In the realm of cybersecurity, “enumeration” refers to the process of extracting information or details about a target system or network. It involves systematically gathering data by probing the system for vulnerabilities, services, users, shares, or any other relevant information that could be exploited or used in an attack. Enumeration is often a critical phase in penetration testing or ethical hacking, where the goal is to identify potential entry points or weaknesses that could be exploited to gain unauthorized access.

Enumeration includes network resources, network shares, routing tables, audit settings, snmp, machine names, users and groups, applications and banners and more…

Enumeration Techniques

• Extract usernames using email ids.

• Extract information using default passwords

• Brute force Active Directory

• Extract information using DNS zone transfer

• Extract user groups from windows

• Extract usernames using snmp

Expanded list of common port numbers and their associated uses:

These ports cover a range of services used in networking, file sharing, remote access, mail transfer, and network management.

NetBIOS Enumeration

A NetBIOS name is a unique identifier for a device on a NetBIOS network. It’s a 16-character name that helps identify individual devices within a local area network (LAN). NetBIOS names are used for communication between devices, allowing them to recognize and communicate with each other using these names instead of IP addresses.

Nbtstat is a command line utility for windows netbios enumeration. Nbtstat –c is for listing nbtstat cache. This cache contains recently resolved ip addresses to their netbios names.

Netbios Emulator is a windows software for emulating netbios.

Other tools: Global network inventory, advanced ip scanner, hyena, nsauditor network security auditor and Netbios enumerator.

Global network inventory is a powerful software using which we can enumerate the whole system information remotely.

NETBIOS name resoulution is not supported by Microsoft for IPV6.

Nmap scripts for Netbios enumeration

nmap -sV -v --script nbstat.nse TargetIP

nmap -sU -p 137 --script nbstat.nse TargetIP

Other tools may also be used to perform NetBIOS enumeration on the target network such as Global Network Inventory, Advanced IP Scanner, Hyena, and Nsauditor Network Security Auditor.

Enumerating User accounts

PSTOOLS – psgetsid and psloggedon enumerates computer SIDs and user accounts.

Enumerating shared resources using Net View

Net view utility is used to get list of all shared resources of a remote host or workgroup. The net view command is used in Windows to display a list of available resources on a network. When you run net view in the Command Prompt or PowerShell, it retrieves and shows a list of computers or devices that are part of the same workgroup or domain as your local machine.

Here’s how you would use it:

Open Command Prompt or PowerShell and type:

1

net view

Press Enter, and it will display a list of computers or devices that are currently visible and accessible on the local network. However, note that the output might depend on the network configuration, permissions, and whether there are shared resources available within the network.

To view connections on remote machines, use net view command with the same name in the format: new view \\remoteComputerName.

In old windows OSes, there was a null user account with no password using which we can connect to IPC$ share on remote machines. In Windows, the IPC$ share represents the interprocess communication (IPC) resources available on a system. It’s a special network share used for communication between processes on different computers.

When you try to connect to the IPC$ share, a null session is often used. A null session means connecting without providing a username or password explicitly. This was more common in older Windows versions for certain types of access or enumeration.

However, due to security concerns related to null sessions allowing potential unauthorized access to system information, Windows systems have tightened security measures over time. In modern Windows versions, null sessions are largely restricted or disabled by default for security reasons.

Command to connect to IPC$ share: net use \\RemoteServerIP\ipc$ "" /u:"". Next you can use net view \\RemoteServerIP to view the shares on the remote machine.

Note that this is disabled in newer windows OSes.

SNMP

SNMP (Simple Network Management Protocol) is a standard protocol used to manage and monitor network devices like routers, switches, servers, printers, and more. It operates by collecting and organizing information about these devices, allowing administrators to manage their performance, identify issues, and troubleshoot problems.

How it Works

• Components: SNMP involves three main components: managed devices, agents, and network management systems (NMS). Managed devices (routers, etc.) contain agents, software that gathers data about the device and its status. NMS systems collect and analyze this data.
• GET and SET Operations: NMS systems communicate with agents on managed devices using GET (retrieve information) and SET (modify configuration) operations. They use specific variables called Object Identifiers (OIDs like 1.6.3.9.13.18.9 etc…) to reference and manipulate data.

SNMP Passwords

• Community Strings: SNMP uses “community strings” (essentially passwords) to authenticate access to devices. These strings act as both a username and password.

  • SNMP utilizes community strings for authentication purposes. These strings act as passwords, controlling access to network devices that support SNMP. The two commonly used default community strings are “public” and “private.”

