
enum4linux-ng's Issues

Could not get domain information via 'lsaquery': timed out

Hi, I have an issue when I use this tool for a test on TryHackMe "Basic Pentesting".

run:
python3 enum4linux-ng.py -R IpAddress
the output:

====================================
|    Domain Information via RPC for IpAddress    |
====================================
[-] Could not get domain information via 'lsaquery': timed out
Traceback (most recent call last):
  File "/myhome/enum4linux-ng.py", line 2708, in <module>
    main()
  File "/myhome/enum4linux-ng.py", line 2693, in main
    enum.run()
  File "/myhome/enum4linux-ng.py", line 2183, in run
    self.run_modules(modules)
  File "/myhome/enum4linux-ng.py", line 2314, in run_modules
    self.cycle_params.set_enumerated_input(self.output.as_dict())
  File "/myhome/enum4linux-ng.py", line 1498, in set_enumerated_input
    if "domain_sid" in enum_input and "NULL SID" not in enum_input["domain_sid"]:
TypeError: argument of type 'NoneType' is not iterable

Tag a release

The setup.py file says that's version 1.0.0. Could you please tag a release?

This would allow one to download the source as a tarball from GitHub. For the packaging I can work with a commit, but it's preferred to work with an actual release.

Thanks

docker command issues

docker run -t enum4linux-ng -As <IP> gives no output. I suspect it just runs the command inside the container, outputs it there and stops the container when done.

So I tried docker run -it enum4linux-ng -As IP which works correctly but expectedly doesn't work with -oY, -oA, etc.

Are these issues known? Is there any workaround to get yaml output via docker run command?

Could not parse result of smbclient command

I got the following error when enumerating shares:

[*] Testing share IPC$
[V] Attempting to map share //192.168.122.209/IPC$, running command: smbclient -t 5 -W WORKGROUP -U user%password '//192.168.122.209/IPC$' -c dir -s /tmp/tmphs0m27w2
[-] Could not parse result of smbclient command, please open a GitHub issue

Since it tells me to open an issue, here I am...

I guess the output that could not be parsed is of interest. So I ran the smbclient command manually:

> smbclient -t 5 -W WORKGROUP -U user%password '//192.168.122.209/IPC$' -c dir -s /tmp/tmphs0m27w2
NT_STATUS_NO_SUCH_FILE listing \*

Multiple exceptions in LDAP

Hi.

That's what I get running on Archlinux. All requirements installed. Running python 3.8.2-2

[root@Archlinux enum4linux-ng]# python enum4linux-ng.py 127.0.0.1
ENUM4LINUX-NG

==========================
| Target Information |

[*] Target ........... 127.0.0.1
[*] Username ......... ''
[*] Random Username .. 'pfrqocuh'
[*] Password ......... ''
[*] RID Range(s) ..... 500-550,1000-1050
[*] Known Usernames .. 'administrator,guest,krbtgt,domain admins,root,bin,none'

==================================================
| Getting information via LDAP for 127.0.0.1 |

[*] Trying LDAP
Traceback (most recent call last):
  File "enum4linux-ng.py", line 435, in get_namingcontexts
    ldap_con = Connection(server, auto_bind=True)
  File "/usr/lib/python3.8/site-packages/ldap3/core/connection.py", line 355, in __init__
    self.do_auto_bind()
  File "/usr/lib/python3.8/site-packages/ldap3/core/connection.py", line 370, in do_auto_bind
    self.open(read_server_info=False)
  File "/usr/lib/python3.8/site-packages/ldap3/strategy/sync.py", line 56, in open
    BaseStrategy.open(self, reset_usage, read_server_info)
  File "/usr/lib/python3.8/site-packages/ldap3/strategy/base.py", line 139, in open
    raise exception_history[0][0]
ldap3.core.exceptions.LDAPSocketOpenError: socket connection error while opening: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "enum4linux-ng.py", line 1885, in <module>
    main()
  File "enum4linux-ng.py", line 1817, in main
    result = run_module_ldapsearch(target)
  File "enum4linux-ng.py", line 1275, in run_module_ldapsearch
    namingcontexts = get_namingcontexts(target)
  File "enum4linux-ng.py", line 438, in get_namingcontexts
    error = str(e.args[1][0][0])
IndexError: tuple index out of range

Samba server version

Great tool.

Some samba servers return their software version just upon connection. I made a standalone script that gets just that. Would it be possible to integrate it in enum4linux-ng?

import sys
from impacket import smb

# Open a NetBIOS session (port 139) to the target given on the command line
# and perform an anonymous (null) login.
s = smb.SMB('*SMBSERVER', sys.argv[1], sess_port=139)
s.login('', '')

# Samba puts its version into the native LAN manager string returned during
# session setup; impacket keeps it in a private attribute of the SMB object.
print("Server version:", s._SMB__server_lanman)

Returns (example):

Server version: Samba 2.2.7a

Cheers.

Show status of SMB signing

Another interesting property enum4linux-ng could show is the status of SMB signing. Whether it is enabled/disabled and optional/required.

This is good to know because without required SMB signing, NTLM relaying attacks could be possible.

Nmap contains a script that can check that: smb2-security-mode.nse
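Added example (not code from this issue or from enum4linux-ng): the signing status that smb2-security-mode.nse reports comes from the SecurityMode field of the SMB2 NEGOTIATE response. The decoder below follows the field layout in MS-SMB2 (64-byte header, then StructureSize, SecurityMode and DialectRevision). The response bytes it parses are constructed by build_negotiate_response() for the demonstration, not captured from a real host.

```python
"""Decode SMB signing status from a raw SMB2 NEGOTIATE response.

Added example, not part of enum4linux-ng. Layout per MS-SMB2 2.2.1 / 2.2.4.
"""
import struct

SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x01
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x02

DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}


def parse_security_mode(resp: bytes) -> dict:
    """Return signing flags from a NEGOTIATE response that includes the SMB2 header."""
    if len(resp) < SMB2_HEADER_LEN + 6:
        raise ValueError("response too short for an SMB2 NEGOTIATE response")
    if resp[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    command = struct.unpack_from("<H", resp, 12)[0]  # Command sits at header offset 12
    if command != SMB2_NEGOTIATE:
        raise ValueError(f"not a NEGOTIATE response (command={command:#x})")
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", resp, SMB2_HEADER_LEN)
    if struct_size != 65:
        raise ValueError(f"unexpected NEGOTIATE response StructureSize {struct_size}")
    required = bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)
    return {
        "dialect": DIALECTS.get(dialect, f"{dialect:#06x}"),
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": required,
        # Only 'required' stops a captured NTLM authentication from being relayed here.
        "relay_possible": not required,
    }


def summarize(info: dict) -> str:
    """One-line wording in the style of the nmap script output."""
    if not info["signing_enabled"] and not info["signing_required"]:
        return "SMB signing disabled"
    return "SMB signing enabled and " + ("required" if info["signing_required"] else "optional (not required)")


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed sample data: a minimal NEGOTIATE response with the given SecurityMode."""
    header = b"\xfeSMB" + struct.pack(
        "<HHIHHIIQIIQ16s",
        64,              # StructureSize
        0,               # CreditCharge
        0,               # Status = STATUS_SUCCESS
        SMB2_NEGOTIATE,  # Command
        1,               # CreditResponse
        0x00000001,      # Flags: SMB2_FLAGS_SERVER_TO_REDIR
        0,               # NextCommand
        0,               # MessageId
        0,               # Reserved
        0,               # TreeId
        0,               # SessionId
        b"\x00" * 16,    # Signature
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65,                            # StructureSize (always 65)
        security_mode,                 # SecurityMode
        dialect,                       # DialectRevision
        0,                             # NegotiateContextCount / Reserved
        b"\x00" * 16,                  # ServerGuid
        0,                             # Capabilities
        0x800000, 0x800000, 0x800000,  # MaxTransactSize, MaxReadSize, MaxWriteSize
        0, 0,                          # SystemTime, ServerStartTime
        128, 0,                        # SecurityBufferOffset, SecurityBufferLength
        0,                             # NegotiateContextOffset
    ) + b"\x00"                        # Buffer
    return header + body


if __name__ == "__main__":
    for mode in (0x00, 0x01, 0x03):
        print(f"SecurityMode {mode:#04x}: {summarize(parse_security_mode(build_negotiate_response(mode)))}")
```

Against a live host the same function would be fed the bytes returned for an SMB2 NEGOTIATE request; a result with signing_required False is the condition under which NTLM relaying to that host is feasible.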

Error - Server doesn't allow session using username '', password ''

I'm using this on Metasploitable 2 but I'm still getting the following errors:

Session Check on 192.1x.x.x |

[*] Check for null session
[-] Server doesn't allow session using username '', password ''
[*] Check for random user session
[-] Server doesn't allow session using username 'sqjtyjhk', password ''
[-] Sessions failed. Aborting remainder of tests.

Crash when using PyYAML < 5.1 (was: Crashes on "Netbios names and workgroups", when target is not domain-joined)

Trying to enumerate the "Relevant" machine on TryHackMe results in the following crash:

 ====================================================
|    NetBIOS Names and Workgroup for 10.10.114.91    |
 ====================================================
[+] Got domain/workgroup name: WORKGROUP
Traceback (most recent call last):
  File "enum4linux-ng.py", line 2998, in <module>
    main()
  File "enum4linux-ng.py", line 2983, in main
    enum.run()
  File "enum4linux-ng.py", line 2441, in run
    self.run_modules(modules)
  File "enum4linux-ng.py", line 2511, in run_modules
    result = EnumNetbios(self.target).run()
  File "enum4linux-ng.py", line 586, in run
    result = self.nmblookup_to_human(nmblookup.retval)
  File "enum4linux-ng.py", line 651, in nmblookup_to_human
    return Result(output, f"Full NetBIOS names information:\n{yamlize(output)}")
  File "enum4linux-ng.py", line 2843, in yamlize
    result = yaml.dump(msg, default_flow_style=False, sort_keys=sort, width=160, Dumper=Dumper)
  File "/usr/lib/python3/dist-packages/yaml/__init__.py", line 200, in dump
    return dump_all([data], stream, Dumper=Dumper, **kwds)
TypeError: dump_all() got an unexpected keyword argument 'sort_keys'

The original enum4linux aborts while attempting to determine the domain SID, so I'd assume that it is related to the machine not being domain-joined.

Add kerberos support ?

Hi,

thanks for creating this ng version !

It would be nice to have Kerberos support added:

  • for environments where NTLM is disabled
  • for convenience

I took a very quick look and it seems feasible, but I have no time right now to implement it.

Add options to customize service ports

Thanks for your work on this great tool!

Currently all ports are hardcoded via the SERVICES dictionary. It would be great to set the ports via command line arguments.

SERVICES = {
        SERVICE_LDAP: 389,
        SERVICE_LDAPS: 636,
        SERVICE_SMB: 445,
        SERVICE_SMB_NETBIOS: 139
}

I would propose the following flags to set the ports.

--ldap-port 389
--ldaps-port 636
--smb-port 445

I'd be happy to contribute a PR to this.

JSON parsing issue on user attributes `remote dial` and `comment` fields, potentially others

Hi, I was recently working on a parser for the json output that feeds into a Pandas dataframe. As I parsed it, I noticed there is a flaw with the way some user attributes are handled. You can see a sanitized example below:

"remote dial": "",
"[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00    . . . .  . . . .. .",
"[0010] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00    . . . .  . . . .": "",
"[0020] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00    . . . .  . . . .": "",
"[0030] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00    . . . .  . . . .": "",
"[0040] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00    . . . .  . . . .": "",
"[0050] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00    . . . .  . . . .": "",
"[0060] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00    . . . .  . . . .": "",
"[0070] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00    . . . .  . . . .": "",
"[0080] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00    . . . .  . . . .": "",
"[0090] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00    . . . .  . . . .": "",
"[00a0] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00    . . . .  . . . .": "",
"[00b0] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00    . . . .  . . . .": "",

"comment": "<root created=\"REDACTED 15:56:28:054\" updated=\"REDACTED 15:56:28:054\">",
...
"          </profiles>": "",
"        </settings>": "",
"        <settings group=\"general\" />": "",
"      </public>": "",
"      <protected>REDACTED</protected>": "",
"    </data>": "",
"  </qpm>": "",
"</root>": "",

As you can see, these attributes are multi-line but the parser is not aware and thus assigns them as keys with no value. The value of comment and remote dial should be an array of string values instead.

These are the two examples I observed but there may be other attributes that exhibit this issue since custom attributes are supported.

I see this is also an issue with the yaml output so it is not specific to the json export. I haven't delved too deeply into your code yet so not sure the best place to insert a fix. Happy to test if you have any ideas though.
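Added example, not code from enum4linux-ng or from the reporter: one way to get the array-of-strings result described above is to parse the rpcclient queryuser text with a continuation-aware loop, where only lines that look like a field (indented, a key made of letters and spaces, then a colon) start a new key and every other line is appended to the previous key's value. The sample output is constructed here, modelled on the fragments in the issue (an XML comment spanning several lines, a hexdump under Remote Dial); the exact rpcclient field names are an assumption.

```python
"""Continuation-aware parser for rpcclient 'queryuser' output.

Added example; SAMPLE_QUERYUSER is constructed data, not captured output.
"""
import json
import re

# A field line: optional indentation, a key of letters/digits/underscores/spaces
# (so neither '<root ...>' XML nor '[0000] ...' hexdump lines qualify), ':' and the value.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_ ]*?)\s*:\s*(.*)$")

SAMPLE_QUERYUSER = """\
\tUser Name   :\talice
\tFull Name   :\tAlice Example
\tDescription :\t
\tComment     :\t<root created="2021-03-01 15:56:28:054" updated="2021-03-01 15:56:28:054">
\t  <data>
\t    <protected>REDACTED</protected>
\t  </data>
\t</root>
\tRemote Dial :
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00    . . . .  . . . .
[0010] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00    . . . .  . . . .
\tuser_rid :\t0x3e9
\tgroup_rid:\t0x201
"""


def parse_queryuser(output: str) -> dict:
    """Map lower-cased field names to a string, or to a list of lines for multi-line values."""
    result = {}
    current = None
    for raw in output.splitlines():
        if not raw.strip():
            continue
        m = FIELD_RE.match(raw)
        if m:
            current = m.group(1).strip().lower()
            result[current] = m.group(2).strip()
        elif current is not None:
            # Continuation of the previous field: promote its value to a list of lines
            # instead of turning this line into a bogus key with an empty value.
            prev = result[current]
            if isinstance(prev, str):
                prev = [prev] if prev else []
            prev.append(raw.strip())
            result[current] = prev
        # Anything before the first field line (banners, warnings) is ignored.
    return result


if __name__ == "__main__":
    print(json.dumps(parse_queryuser(SAMPLE_QUERYUSER), indent=2))
```

Note that the comment value contains colons inside the timestamps; splitting on the first colon of every line would have produced the stray keys shown in the issue, which is why the key pattern is restricted to letters and spaces rather than "anything before a colon".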

NULL SID Fix Syntax Error

Hi, writing this issue to address a syntax error regarding the latest patch on handling null SID.

The output, however, is not affected despite the syntax error.

commit 0eccc28

error

Yaml problem

Hi,

This seems like a really nice tool - thank you for creating it!

I have some problem running it on Ubuntu 18.04. When I try to run the command:

python3 enum4linux-ng.py -As <target IP> -v
I keep getting this error:

========================================
|    Shares via RPC on <target IP>    |
 ========================================
[V] Attempting to get share list using authentication, running command: smbclient -W WORKGROUP -U % -L //<target IP> -s /tmp/tmp1gbmbml4
Traceback (most recent call last):
  File "enum4linux-ng.py", line 2642, in <module>
    main()
  File "enum4linux-ng.py", line 2627, in main
    enum.run()
  File "enum4linux-ng.py", line 2131, in run
    self.run_modules(modules)
  File "enum4linux-ng.py", line 2247, in run_modules
    result = EnumShares(self.target, self.creds).run()
  File "enum4linux-ng.py", line 1636, in run
    enum = self.enum()
  File "enum4linux-ng.py", line 1680, in enum
    return Result(shares, f"Found {len(shares.keys())} share(s):\n{yamlize(shares, sort=True)}")
  File "enum4linux-ng.py", line 2493, in yamlize
    result = yaml.dump(msg, default_flow_style=False, sort_keys=sort, Dumper=Dumper)
  File "/usr/lib/python3/dist-packages/yaml/__init__.py", line 200, in dump
    return dump_all([data], stream, Dumper=Dumper, **kwds)
TypeError: dump_all() got an unexpected keyword argument 'sort_keys'

Is this a version problem with PyAml? I am using this version:

srv:~/tools/enum4linux-ng# pip3 show pyyaml
Name: PyYAML
Version: 3.12
Summary: YAML parser and emitter for Python
Home-page: http://pyyaml.org/wiki/PyYAML
Author: Kirill Simonov
Author-email: [email protected]
License: MIT
Location: /usr/lib/python3/dist-packages
Requires: 

Any help would be kindly appreciated.
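Both tracebacks on this page ending in "dump_all() got an unexpected keyword argument 'sort_keys'" (this one and the one titled "Crash when using PyYAML < 5.1") have the same cause: yaml.dump() only gained the sort_keys parameter in PyYAML 5.1, and Ubuntu 18.04 ships 3.12 as shown above. Upgrading PyYAML is the real fix; as an added example (not enum4linux-ng's own yamlize()), a version-aware wrapper keeps the tool from crashing on older installs. The helper's name and the fallback behaviour are this example's, not the project's.

```python
"""yaml.dump() wrapper tolerant of PyYAML < 5.1 (no sort_keys keyword).

Added example, not enum4linux-ng code. PyYAML is imported lazily so that
supports_sort_keys() can be exercised even where PyYAML is not installed.
"""
import re

# sort_keys was introduced in PyYAML 5.1; 3.12 is what Ubuntu 18.04 packages.
MIN_SORT_KEYS_VERSION = (5, 1)


def supports_sort_keys(version: str) -> bool:
    """True if this PyYAML version string accepts yaml.dump(..., sort_keys=...)."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:2]]
    parts += [0] * (2 - len(parts))          # tolerate a bare "6" style version
    return tuple(parts) >= MIN_SORT_KEYS_VERSION


def yamlize(msg, sort=False, width=160) -> str:
    """Serialize msg as block-style YAML, degrading gracefully on old PyYAML."""
    import yaml
    kwargs = {"default_flow_style": False, "width": width}
    if supports_sort_keys(yaml.__version__):
        return yaml.dump(msg, sort_keys=sort, **kwargs)
    # PyYAML < 5.1 always emits dictionary keys sorted and has no way to turn
    # that off, so an unsorted request cannot be honoured; not crashing matters more.
    return yaml.dump(msg, **kwargs)


if __name__ == "__main__":
    print(yamlize({"shares": {"IPC$": {"comment": "IPC Service"}, "ADMIN$": {"comment": "Remote Admin"}}}, sort=True))
```

On an old PyYAML the output is still correct YAML, just always key-sorted; on 5.1 or newer the sort flag is honoured exactly as before.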

lack of documentation for use of setup.py

I am using a Linux Mint 21.1 installation. I have Python 3.10.6 with pip installed on the machine. I also installed all the required packages, namely smbclient, ldap3, yaml and impacket. My question is, do I run the enum4linux-ng.py file directly, or is there a way to get the command to be part of the system commands, such as apt-get or openvpn, that I can use from the command line without executing a file? I noticed a setup.py file, but have no idea how to use it, or if it is of any use.

RID Recycling not working properly?

Okay, this could simply be because I, being a noob, am unable to use it properly, but it appears that enum4linux-ng is unable to enumerate users using RID recycling, even with the -R flag used.

I'm following the TryHackMe room titled "Basic Penetration Testing" with the walkthrough from John Hammond, who used the original enum4linux Perl script. It worked for him and found a user through RID recycling. I tried it with enum4linux-ng and it didn't work. I found that it doesn't use RID recycling by default, so I tried again with the --R flag. Still didn't find any users.

Then I ran the original perl script (enum4linux.pl) and it found it. Am I doing something wrong or is the RID recycling module of the ng version malfunctioning?

Steps to reproduce:

  1. follow John Hammond's walkthrough on TryHackMe's "Basic Penetration Testing". https://www.youtube.com/watch?v=xl2Xx5YOKcI
  2. Try to do what he does at the 14:50 mark, but with enum4linux-ng instead of enum4linux.pl.

TCP services omitted from yaml, json output when -C (RPC service discovery) is enabled

Without -C, the output .json or .yaml will contain information about which TCP listeners were found, such as:

services:
  SMB:
    port: 445
    accessible: true
  SMB over NetBIOS:
    port: 139
    accessible: true

However when -C is enabled and RPC services are enumerated, the list of TCP port listeners is clobbered, the only services: are the ones from RPC enumeration.

It is tested for either way - runtime STDOUT will contain something like:

 =====================================
|    Listener Scan on 10.20.30.40     |
 =====================================
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp

...And the discovered listeners will be used to shape further tests (skip LDAP despite -L if no listener found, etc.).

But that information will be missing from the output file.

Could not parse result of smbclient command

when running against a ricoh printer I get:

[V] Attempting to map share //192.168.35.20/IPC$, running command: smbclient -t 5 -W KM-NETPRINTERS -U % '//192.168.35.20/IPC$' -c dir -s /tmp/tmpf1n8l_bn
[-] Could not parse result of smbclient command, please open a GitHub issue

running the smbclient command manually gives:

smbclient -t 5 -W KM-NETPRINTERS -U % '//192.168.35.20/IPC$' -c dir -s /tmp/tmp
NT_STATUS_NOT_A_DIRECTORY listing \*
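The two "Could not parse result of smbclient command" reports on this page (the one above and the earlier one for 192.168.122.209) both hit a status the share-mapping check did not anticipate: NT_STATUS_NO_SUCH_FILE and NT_STATUS_NOT_A_DIRECTORY after "listing \*", which is what "dir" on IPC$ or a printer share tends to return because those shares are not file systems. As an added example (not enum4linux-ng's own parser), the classifier below separates the three stages smbclient can fail at (session setup, tree connect, the directory listing) and treats an unknown status as "mapped but not listable" instead of aborting. The sample outputs are constructed; the two "listing" lines are copied from the reports, the session setup and tree connect messages are smbclient's usual wording.

```python
"""Classify the output of `smbclient //host/share -c dir` into mapping/listing status.

Added example, not enum4linux-ng code. SAMPLES are constructed test inputs.
"""
import re

SESSION_RE = re.compile(r"session setup failed: (NT_STATUS_\w+)")
TREE_CONNECT_RE = re.compile(r"tree connect failed: (NT_STATUS_\w+)")
# smbclient prints the error and the pattern it tried to list, e.g. "NT_STATUS_ACCESS_DENIED listing \*"
LISTING_ERR_RE = re.compile(r"^(NT_STATUS_\w+) listing \\\*", re.M)
# The free-space summary only appears after a successful 'dir'.
LISTING_OK_RE = re.compile(r"blocks of size \d+\. \d+ blocks available")

SAMPLES = {
    "ipc_no_such_file": r"NT_STATUS_NO_SUCH_FILE listing \*",
    "printer_not_a_directory": r"NT_STATUS_NOT_A_DIRECTORY listing \*",
    "listing_denied": r"NT_STATUS_ACCESS_DENIED listing \*",
    "bad_share": "tree connect failed: NT_STATUS_BAD_NETWORK_NAME",
    "logon_failure": "session setup failed: NT_STATUS_LOGON_FAILURE",
    "listing_ok": (
        "  .                                   D        0  Wed Jun  2 11:46:10 2021\n"
        "  ..                                  D        0  Wed Jun  2 11:46:10 2021\n"
        "\n\t\t10485760 blocks of size 1024. 5242880 blocks available"
    ),
}


def classify_share_result(output: str) -> dict:
    """Return {'mapping': ..., 'listing': ..., 'status': ...} for one smbclient run."""
    m = SESSION_RE.search(output)
    if m:
        # Credentials rejected before any share was touched.
        return {"mapping": "auth failed", "listing": "n/a", "status": m.group(1)}
    m = TREE_CONNECT_RE.search(output)
    if m:
        # Share does not exist or we may not connect to it.
        return {"mapping": "denied", "listing": "n/a", "status": m.group(1)}
    m = LISTING_ERR_RE.search(output)
    if m:
        status = m.group(1)
        # Tree connect succeeded, so the share is mapped; only ACCESS_DENIED is a
        # permission problem. NO_SUCH_FILE / NOT_A_DIRECTORY (IPC$, printers) just
        # mean there is nothing to list, which is worth reporting, not crashing on.
        listing = "denied" if status == "NT_STATUS_ACCESS_DENIED" else "not listable"
        return {"mapping": "ok", "listing": listing, "status": status}
    if LISTING_OK_RE.search(output):
        return {"mapping": "ok", "listing": "ok", "status": "NT_STATUS_OK"}
    # Unrecognised output: hand the raw text back to the caller for logging.
    return {"mapping": "unknown", "listing": "unknown", "status": None}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:24s} -> {classify_share_result(text)}")
```

The practical point for a share enumerator is that a mapped-but-unlistable share is still information (IPC$ being reachable anonymously, for instance), so the result should be recorded rather than treated as a parse failure.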
