Scanning for SMB Vulnerabilities with enum4linux
This lab is part of the Cisco Ethical Hacker Course under exploiting network-based vulnerabilities. I was tasked with using enum4linux to scan for SMB vulnerabilities. Enum4linux is a tool for enumerating information from Windows and Samba hosts. Samba is an application that enables Linux and Apple clients to participate in Windows networks. It enables non-Windows clients to use the Server Message Block (SMB) protocol to access file and print services. Samba servers can participate in a Windows domain, both as a client and as a server. In this activity, I explored the capabilities of the enum4linux tool to enumerate user and file sharing information from Samba servers, and used smbclient to transfer files between systems.
Objectives
Launch enum4linux and explore its capabilities.
Identify computers with SMB services running.
Use enum4linux to enumerate users and network file shares.
Use smbclient to transfer files between systems.
Part 1: Launch enum4linux and explore its capabilities
Most enum4linux commands must be run as root, so I used the sudo su command to obtain a persistent root shell in my Kali VM. To get more information about enum4linux, I ran enum4linux -h.
The help output contains the syntax and options available to enumerate host and server information on networks that use SMB. Enum4linux requires that Samba be installed on the host system because it depends on the built-in Samba utilities. I verified that Samba is installed using the command whereis samba.
Question: Which Samba utilities does the help file indicate are used by the enum4linux tool?
Answer: rpcclient, net, nmblookup and smbclient. The enum4linux tool is just a wrapper around these Samba utilities.
Terms associated with SMB functions (can be found in the output of enum4linux commands)
Relative Identifier (RID) - the final, unique component of a Windows Security Identifier (SID) that identifies a user, group, system, or domain. RIDs ensure uniqueness across security principals; common examples are 500 for Administrator and 501 for Guest.
Security Identifier (SID) - a unique, immutable, variable-length alphanumeric string assigned by Windows to uniquely identify security principals (users, groups, computers, or processes) within the local domain. It is globally unique, so it also works between domains.
Domain Controller (DC) - a central server in a Microsoft Windows Active Directory (AD) environment that manages network and identity security requests. It authenticates users and determines whether (authorizes) the users are allowed to access IT resources in the domain.
Lightweight Directory Access Protocol (LDAP) - a directory access protocol that enables services and clients that use LDAP naming services to communicate over an IP network. It is also vendor-neutral.
Workgroup - a group of standalone computers that are independently administered.
Part 2: Use Nmap to Find SMB Servers
Common open ports on SMB servers are:
TCP 135 RPC
TCP 139 NetBIOS Session
TCP 389 LDAP Server
TCP 445 SMB File Service
TCP 9389 Active Directory Web Services
TCP/UDP 137 NetBIOS Name Service
UDP 138 NetBIOS Datagram
One can identify potential targets for SMB enumeration by examining the open ports. The Kali VM includes two virtual networks populated with Docker containers. I used the nmap -sN command to find the services available on hosts in the 172.17.0.0/24 virtual network.
-sN: This is a TCP Null scan, used to determine which ports are closed on the target machine. It sends TCP segments with no flags set in the header, which produces packets that are illegal under RFC 793. The behaviour RFC 793 expects is that an open port discards any TCP segment carrying an out-of-state flag combination, whereas a closed port answers such a segment with a RST. This behaviour lets a scanner identify closed ports by sending rule-breaking packets (out of sync, or disallowed by the TCB) and watching for RST replies.
Nmap reveals two hosts up on the 172.17.0.0/24 network: 172.17.0.1 and 172.17.0.2.
On the 172.17.0.2 host, the ports open that identify running SMB services are:
- TCP 139 netbios-ssn and TCP 445 microsoft-ds.
I also ran an nmap -sN scan on the 10.6.6.0/24 subnet.
- Host 10.6.6.23 is a potential target since it has ports 139 and 445 open.
Part 3: Use enum4linux to enumerate users and network file shares
In this part, I used enum4linux to discover more information about the two potential targets.
enum4linux scan on target 172.17.0.2
The most common options to use with enum4linux are:
-U find configured users
-S get a list of file shares
-G get a list of the groups and their members
-P list the password policies
-i get a list of printers
I used the enum4linux -U option to list the users configured on the target 172.17.0.2.
I also listed the file shares available on 172.17.0.2 using the enum4linux -S command, adding the verbose option (-v) to see which Samba tools are used to obtain the information.
Note the [V] at the beginning of some output lines. Verbose mode provides a narrative of how the results were obtained. For example, in the Enumerating Workgroup/Domain section of the output, enum4linux attempted to get the domain name using the command nmblookup -A 172.17.0.2. It could also be seen that smbclient was used to map the file shares, of which there are five. The $ at the end of some share names indicates they are hidden shares.
I also tried to uncover a known username/password combination to take this further. Knowing the password policies in place on the target system helps in structuring a brute-force password attack to obtain the necessary credentials. Hence, I used the enum4linux -P command to list the password policies.
The minimum password length set for accounts on this server is 5 characters. The account lockout threshold setting is set to None.
The security of the password policy set for this domain is Low.
- Why: The minimum password length is too short. In addition, the password complexity flag is 000000. Microsoft documents this value as meaning no password complexity policy is set. Also, no minimum password age is configured.
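As an added example (not part of the lab), here is a small Python check that parses the Password Info section of enum4linux -P output and applies the rating criteria used above: short minimum length, an all-zero complexity flag, no lockout threshold, and no minimum password age. The sample output is constructed to mirror the lab findings, the field names follow the layout enum4linux prints, and the 12-character floor is an assumption.

```python
import re

# Constructed sample modelled on the "Password Info" section that
# enum4linux -P prints; values mirror the lab findings, not a captured scan.
SAMPLE = """\
[+] Password Info for Domain: WORKGROUP
    [+] Minimum password length: 5
    [+] Password history length: None
    [+] Maximum password age: Not Set
    [+] Password Complexity Flags: 000000
        [+] Domain Password Complex: 0
    [+] Minimum password age: None
    [+] Account Lockout Threshold: None
"""

def parse_policy(text):
    """Return a dict of 'field': 'value' for each '[+] field: value' line."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"\s*\[\+\]\s*([^:]+?):\s*(.*)$", line)
        if m:
            policy[m.group(1).strip()] = m.group(2).strip()
    return policy

def rate_policy(policy, min_length=12):
    """Return ('Low'|'Medium'|'High', [reasons]); min_length is an assumed floor."""
    reasons = []
    length = policy.get("Minimum password length", "None")
    if not length.isdigit() or int(length) < min_length:
        reasons.append(f"minimum password length {length} is below {min_length}")
    flags = policy.get("Password Complexity Flags", "")
    if flags.strip("0") == "":          # 000000: no complexity policy is set
        reasons.append("complexity flags all zero: no complexity enforced")
    if policy.get("Account Lockout Threshold", "None") == "None":
        reasons.append("no account lockout threshold: unlimited guesses allowed")
    if policy.get("Minimum password age", "None") in ("None", "Not Set"):
        reasons.append("no minimum password age configured")
    rating = "Low" if len(reasons) >= 2 else "Medium" if reasons else "High"
    return rating, reasons

if __name__ == "__main__":
    rating, reasons = rate_policy(parse_policy(SAMPLE))
    print(f"Password policy security: {rating}")
    for r in reasons:
        print(f" - {r}")
```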
Perform a simple enumeration scan on target 10.6.6.23
Enum4linux has a -a option that combines the -U, -S, -G, -P, -r, -o, -n and -i options into one command, so that multiple SMB enumeration operations run in a single scan. Therefore, I ran enum4linux -a against the 10.6.6.23 host.
There are 3 local users and 7 local groups on the target.
The shares located on the target are homes, workfiles and print$. Note that the IPC$ share is for the server process itself and is created by default.
Part 4: Use smbclient to transfer files between systems
Smbclient is a component of Samba that can store and retrieve files, similar to an FTP client. I used smbclient to transfer a file to the target system at 172.17.0.2. This simulates exploiting a network host with malware through an SMB vulnerability.
- I created a text file called badfile.txt with some text inside using the cat command.
I also checked out some options to use with smbclient using smbclient -h.
I used the smbclient -L command to list the shares on the target host. This command produces output similar to that of the enum4linux command in Part 3. When asked for a password, I pressed Enter. The double / characters before the IP address and the / following it are necessary if the target is a Windows computer, e.g. //172.17.0.2/.
- I connected to the tmp share using the smbclient command by specifying the share name and IP address, i.e. smbclient //172.17.0.2/tmp
- I entered dir at the smb: \> prompt to view the contents of the share.
- I uploaded badfile.txt to the target server using the put command. The syntax is: put local-file-name remote-file-name. I also verified the upload using dir.
Reflection
You are conducting a penetration test of a client network. You have gained access to an internal network by social engineering the username and password of an ad hoc webserver that is not behind the firewall. You can remotely access the network from a Kali VM configured with the enum4linux tool.
What steps would you follow to send a dummy malware file to hosts on the network as part of the penetration test?
Answer:
- Scan the network with Nmap to identify hosts that are running SMB.
- Scan the target host or host subnet using enum4linux to enumerate workgroups, password policies and shares.
- Run smbclient and use the put command to copy the dummy file to a vulnerable host or hosts.
Mitigation Strategies for SMB vulnerabilities
From a defensive perspective, findings from these tools should be treated seriously:
- Limit SMB exposure to trusted networks.
- Disable legacy protocols (SMBv1).
- Apply patches.
- Enforce strong authentication and least-privilege access to shares.
- Monitor SMB traffic for suspicious activity.
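As an added example (not part of the lab), a small Python audit of a Samba smb.conf for two of the mitigations listed above: an SMBv1 protocol floor, and shares that are writable without authentication or without a valid users restriction. The smb.conf fragment is constructed for illustration and is not taken from the lab hosts.

```python
import configparser
import io

# Constructed smb.conf fragment (not from the lab hosts): an SMBv1 floor,
# a guest-writable share like the tmp share above, and a restricted share.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server min protocol = NT1

[tmp]
   path = /tmp
   writable = yes
   guest ok = yes

[workfiles]
   path = /srv/workfiles
   read only = yes
   valid users = @staff
"""

SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

def audit_smb_conf(text):
    """Return a list of 'section: finding' strings for weak settings."""
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    # smb.conf indents keys under each [section]; strip the indentation so
    # configparser does not read indented lines as value continuations
    cfg.read_file(io.StringIO("\n".join(l.strip() for l in text.splitlines())))
    findings = []
    floor = cfg["global"].get("server min protocol", "").upper() if cfg.has_section("global") else ""
    if floor in SMB1_DIALECTS:
        findings.append(f"global: SMBv1 allowed (server min protocol = {floor}); raise it to SMB2 or higher")
    elif not floor:
        findings.append("global: server min protocol not set; pin it to SMB2 or higher")
    for share in cfg.sections():
        if share == "global":
            continue
        s = cfg[share]
        # Samba treats 'writable/writeable = yes' and 'read only = no' the same
        writable = (s.get("writable", s.get("writeable", "no")).lower() == "yes"
                    or s.get("read only", "yes").lower() == "no")
        guest = s.get("guest ok", s.get("public", "no")).lower() == "yes"
        if writable and guest:
            findings.append(f"{share}: writable share allows guest (unauthenticated) access")
        if writable and "valid users" not in s:
            findings.append(f"{share}: writable share not limited to specific valid users")
    return findings
```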
Conclusion
This lab demonstrated how enum4linux and smbclient can be used to discover and interact with SMB/Samba services. Using enum4linux (run with appropriate privileges) you can enumerate host and domain information, user accounts, and shared resources; smbclient provides a simple, scriptable way to connect to shares and transfer files. Together they reveal how exposed SMB services can leak useful reconnaissance data and, if misconfigured, enable unauthorized access or data transfer.
Next steps include deeper, authenticated enumeration (to discover additional permissions and writable shares), automated scanning with complementary tools (e.g., smbmap, targeted Nmap SMB scripts), and using the gathered information to validate or remediate misconfigurations in a controlled, ethical testing environment.