    • Public: This is a default read-only community string in many SNMP-enabled devices. It allows access to SNMP data but doesn’t permit changes or modifications to the device configuration.

    • Private: Similar to “public,” “private” is another default community string, but it often grants read-write access. This means it allows not only viewing data but also modifying configurations on devices that support it.

• Versions: SNMP has different versions (v1, v2c, v3), each with varying levels of security for these community strings. v1 and v2c use clear text authentication, making them susceptible to security risks. v3 introduced stronger security measures, including encryption and user authentication.

Installation

If you’d like to test it in your environment, install snmp features in server manager. After installation is done, goto snmp service properties, under security, add “read only” community rights and create a community name as public. Next add “read-write” community rights and create community name as private. Next you can run nmap or snmpwalk commands from your parrot os.

Security Issues

• Weak Authentication: Versions prior to SNMPv3 transmit data, including community strings, in clear text, making them vulnerable to interception and unauthorized access.
• Lack of Encryption: Earlier versions lack encryption, exposing sensitive information to potential eavesdropping.
• Default Community Strings: Many devices come with default community strings, and if left unchanged, they pose a security risk as attackers can easily guess or find these defaults.

Ports Used

• SNMP typically uses UDP ports 161 (for SNMP messages) and 162 (for SNMP traps), though these can be configured differently.

Mitigation Measures

• SNMPv3: Upgrade to SNMPv3, which offers encryption, authentication, and access control features.
• Strong Community Strings: Use complex, non-default community strings to enhance security.
• Firewall Configuration: Restrict SNMP access to trusted IP addresses through firewall rules.
• Regular Updates: Keep devices updated with the latest firmware to patch known vulnerabilities.

There are several tools available for conducting SNMP scans and analysis. Here are a few commonly used ones:

1.Nmap

• Description: Nmap is a versatile network scanning tool that can perform SNMP scans among various other network reconnaissance tasks.
• Usage: nmap -sU -p 161 <target> Or using a script, nmap -p 161 -sU --script=snmp-sysdescr TargetIP.
• Features: Supports SNMP enumeration and can detect SNMP services running on specific ports.

Within nmap, we can also use:

• snmp-processes script to get the list of all running processes on the remote machine.
• snmp-win32-software script to get list of all installed softwares on the remote machine.
• snmp-interfaces script to get list of all interfaces
• snmp-sysdescr script to get system details.
• -sC parameter in nmap will run all the snmp scripts on the target. nmap -sU -p 161 -sC targetIP

2. SNMPWalk and SNMPGet (Net-SNMP)

• Description: Part of the Net-SNMP suite, these command-line tools are used to query SNMP-enabled devices for specific information.
• Usage: snmpwalk -v [version] -c [community] [target] Version could be 1 or 2c or 3. This is used to mention specific SNMP version to use. Ex: snmpwalk -v1 -c public targetip or snmpwalk -v2c -c public targetip
• Features: Allows retrieval of SNMP MIB (Management Information Base) data from devices.

3. SNMP Scanner (SolarWinds, Paessler)

• Description: Dedicated SNMP scanners provide user-friendly interfaces for scanning and managing SNMP-enabled devices.
• Features: Graphical user interface (GUI), MIB browsing, and the ability to perform bulk operations.

4. SoftPerfect Network Scanner

• SoftPerfect Network scanner is another tool for retrieving system information using SNMP.

5. SNMP-Check

• We have snmp-check (or snmpcheck) software for linux to enumerate snmp on remote machines. Syntax: snmp-check TargetIP. Before using this tool, first scan the target using nmap to make sure that snmp is enabled: nmap -sU -v TargetIP -p 161

snmp-check Targetip (or snmpcheck targetip) - It gives all information about the system. Once snmp is open, it runs open ports, services, storage, file system, device information etc from within the system.

We can also enumerate SNMP using metasploit and there are customized python scripts to enumerate SNMP.

You can also use other SNMP enumeration tools such as Network Performance Monitor, OpUtils, PRTG Network Monitor, and Engineer’s Toolset to perform SNMP enumeration on the target network.

LDAP Enumeration

LDAP (Lightweight Directory Access Protocol) is an Internet protocol for accessing distributed directory services over a network. LDAP uses DNS (Domain Name System) for quick lookups and fast resolution of queries. A client starts an LDAP session by connecting to a DSA (Directory System Agent), typically on TCP port 389, and sends an operation request to the DSA, which then responds. BER (Basic Encoding Rules) is used to transmit information between the client and the server. One can anonymously query the LDAP service for sensitive information such as usernames, addresses, departmental details, and server names.

