Nmap smb-enum-users NSE Script

This page contains detailed information about how to use the smb-enum-users NSE script. For list of all NSE scripts, visit the Nmap NSE Library.

Error Messages

Script Overview

Script source code: https://github.com/nmap/nmap/tree/master/scripts/smb-enum-users.nse
Script categories: auth, intrusive
Target service / protocol: smb, netbios, tcp, udp
Target network port(s): 137, 139, 445
List of CVEs: -

Script Description

The smb-enum-users.nse script attempts to enumerate the users on a remote Windows system, with as much information as possible, through two different techniques (both over MSRPC, which uses port 445 or 139; see smb.lua). The goal of this script is to discover all user accounts that exist on a remote system. This can be helpful for administration, by seeing who has an account on a server, or for penetration testing or network footprinting, by determining which accounts exist on a system.

A penetration tester who is examining servers may wish to determine the purpose of a server. By getting a list of who has access to it, the tester might get a better idea (if financial people have accounts, it probably relates to financial information). Additionally, knowing which accounts exist on a system (or on multiple systems) allows the pen-tester to build a dictionary of possible usernames for bruteforces, such as a SMB bruteforce or a Telnet bruteforce. These accounts may be helpful for other purposes, such as using the accounts in Web applications on this or other servers.

From a pen-testers perspective, retrieving the list of users on any given server creates endless possibilities.

Users are enumerated in two different ways: using SAMR enumeration or LSA bruteforcing. By default, both are used, but they have specific advantages and disadvantages. Using both is a great default, but in certain circumstances it may be best to give preference to one.

Advantages of using SAMR enumeration:

  • Stealthier (requires one packet/user account, whereas LSA uses at least 10 packets while SAMR uses half that; additionally, LSA makes a lot of noise in the Windows event log (LSA enumeration is the only script I (Ron Bowes) have been called on by the administrator of a box I was testing against).
  • More information is returned (more than just the username).
  • Every account will be found, since they're being enumerated with a function that's designed to enumerate users.

Advantages of using LSA bruteforcing:

  • More accounts are returned (system accounts, groups, and aliases are returned, not just users).
  • Requires a lower-level account to run on Windows XP and higher (a 'guest' account can be used, whereas SAMR enumeration requires a 'user' account; especially useful when only guest access is allowed, or when an account has a blank password (which effectively gives it guest access)).

SAMR enumeration is done with the QueryDisplayInfo function. If this succeeds, it will return a detailed list of users, along with descriptions, types, and full names. This can be done anonymously against Windows 2000, and with a user-level account on other Windows versions (but not with a guest-level account).

To perform this test, the following functions are used:

  • Bind: bind to the SAMR service.
  • Connect4: get a connect_handle.
  • EnumDomains: get a list of the domains.
  • QueryDomain: get the sid for the domain.
  • OpenDomain: get a handle for each domain.
  • QueryDisplayInfo: get the list of users in the domain.
  • Close: Close the domain handle.
  • Close: Close the connect handle. The advantage of this technique is that a lot of details are returned, including the full name and description; the disadvantage is that it requires a user-level account on every system except for Windows 2000. Additionally, it only pulls actual user accounts, not groups or aliases.

Regardless of whether this succeeds, a second technique is used to pull user accounts, called LSA bruteforcing. LSA bruteforcing can be done anonymously against Windows 2000, and requires a guest account or better on other systems. It has the advantage of running with less permission, and will also find more account types (i.e., groups, aliases, etc.). The disadvantages is that it returns less information, and that, because it's a brute-force guess, it's possible to miss accounts. It's also extremely noisy.

This isn't a brute-force technique in the common sense, however: it's a brute-forcing of users' RIDs. A user's RID is a value (generally 500, 501, or 1000+) that uniquely identifies a user on a domain or system. An LSA function is exposed which lets us convert the RID (say, 1000) to the username (say, "Ron"). So, the technique will essentially try converting 1000 to a name, then 1001, 1002, etc., until we think we're done.

