Enumerating Windows Machines For Fun And Legal Profit Part 1

This should probably go without saying, but this should only be used on machines you have authorization to test. Doing this against stuff you don’t have permission to is likely illegal. I mean, I’m not a lawyer, but I’m not responsible if you do something life-altering. Don’t be stupid.

Whether you’re conducting penetration testing or participating in Capture The Flag (CTF) competitions, one of the most critical phases is enumeration. Think of enumeration as digital reconnaissance—you’re gathering intelligence about your target to understand its structure, services, and potential vulnerabilities before attempting any exploitation. In Windows environments, this process becomes particularly nuanced due to the complex ecosystem of Active Directory, SMB shares, LDAP services, and various authentication mechanisms. If you’re anything like me, I ended up doing most of my command-line work in Linux, and only using Windows for gaming and things that absolutely needed Windows. For me, the first time I popped a shell on a CTF box running Windows, it was like… “Ok, now what?”

Windows enumeration is a completely different beast than *nix enumeration. Each tool we’ll explore serves as a different lens through which we can examine the target, revealing unique aspects of the Windows infrastructure that might otherwise remain hidden.

Please note that this article assumes a basic level of understanding of common penetration testing techniques, as well as a basic understanding of Active Directory. If you don’t have that, learn about that first, and come back.

This is part one of a two part series on Windows enumeration; this focuses mostly on understanding a box from the outside, while the follow-up will focus on Active Directory deep dives.

Understanding the Windows Attack Surface

Before diving into specific tools, it’s essential to understand what makes Windows environments different. Windows networks often revolve around Active Directory (AD), which serves as the central authentication and authorization service, as well as enabling control for network administrators. This creates a rich ecosystem of interconnected services that communicate through various protocols, each offering different avenues for information gathering. Windows machines also can share files through the SMB (Server Message Block) protocol. While Linux machines can do these things as well, it’s atypical for them to be configured that way.

The protocols we’ll focus on include SMB for file sharing, LDAP (Lightweight Directory Access Protocol) for directory services, and various Windows-specific services that expose valuable information about users, groups, shares, and system configurations. Each protocol has its own characteristics and information disclosure patterns, which is why we need different tools to effectively enumerate each one.

Also, despite Windows as the target here, all of these tools are either Linux-first tools or at least have a Linux version. While we won’t dive particularly deeply on any one too, the focus here is on at least highlighting what is available.

NetExec: The Swiss Army Knife of Network Enumeration

NetExec represents the evolution of several network enumeration tools, building upon the foundation laid by tools like CrackMapExec.

What makes NetExec particularly powerful is its ability to perform multiple enumeration tasks through a single interface. It combines credential testing, service enumeration, and basic exploitation capabilities into one cohesive tool. This integration allows you to move seamlessly from discovery to initial access attempts without switching between multiple tools.

# Basic host discovery and service enumeration
netexec smb 192.168.1.0/24

# This command scans the entire subnet for SMB services, revealing:
# - Active hosts running SMB
# - SMB version information
# - Domain information
# - Basic system details

Once you identify active hosts, you can enumerate shares, test for common vulnerabilities, or attempt credential spraying attacks.

# Enumerate shares on discovered hosts using the Guest account (if enabled)
netexec smb 192.168.1.100 -u Guest -p '' --shares

# Test for common vulnerabilities using an authenticated user
netexec smb 192.168.1.100 -u bobthebuilder -p 'canwefixityeswecan' -M spider_plus

The tool’s ability to handle authentication gracefully makes it particularly valuable. It can work with anonymous connections, known credentials, or even attempt to leverage existing authentication tokens, adapting to whatever access level you currently possess.

The netexec usage output:

usage: netexec [-h] [--version] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL] [--verbose] [--debug]
               [--no-progress] [--log LOG] [-6] [--dns-server DNS_SERVER] [--dns-tcp] [--dns-timeout DNS_TIMEOUT]
               {ldap,ssh,mssql,nfs,winrm,rdp,vnc,smb,ftp,wmi} ...

     .   .
    .|   |.     _   _          _     _____
    ||   ||    | \ | |   ___  | |_  | ____| __  __   ___    ___
    \\( )//    |  \| |  / _ \ | __| |  _|   \ \/ /  / _ \  / __|
    .=[ ]=.    | |\  | |  __/ | |_  | |___   >  <  |  __/ | (__
   / /˙-˙\ \   |_| \_|  \___|  \__| |_____| /_/\_\  \___|  \___|
   ˙ \   / ˙
     ˙   ˙

    The network execution tool
    Maintained as an open source project by @NeffIsBack, @MJHallenbeck, @_zblurx

    For documentation and usage examples, visit: https://www.netexec.wiki/

    Version : 1.4.0
    Codename: SmoothOperator
    Commit  : Kali Linux


options:
  -h, --help            show this help message and exit

Generic:
  Generic options for nxc across protocols

  --version             Display nxc version
  -t, --threads THREADS
                        set how many concurrent threads to use
  --timeout TIMEOUT     max timeout in seconds of each thread
  --jitter INTERVAL     sets a random delay between each authentication

Output:
  Options to set verbosity levels and control output

  --verbose             enable verbose output
  --debug               enable debug level information
  --no-progress         do not displaying progress bar during scan
  --log LOG             export result into a custom file

DNS:
  -6                    Enable force IPv6
  --dns-server DNS_SERVER
                        Specify DNS server (default: Use hosts file & System DNS)
  --dns-tcp             Use TCP instead of UDP for DNS queries
  --dns-timeout DNS_TIMEOUT
                        DNS query timeout in seconds

Available Protocols:
  {ldap,ssh,mssql,nfs,winrm,rdp,vnc,smb,ftp,wmi}
    ldap                own stuff using LDAP
    ssh                 own stuff using SSH
    mssql               own stuff using MSSQL
    nfs                 own stuff using NFS
    winrm               own stuff using WINRM
    rdp                 own stuff using RDP
    vnc                 own stuff using VNC
    smb                 own stuff using SMB
    ftp                 own stuff using FTP
    wmi                 own stuff using WMI

Additional help is available with netexec [protocol] -h to get help or usage for a specific protocol.