Softwares

• One of the freeware software used for checking AD is AD explorer from sysinternals.

• We also have nmap scripts for enumerating LDAP: First verify if port is open by running nmap -sU -p 389 TargetIP and then run, nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=CEH,dc=com"' TargetIP for LDAP enumeration.

  • -p: specifies the port to be scanned, ldap-brute: to perform brute-force LDAP authentication. ldap.base: if set, the script will use it as a base for the password guessing attempts.    

• We can also enumerate LDAP using plain python scripts without using any softwares like nmap.

• You can also use other LDAP enumeration tools such as Softerra LDAP Administrator, LDAP Admin Tool, LDAP Account Manager, and LDAP Search to perform LDAP enumeration on the target.

Ldap Search Linux tool

ldapsearch -h TargetIP -x -s base namingcontexts - retrieves AD naming contexts from active directory. -x: specifies simple authentication, -h: specifies the host, and -s: specifies the scope. ldapsearch -h [Target IP Address] -x -b “DC=domain,DC=com” - to obtain more information about the primary domain. -x: specifies simple authentication, -h: specifies the host, and -b: specifies the base DN for search.

NTP Enumeration

NTP (Network Time Protocol) enumeration involves gathering information about NTP servers, their configurations, and potentially identifying vulnerabilities or weaknesses in the NTP implementation. This process helps in understanding how NTP is configured within a network and can aid in security assessments and troubleshooting. It uses UDP 123 port for communication with other servers.

Techniques for NTP Enumeration:

1. NTP Queries (ntpq): The ntpq command-line tool can be used to query and interact with NTP servers. Some common commands include:

   • ntpq -p: Displays a list of the NTP servers the client is connected to, along with their synchronization status.
   • ntpq -c rv: Provides runtime variables and statistics for the NTP daemon.
   • ntpq -c peers: Shows a list of peers the NTP server is synchronized with.

2. Nmap NTP Scans:

   • nmap -sU -p 123 --script=ntp-info <target>: Conducts an Nmap script scan to gather information about NTP servers running on port 123 (the default NTP port).
   • nmap -sU -p 123 --script=ntp-monlist <target>: Specifically targets the NTP MONLIST command, which, if vulnerable, can be exploited for amplification attacks.

3. Other tools:

   • ntptrace, ntpdc, ntpq are some of the tools for NTP.

Information Gathered via NTP Enumeration

1. NTP Server Information:

   • Server IP addresses
   • Server version and software information
   • Server’s stratum level (hierarchical level indicating its distance from a reference clock)
   • Peer synchronization status

2. Vulnerability Assessment:

   • Identification of vulnerable NTP server configurations, such as allowing queries from unauthenticated or unauthorized sources.
   • Detection of NTP servers susceptible to amplification attacks, especially if the MONLIST command is available and improperly configured.

Security Concerns and Mitigation Measures:

1. Amplification Attacks: Misconfigured NTP servers that respond to MONLIST queries from any source can be used for amplification attacks. Mitigation involves:

   • Disabling the MONLIST command or limiting its usage to authorized IPs only.
   • Implementing access control lists (ACLs) to restrict NTP queries to trusted sources.

2. Version and Software Information Exposure: Disclosing detailed version information about the NTP server might aid attackers in exploiting known vulnerabilities. Mitigation involves:

   • Limiting the exposure of version information in responses to queries.
   • Keeping NTP servers updated with the latest security patches and versions.

NFS Enumeration

NFS (Network File System) enumeration involves gathering information about NFS shares, their configurations, permissions, and potential vulnerabilities within a network. This process helps in understanding the NFS setup and assists in security assessments, access control, and troubleshooting. Uses 2049 port for communication.

Techniques for NFS Enumeration

1. Showmount Command:

   • showmount -e <target>: Lists the NFS shares exported by the specified NFS server. It displays the directories and their associated permissions that remote clients can mount.

2. Nmap NFS Scans:

   • Verify if NFS port is open: nmap -p 2049 TargetIP. Next run nmap -p 111 --script=nfs-ls,nfs-showmount <target>: Conducts an Nmap script scan to enumerate NFS shares and retrieve information about the exported file systems.

3. Manual Mount Attempts:

   • Attempting to manually mount NFS shares using the mount command can provide insight into accessible directories and permissions if the server allows anonymous or authorized access.