To do this, the script breaks users into groups of RIDs based on the LSA_GROUPSIZE constant. All members of this group are checked simultaneously, and the responses recorded. When a series of empty groups are found (LSA_MINEMPTY groups, specifically), the scan ends. As long as you are getting a few groups with active accounts, the scan will continue.

Before attempting this conversion, the SID of the server has to be determined. The SID is determined by doing the reverse operation; that is, by converting a name into its RID. The name is determined by looking up any name present on the system. We try:

  • The computer name and domain name, returned in SMB_COM_NEGOTIATE;
  • An nbstat query to get the server name and the user currently logged in; and
  • Some common names: "administrator", "guest", and "test".

In theory, the computer name should be sufficient for this to always work, and it has so far has in my tests, but I included the rest of the names for good measure. It doesn't hurt to add more.

The names and details from both of these techniques are merged and displayed. If the output is verbose, then extra details are shown. The output is ordered alphabetically.

Credit goes out to the enum.exe, sid2user.exe, and user2sid.exe programs for pioneering some of the techniques used in this script.

Smb-enum-users NSE Script Arguments

This is a full list of arguments supported by the smb-enum-users.nse script:


If set, script will only enumerate using an LSA bruteforce (requires less access than samr). Only set if you know what you're doing, you'll get better results by using the default options.


If set, script will only query a list of users using a SAMR lookup. This is much quieter than LSA lookups, so enable this if you want stealth. Generally, however, you'll get better results by using the default options.


The domain to log in with. If you aren't in a domain environment, then anything will (should?) be accepted by the server.


A password hash to use when logging in. This is given as a single hex string (32 characters) or a pair of hex strings (both 32 characters, optionally separated by a single character). These hashes are the LanMan or NTLM hash of the user's password, and are stored on disk or in memory. They can be retrieved from memory using the fgdump or pwdump tools.


Use to disable usage of the 'guest' account.


The password to connect with. Be cautious with this, since some servers will lock accounts if the incorrect password is given. Although it's rare that the Administrator account can be locked out, in the off chance that it can, you could get yourself in trouble. To use a blank password, leave this parameter off altogether.


The type of SMB authentication to use. These are the possible options:

  • v1: Sends LMv1 and NTLMv1.
  • LMv1: Sends LMv1 only.
  • NTLMv1: Sends NTLMv1 only (default).
  • v2: Sends LMv2 and NTLMv2.
  • LMv2: Sends LMv2 only.
  • NTLMv2: Doesn't exist; the protocol doesn't support NTLMv2 alone. The default, NTLMv1, is a pretty decent compromise between security and compatibility. If you are paranoid, you might want to use v2 or lmv2 for this. (Actually, if you're paranoid, you should be avoiding this protocol altogether!). If you're using an extremely old system, you might need to set this to v1 or lm, which are less secure but more compatible. For information, see smbauth.lua.


The SMB username to log in with. The forms "DOMAIN\username" and "username@DOMAIN" are not understood. To set a domain, use the smbdomain argument.


Set to a value to change the filenames/service names that are randomly generated.


Forces the authentication to use basic security, as opposed to "extended security". Against most modern systems, extended security should work, but there may be cases where you want to force basic. There's a chance that you'll get better results for enumerating users if you turn on basic authentication.


Override the default port choice. If smbport is open, it's used. It's assumed to be the same protocol as port 445, not port 139. Since it probably isn't possible to change Windows' ports normally, this is mostly useful if you're bouncing through a relay or something.


Controls whether or not server signatures are checked in SMB packets. By default, on Windows, server signatures aren't enabled or required. By default, this library will always sign packets if it knows how, and will check signatures if the server says to. Possible values are:

  • force: Always check server signatures, even if server says it doesn't support them (will Probably fail, but is technically more secure).
  • negotiate: [default] Use signatures if server supports them.
  • ignore: Never check server signatures. Not recommended.
  • disable: Don't send signatures, at all, and don't check the server's. not recommended. More information on signatures can be found in smbauth.lua.

