that it can be further processed with other tools.

    The tool tries to do a 'smart' enumeration. It first checks whether SMB or LDAP is accessible
    on the target. Depending on the result of this check, it will dynamically skip checks (e.g.
    LDAP checks if LDAP is not running). If SMB is accessible, it will always check whether a
    session can be set up or not. If no session can be set up, the tool will stop enumeration.

    The enumeration process can be interupted with CTRL+C. If the options -oJ or -oY are provided,
    the tool will write out the current enumeration state to the JSON or YAML file, once it
    receives SIGINT triggered by CTRL+C.

    The tool was made for security professionals and CTF players. Illegal use is prohibited.

    positional arguments:
      host

    optional arguments:
      -h, --help         show this help message and exit
      -A                 Do all simple enumeration including nmblookup (-U -G -S -P -O -N -I -L).
                         This option is enabled if you don't provide any other option.
      -As                Do all simple short enumeration without NetBIOS names lookup
                         (-U -G -S -P -O -I -L)
      -U                 Get users via RPC
      -G                 Get groups via RPC
      -Gm                Get groups with group members via RPC
      -S                 Get shares via RPC
      -C                 Get services via RPC
      -P                 Get password policy information via RPC
      -O                 Get OS information via RPC
      -L                 Get additional domain info via LDAP/LDAPS (for DCs only)
      -I                 Get printer information via RPC
      -R                 Enumerate users via RID cycling
      -N                 Do an NetBIOS names lookup (similar to nbstat) and try to retrieve
                         workgroup from output
      -w WORKGROUP       Specify workgroup/domain manually (usually found automatically)
      -u USER            Specify username to use (default "")
      -p PW              Specify password to use (default "")
      -d                 Get detailed information for users and groups, applies to -U, -G and -R
      -k USERS           User(s) that exists on remote system (default:
                         administrator,guest,krbtgt,domain admins,root,bin,none). Used to get sid
                         with "lookupsid known_username"
      -r RANGES          RID ranges to enumerate (default: 500-550,1000-1050)
      -s SHARES_FILE     Brute force guessing for shares
      -t TIMEOUT         Sets connection timeout in seconds (default: 5s)
      -v                 Verbose, show full samba tools commands being run (net, rpcclient, etc.)
      --keep             Don't delete the Samba configuration file created during tool run after
                         enumeration (useful with -v)
      -oJ OUT_JSON_FILE  Writes output to JSON file (extension is added automatically)
      -oY OUT_YAML_FILE  Writes output to YAML file (extension is added automatically)
      -oA OUT_FILE       Writes output to YAML and JSON file (extensions are added automatically)

Tool demo sample

In the following example, we will test the tool against Windows Server 2012 R2, using the following command:

    enum4linux-ng.py 192.168.125.131 -u Tester -p 'Start123!' -oY out

A user named "Tester" with the password "Start123!" was created on the target, and the firewall was configured to allow access. Since no other options are specified, the tool assumes the -A option (which behaves like enum4linux's -a). The -oY option exports all enumerated data to a YAML file for subsequent processing. At the start, the tool automatically detects that LDAP is not running on the remote host. It therefore skips any further LDAP checks, which are usually part of the default enumeration.

In the second example, we will test against the Metasploitable2 host using the following command:

    enum4linux-ng.py 192.168.125.145 -A -C

This time we used the -A and -C options. The first option behaves similarly to enum4linux's -a option, and the second enables service enumeration. The tool automatically detects that SMBv1 must be used.
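The "smart" enumeration described in the usage text and seen in the first demo (check which of SMB and LDAP are reachable, skip the checks that depend on an unreachable service, stop if no SMB session can be set up) can be expressed as follows. This is an added example, not code from enum4linux-ng; the names probe, plan, DEFAULT_SERVICES and OPTION_NEEDS and the option-to-service mapping are assumptions made for illustration.

```python
import socket

# Labels are this example's own; the ports are the standard ones per service.
DEFAULT_SERVICES = {"LDAP": 389, "LDAPS": 636, "SMB": 445, "SMB over NetBIOS": 139}

# Service family each option depends on, read off the usage text: -L is
# LDAP/LDAPS, the "via RPC" options need SMB. -N (nmblookup) needs neither.
OPTION_NEEDS = {"-U": "smb", "-G": "smb", "-S": "smb", "-P": "smb",
                "-O": "smb", "-I": "smb", "-L": "ldap", "-N": None}


def probe(host, services=DEFAULT_SERVICES, timeout=5.0):
    """TCP-connect to each service port; return {label: reachable}."""
    reachable = {}
    for label, port in services.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                reachable[label] = True
        except OSError:  # refused, timed out, unreachable
            reachable[label] = False
    return reachable


def plan(requested, listeners, session_ok=True):
    """Return (run, skipped): options to run, and skipped options with a reason."""
    have = {"smb": listeners.get("SMB", False) or listeners.get("SMB over NetBIOS", False),
            "ldap": listeners.get("LDAP", False) or listeners.get("LDAPS", False)}
    # SMB reachable but no session can be set up: enumeration stops entirely.
    if have["smb"] and not session_ok:
        return [], {opt: "no SMB session" for opt in requested}
    run, skipped = [], {}
    for opt in requested:
        need = OPTION_NEEDS.get(opt)
        if need is None or have[need]:
            run.append(opt)
        else:
            skipped[opt] = need.upper() + " not reachable"
    return run, skipped


if __name__ == "__main__":
    # Constructed listener result resembling the first demo: SMB up, LDAP down.
    demo = {"LDAP": False, "LDAPS": False, "SMB": True, "SMB over NetBIOS": True}
    print(plan(["-U", "-G", "-S", "-P", "-O", "-N", "-I", "-L"], demo))
```
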