4. Other tools: rpc-scan.py and superenum are some of the tools for NFS enumeration.

   For superenum update all your target servers names/ips into a text file and run superenum in your linux machine. When prompted enter the name of the text file. It will scan the machine for NFS and other services. It takes min 15-20 min to complete the scan.

   For rpc-scan run the command, python3 rpc-scan.py TargetIP --rpc to list all rpc services on the target.

Information Gathered via NFS Enumeration

1. Exported Shares Information:

   • Shared directories and their paths.
   • Permissions (read, write, execute) for each exported share.
   • Allowed client IP addresses or network ranges that can access these shares.

2. User and Group Mapping:

   • Information about how users and groups are mapped between NFS servers and clients.
   • Access control settings for users/groups on NFS shares.

3. NFS Version and Configuration:

   • NFS server version and configuration details.
   • Security settings, such as authentication mechanisms and allowed protocols.

Security Concerns and Mitigation Measures

1. Insecure Configurations: Misconfigured NFS shares might expose sensitive data or allow unauthorized access. Mitigation involves:

   • Restricting access to NFS shares using proper access control lists (ACLs) and only allowing access to authorized clients.
   • Implementing strong authentication mechanisms like Kerberos for secure NFS access.

2. Sensitive Data Exposure: Unintended exposure of sensitive information through NFS shares could lead to data leaks. Mitigation includes:

   • Regularly auditing and reviewing NFS configurations and permissions to ensure that only necessary data is shared.
   • Encrypting NFS traffic to prevent eavesdropping on data transfers.

SMTP Enumeration

SMTP enumeration is a technique used to gather information about an SMTP (Simple Mail Transfer Protocol) server. It involves probing the server to collect details like valid user accounts, email addresses, and system configurations. This information can be utilized for various purposes, including reconnaissance for potential attacks or to verify the existence of certain accounts. Uses port 25.

Some common methods and commands used in SMTP enumeration include:

1. Manual Telnet Commands: Telnet can be used to connect to the SMTP server and manually interact with it using specific commands. For instance:

   • Connecting to the server: telnet mail.example.com 25
   • Once connected, typical SMTP commands can be used (HELO, EHLO, MAIL FROM, RCPT TO, etc.) to gather information about the server and its users.

2. VRFY Command: As mentioned earlier, VRFY is an SMTP command that asks the server to verify whether a particular username or email address exists on the system. For example:

   1	VRFY username

3. EXPN Command: The EXPN command requests the server to reveal the actual email address belonging to an alias or mailing list. For example:

   1	EXPN listname

4. RCPT TO Command: As part of the email sending process, the RCPT TO command specifies the recipient. During enumeration, it can be used to check the validity of an email address. For example:

   1	RCPT TO: <email_address>

5. Dictionary Attacks: Enumerators might use a dictionary of common usernames or email addresses and cycle through them with VRFY or RCPT TO commands to identify valid accounts.

Nmap Scripts

nmap -p 25 --script=smtp-enum-users TargetIP

nmap -p 25 --script=smtp-open-relay TargetIP

nmap -p 25 --script=smtp-commands TargetIP

DNS Enumeration Using Zone Transfer

DNS enumeration involves gathering information about a domain’s DNS records, such as hostnames, IP addresses, mail servers, and more. One technique used for DNS enumeration is called “zone transfer.”

Zone transfer is a DNS query method used to replicate DNS databases (zones) across multiple DNS servers. It allows a secondary DNS server to update its information from a primary DNS server. However, misconfigured DNS servers might allow unauthorized zone transfers, providing a potential attacker with a wealth of information.

Here’s how zone transfer works:

1. Identifying Authoritative Name Servers: Determine the authoritative name servers for the target domain (usually listed in the domain’s WHOIS record or using DNS lookup tools).

2. Performing Zone Transfer: Use tools like nslookup or dig to attempt a zone transfer against these authoritative name servers. For example:

   • Using nslookup: open command prompt and type nslookup. In the nslookup prompt enter set querytype=soa. Next enter a domain name and hit enter. This will list the primary name server. Next run the command, ls -d PrimaryNameServerName

     1 2 3 4 5

     nslookup set querytype=soa (Run this command in nslookup interactive mode) google.com (After it shows the results, enter any domain name. For ex: google.com) ls-d "primary name server from above command" (from above command use the primary name server in `ls -d` command) ls -d ns1.google.com

   • Using dig:

     1 2 3 4

     # Run `dig ns DomainName` command first. Ex: dig ns google.com # This will return the name server for that website. Next run below command replacing the authoritative_ns with the name server you received from above command. dig axfr @authoritative_ns domain_name Ex: dig axfr ns1.google.com google.com

3. Dnsrecon

   dnsrecon -d www.domain.com -z - used to enumerate dns zones

   You can also use other DNSSEC zone enumerators such as LDNS, nsec3map, nsec3walker, and DNSwalk to perform DNS enumeration on the target domain.