- - -
To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..] syntax. For example:

nmap --script=smb-enum-users --script-args lsaonly=value,samronly=value <target>

Smb-enum-users NSE Script Example Usage

Here's an example of how to use the smb-enum-users.nse script:

nmap --script smb-enum-users.nse -p445 <host>

sudo nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host>

Smb-enum-users NSE Script Example Output

Here's a sample output from the smb-enum-users.nse script:

Host script results:
|  smb-enum-users:
|_ |_ Domain: RON-WIN2K-TEST; Users: Administrator, Guest, IUSR_RON-WIN2K-TEST, IWAM_RON-WIN2K-TEST, test1234, TsInternetUser

Host script results:
|  smb-enum-users:
|  |  RON-WIN2K-TEST\Administrator (RID: 500)
|  |  |  Description: Built-in account for administering the computer/domain
|  |  |_ Flags:       Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\Guest (RID: 501)
|  |  |  Description: Built-in account for guest access to the computer/domain
|  |  |_ Flags:       Password not required, Password does not expire, Normal user account
|  |  |  Full name:   Internet Guest Account
|  |  |  Description: Built-in account for anonymous access to Internet Information Services
|  |  |_ Flags:       Password not required, Password does not expire, Normal user account
|  |  |  Full name:   Launch IIS Process Account
|  |  |  Description: Built-in account for Internet Information Services to start out of process applications
|  |  |_ Flags:       Password not required, Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\test1234 (RID: 1005)
|  |  |_ Flags:       Normal user account
|  |  RON-WIN2K-TEST\TsInternetUser (RID: 1000)
|  |  |  Full name:   TsInternetUser
|  |  |  Description: This user account is used by Terminal Services.
|_ |_ |_ Flags:       Password not required, Password does not expire, Normal user account

Smb-enum-users NSE Script Example XML Output

There is no sample XML output for this module. However, by providing the -oX <file> option, Nmap will produce a XML output and save it in the file.xml file.


  • Ron Bowes


See Also

Related NSE scripts to the smb-enum-users.nse script:

Visit Nmap NSE Library for more scripts.

The smb-enum-users.nse script may fail with the following error messages. Check for the possible causes by using the code snippets highlighted below found in the script source code. This can often times help in identifying the root cause of the problem.

Access denied while trying to enumerate users; except against Windows 2000, Guest or better is typically required

Here is a relevant code snippet related to the "Access denied while trying to enumerate users; except against Windows 2000, Guest or better is typically required" error message:

200:	  end
202:	  -- Check if both failed
203:	  if(samr_status == false and lsa_status == false) then
204:	    if(string.find(lsa_result, 'ACCESS_DENIED')) then
205:	      return stdnse.format_output(false, "Access denied while trying to enumerate users; except against Windows 2000, Guest or better is typically required")
206:	    end
208:	    return stdnse.format_output(false, {"Couldn't enumerate users", "SAMR returned " .. samr_result, "LSA returned " .. lsa_result})
209:	  end

Couldn't enumerate users", "SAMR returned " .. samr_result, "LSA returned

Here is a relevant code snippet related to the "Couldn't enumerate users", "SAMR returned " .. samr_result, "LSA returned " error message:

203:	  if(samr_status == false and lsa_status == false) then
204:	    if(string.find(lsa_result, 'ACCESS_DENIED')) then
205:	      return stdnse.format_output(false, "Access denied while trying to enumerate users; except against Windows 2000, Guest or better is typically required")
206:	    end
208:	    return stdnse.format_output(false, {"Couldn't enumerate users", "SAMR returned " .. samr_result, "LSA returned " .. lsa_result})
209:	  end
211:	  -- Sort them
212:	  table.sort(names, function (a, b) return string.lower(a.name) < string.lower(b.name) end)


This page has been created based on Nmap version 7.92.

Go back to menu.