enum4linux-ng Cheat Sheet
Modern SMB/LDAP/RPC enumerator for Windows and Samba hosts—users, groups, shares, and policies.
Overview
enum4linux-ng is a rewrite of enum4linux that enumerates Windows/Samba services: users, groups, password policies, shares, and OS information via SMB, LDAP, and RPC. Standard on internal assessments when port 445/139 is open.
Authorized testing only. Null-session and LDAP anonymous binds may be disabled; failed auth can lock accounts if password guessing is added—stay within RoE.
Install
    sudo apt install -y enum4linux-ng
or
    pip install enum4linux-ng
    enum4linux-ng --version
Essential commands
Full auto enumeration
    enum4linux-ng 10.10.10.5
JSON output
    enum4linux-ng 10.10.10.5 -oJ out.json
Authenticated
    enum4linux-ng 10.10.10.5 -u 'DOMAIN\user' -p 'Password123' -A
Common workflows
Quick SMB share and user list:
    enum4linux-ng 10.10.10.5 -S -U
LDAP / domain context:
    enum4linux-ng dc01.corp.local -u 'corp\user' -p 'pass' -L
Policy and RID brute (when allowed):
    enum4linux-ng 10.10.10.5 -P -R
Export for reporting:
    enum4linux-ng 10.10.10.5 -oA enum_report
Flags reference
| Flag | Description |
|---|---|
| -A | All simple enumeration |
| -U | Users via SAM/LDAP |
| -G | Groups |
| -S | Shares |
| -P | Password policy |
| -L | LDAP |
| -R | RID cycling |
| -u / -p | Username / password |
| -oJ / -oY | JSON / YAML output |
| -oA | All output formats basename |
| -w | Wordlist for user enumeration |
| -t | Timeout |
Tips
- Prefer it over legacy enum4linux for maintained parsers and cleaner output.
- Pair with nmap --script smb-*, crackmapexec, and ldapsearch.
- Document whether null session or guest access was possible—material for reports.
- Use credentials from spray (only if RoE permits) with -u/-p for deeper LDAP enumeration.
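
To turn the `-oJ out.json` export into the report material the tips call for, the following added example (not part of the original cheat sheet or the enum4linux-ng project) derives hardening findings from a parsed report. The JSON key names, the embedded sample, and the `min_len` threshold are assumptions; compare them with a real report from your version.

```python
import json

# Constructed sample shaped like an `-oJ` report. The key names used here
# ("sessions", "policy", "shares") are assumptions; check them against a
# real out.json from your enum4linux-ng version before relying on this.
SAMPLE = json.loads("""
{
  "target": {"host": "10.10.10.5"},
  "sessions": {"null": true, "random_user": false},
  "policy": {
    "domain_password_information": {"min_pw_length": 7},
    "domain_lockout_information": {"lockout_threshold": "None"}
  },
  "shares": {
    "IPC$": {"type": "IPC", "access": {"mapping": "ok", "listing": "not supported"}},
    "Public": {"type": "Disk", "access": {"mapping": "ok", "listing": "ok"}},
    "ADMIN$": {"type": "Disk", "access": {"mapping": "denied", "listing": "n/a"}}
  }
}
""")

def findings(report, min_len=12):
    """Return report-ready hardening findings; missing sections yield nothing."""
    out = []
    sessions = report.get("sessions") or {}
    if sessions.get("null"):
        out.append("Null session accepted: restrict anonymous SMB/RPC access")
    if sessions.get("random_user"):
        out.append("Session with a random username accepted (guest mapping likely)")
    policy = report.get("policy") or {}
    pw = policy.get("domain_password_information") or {}
    length = pw.get("min_pw_length")
    if isinstance(length, int) and length < min_len:
        out.append(f"Minimum password length {length} is below {min_len}")
    lock = policy.get("domain_lockout_information")
    if lock is not None and lock.get("lockout_threshold") in (None, 0, "None"):
        out.append("No account lockout threshold configured")
    for name, info in sorted((report.get("shares") or {}).items()):
        info = info or {}
        listing = str((info.get("access") or {}).get("listing", "")).lower()
        if info.get("type") == "Disk" and listing == "ok":
            out.append(f"Share {name} is listable with the tested credentials")
    return out

if __name__ == "__main__":
    for line in findings(SAMPLE):
        print("-", line)
```

For a real run, replace `SAMPLE` with `json.load(open("out.json"))` and record which credentials (null, guest, or named user) produced the report.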