4. DNS enumeration using nmap

   nmap --script=broadcast-dns-service-discovery TargetDomain - Results show all the dns services on target along with open ports

   nmap -T4 -p 53 --script dns-brute TargetDomain - lists all subdomains associated with target host.

   nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='TargetDomain'" - lists all common service records for given domain name.

If the DNS server is misconfigured and allows zone transfers to unauthorized parties, this command may return a list of DNS records (known as the zone file) for that domain. This information can be quite valuable for attackers to understand the network infrastructure and potentially identify points of vulnerability.

However, most properly configured DNS servers don’t allow zone transfers to arbitrary requesters. System administrators typically secure their DNS servers by allowing zone transfers only to authorized secondary servers.

DNS Cache Snooping

DNS cache spoofing, also known as DNS cache poisoning, is a malicious attack that manipulates the DNS (Domain Name System) cache of a DNS server to redirect traffic from legitimate websites to fraudulent ones. It’s a type of DNS spoofing where false information is inserted into the DNS cache.

Here’s how DNS cache spoofing typically works:

1. Vulnerability Identification: An attacker looks for DNS servers that are vulnerable to cache poisoning. This vulnerability might arise due to poorly configured or outdated DNS software.

2. Injection of False Data: The attacker sends forged DNS requests to the vulnerable DNS server, aiming to insert incorrect mappings into the server’s cache. For instance, they might attempt to associate a legitimate domain name with a malicious IP address.

3. Exploiting Trust: Once the false information is cached, any user or system querying that DNS server for the affected domain will be directed to the IP address specified by the attacker.

4. Redirecting Traffic: Users attempting to access a legitimate website might be redirected to a malicious site controlled by the attacker. This could lead to various threats like phishing attacks, malware distribution, or interception of sensitive data.

To prevent DNS cache spoofing, several countermeasures are commonly employed:

• DNSSEC (Domain Name System Security Extensions): DNSSEC provides a way to digitally sign DNS records, ensuring data integrity and authentication. It helps prevent cache poisoning attacks by validating the authenticity of DNS responses.

• Source Port Randomization: Randomizing the source port of DNS queries makes it harder for attackers to predict and spoof responses.

• Implementing Proper Firewall Rules: Restricting access to DNS servers and allowing DNS queries only from trusted sources can mitigate the risk of cache poisoning.

• Regular Security Updates and Patches: Keeping DNS software and systems updated helps in fixing vulnerabilities that attackers might exploit.

DNS cache spoofing is a serious threat that can lead to significant security breaches. Therefore, it’s crucial for organizations to implement security best practices and regularly monitor and update their DNS configurations to prevent such attacks.

Dig tool can be used for dns cache snooping.

DNSSEC Zone Walking

DNSSEC (Domain Name System Security Extensions) is a set of extensions to the DNS protocol that helps protect against domain name spoofing and other types of DNS attacks. It does this by adding digital signatures to DNS data, which allows users to verify the authenticity of the data and ensure that it has not been tampered with or altered during transmission.

In short, DNSSEC:

• Adds digital signatures to DNS data
• Verifies the authenticity of DNS data
• Prevents DNS spoofing and other types of attacks
• Provides a way to ensure the integrity of DNS data

This helps to ensure that users can trust the information they receive from the DNS, and that they are not being directed to malicious or fraudulent websites.

One of the threats DNSSEC addresses is zone walking, which was a vulnerability in traditional DNS systems that allowed an attacker to enumerate all the records within a DNS zone.

Zone walking involves traversing a DNS zone to extract information about all the records it contains, essentially listing all the domain names within a zone. This information could potentially be exploited by attackers for reconnaissance or other malicious purposes.

Using the tool dnsrecon we can enumerate dns details for a website. Syntax: dnsrecon.py -d www.google.com -z

DNSSEC introduces cryptographic signing of DNS data, preventing zone walking and enhancing security by:

1. Signing Zone Data: DNSSEC digitally signs the DNS records within a zone using cryptographic keys. This signing ensures data integrity and authenticity.