If you start with credentials or if the Guest account is enabled, a favorite usage of mine for this tool is discovering users by rid bruteforcing with netexec smb [target] -u [username] -p [password] --rid-brute.

smbmap and smbclient: File Share Reconnaissance

File shares often represent one of the most direct pathways to sensitive information in Windows environments. smbmap and smbclient serve as your primary tools for discovering and exploring these shared resources. Think of these tools as your digital filing cabinet explorers—they help you understand what files and folders are available and what level of access you have to them.

smbmap excels at providing a quick overview of share permissions and accessibility across multiple hosts. It’s designed to answer the question: “What can I access on this file share server?”

# Discover and map shares across multiple hosts
smbmap -H 192.168.1.100 -u anonymous -p ''

# Recursively explore share contents
smbmap -H 192.168.1.100 -u username -p password -R

# Search for specific file types or patterns
smbmap -H 192.168.1.100 -u username -p password -r --depth 3 -q

The recursive exploration capability is particularly valuable because it reveals the actual structure and contents of shares beyond just their names. This often uncovers sensitive files, configuration documents, or other valuable information that might not be obvious from share names alone.

smbclient provides more interactive capabilities, allowing you to browse shares via the commandline. This interactive approach is valuable when you need to carefully examine file contents or when you’re looking for specific types of information.

# Interactive share browsing (double slashes for escaping)
smbclient -U username \\\\192.168.1.100\\

# Once connected, you can use familiar commands:
# ls - list directory contents
# get filename - download files
# put filename - upload files (if you have write access)
# cd directory - change directories

smbclient can also perform share listing:

# Share listing
smbclient -U username -L \\\\192.168.1.100\\

enum4linux: Enumerate everything

Though we’ve explored deep-dive tools focused on specific purposes, enum4linux takes more of a “shotgun” approach. Think of enum4linux as the friendly neighborhood guide who introduces you to a new city—it may not know every intimate detail about every building, but it can show you the major landmarks, tell you which neighborhoods are worth exploring, and give you a solid foundation for planning your deeper investigations.

enum4linux represents the evolution of classic UNIX enumeration philosophy applied to Windows targets. The tool embodies the principle that sometimes the best approach to understanding a complex system is to ask it many simple questions and synthesize the answers into a coherent picture. Rather than requiring deep protocol knowledge or complex syntax, enum4linux provides a straightforward interface that handles much of the technical complexity behind the scenes.

What makes enum4linux particularly valuable for learning and initial reconnaissance is its comprehensive reporting approach. Instead of requiring you to run multiple separate commands and correlate their outputs manually, enum4linux performs a systematic sweep of common enumeration targets and presents the results in an organized, human-readable format. This approach helps you understand what information is typically available through SMB and related protocols without getting lost in the technical details of each individual query.

The tool’s design philosophy centers around accessibility and completeness. When you point enum4linux at a target, it systematically probes for user accounts, shares, password policies, group memberships, and system information using a variety of techniques. This breadth of coverage makes it particularly useful when you’re first approaching an unknown Windows environment and need to quickly understand the scope and structure of what you’re dealing with.

# Basic comprehensive enumeration of a target system
enum4linux -a 192.168.1.100

# The -a flag triggers "all" enumeration modes, which includes:
# - Attempting to identify the target OS and SMB dialect
# - Enumerating available shares and their permissions
# - Listing user accounts and their properties
# - Discovering group information and memberships
# - Extracting password policy details
# - Attempting to identify the domain/workgroup structure

Understanding enum4linux’s systematic approach can also increase your own enumeration knowledge. Verbose mode helps you understand how enum4linux gets its data, which can help you understand Windows machines better as a whole:

# Verbose enumeration to see the underlying queries
enum4linux -v -a 192.168.1.100

# This reveals the actual SMB commands being executed, such as:
# - NetShareEnum to discover available shares
# - NetUserEnum to list user accounts
# - NetGroupEnum to identify groups
# - Various policy queries to understand domain settings

enum4linux also demonstrates important concepts about null sessions and anonymous access that remain relevant across many Windows enumeration scenarios. The tool automatically attempts various authentication approaches, from completely anonymous connections to null session establishment, helping you understand what information might be available even without valid credentials. This capability makes it particularly valuable in the early stages of penetration testing when you may not yet have obtained valid authentication material.

# Attempt enumeration with specific credentials when available
enum4linux -u username -p password -a 192.168.1.100

# Compare results with anonymous enumeration to understand
# what additional information becomes available with authentication
enum4linux -a 192.168.1.100

The tool’s approach to error handling and graceful degradation provides another important lesson for enumeration methodology. When enum4linux encounters access restrictions or protocol limitations, it continues with other enumeration attempts rather than failing completely, which can be very annoying during a test.

Stay Tuned for More

Part 2 is out here and focuses on diving into Active Directory.