2. Authentication of Responses: When a DNS resolver requests information from a DNSSEC-enabled zone, the response includes cryptographic signatures. The resolver can validate these signatures using the zone’s public keys, ensuring the authenticity of the received data.

3. Non-existence of Signed Data: With DNSSEC, if a DNS record doesn’t exist for a particular query, it’s signed as non-existent, preventing an attacker from using zone walking to enumerate all possible domain names within a zone.

By signing both the existence and non-existence of records, DNSSEC mitigates the risks associated with traditional DNS zone walking attacks. It protects the DNS infrastructure from unauthorized enumeration and manipulation of DNS records.

However, it’s essential to note that DNSSEC deployment requires careful management of keys, proper configuration, and support from both DNS servers and clients. Additionally, while DNSSEC addresses certain security concerns, it doesn’t solve all DNS-related vulnerabilities, and it’s crucial to continue implementing best practices for overall DNS security.

DNS Enumeration Using Nmap

Nmap has a script called broadcast-dns-service-discovery using which we can enumerate DNS records details. Usage:

nmap --script=broadcast-dns-service-discovery google.com

Other nmap scripts:

nmap -T4 -p 53 --script dns-brute TargetIP

nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='[TargetDomain]'"

Perform Enumeration using Various Enumeration Tools

Global Network Inventory

GUI windows tool which collects complete information about remote servers and shows in a single scan result.

Global Network Inventory is a powerful and flexible software and hardware inventory system. It can be used as an audit scanner in agent-free and zero deployment environments. If used as an audit scanner, it only requires full administrator rights to the remote computers you wish to scan.

One such software Global Network Inventory – Magneto Software.

Advanced IP Scanner

Advanced IP Scanner - Download Free Network Scanner is a free, reliable, and easy-to-use network scanner. It’s designed to scan your local network for connected systems and services³. Here are some key features.

• Scan a network in seconds: It can quickly detect all network computers and obtain access to them.
• Easy access to network shares: It provides access to shared folders.
• Remote control via RDP and Radmin: It offers remote control of computers.
• MAC addresses detection: It can detect MAC addresses.
• Switching on/off computers remotely: You can turn a remote PC on and off with a single click.
• Export scan results to CSV: It allows you to export scan results.
• No installation required: It runs as a portable edition.

It’s compatible with Windows 11, 10, 8, 7. The software comes integrated with Radmin and is designed to find both wired and wireless devices. It’s trusted by 60 million users. You can download it for free.

Enum4linux

Enum4linux is a tool for enumerating information from Windows and Samba systems. It is used for share enumeration, password policy retrieval, identification of remote OSes, detecting if hosts are in a workgroup or a domain, user listing on hosts, listing group membership information, etc.

Syntax: enum4linux -u UserName -p Password -n TargetIP -u is for username, and -p is for password and -n is for nmblookup (similar to nbtstat)

enum4linux -u UserName -p Password -U TargetIP - Retrieving userlist on remote machine. Enum4linux starts enumerating and displays data such as Target Information, Workgroup/Domain, domain SID (security identifier), and the list of users, along with their respective RIDs (relative identifier)

enum4linux -u UserName -p Password -o TargetIP -O is for retrieving OS information.

enum4linux -u UserName -p Password -P TargetIP -P is retrieves password policy information.

enum4linux -u UserName -p Password -G TargetIP -G retrieves groups and members list.

enum4linux -u UserName -p Password -S TargetIP -S retrieves shares list.

As -u and -p are already used for username and password, you should use capital letters when you use password policy and userlist.

SMB and RPC Enumeration

Using NetScan Tools Pro: In netscan tools pro software, under manual tools option, we have options for SMB Scanner and *nix RPC Info. Using these two options we can view RPC and shares information on remote machines.

We can also perform smb and rpc enumeration using Nmap.

nmap -T4 -A TargetIP In this command, -T4: specifies the timing template (the number can be 0-5) and -A: specifies aggressive scan. The aggressive scan option supports OS detection (-O), version scanning (-sV), script scanning (-sC), and traceroute (–traceroute).

If the remote machine is windows, you will see nfs and 2049 as open in the output.

nmap -p 445 -A TargetIP and nmap -p 21 -A TargetIP

Along with the above mentioned enumerations we also have IPSec Enumeration, VOIP Enumeration, RPC Enumeration, Telnet and SMB Enumeration Tools.