Security for everyone

SMB User Group Enumeration Scanner

You can scan Windows system by using this tool.


Short Info




Single Scan

Can be used by


Estimated Time

15 sec

Scan only one

Domain, Ipv4

Parent Category

SMB User Group Enumeration Scanner Detail

Obtains a list of groups from the remote Windows system, as well as a list of the group's users. This works similarly to enum.exe with the /G switch.

The following MSRPC functions in SAMR are used to find a list of groups and the RIDs of their users. Keep in mind that MSRPC refers to groups as "Aliases".

  • Bind: bind to the SAMR service.
  • Connect4: get a connect_handle.
  • EnumDomains: get a list of the domains.
  • LookupDomain: get the RID of the domains.
  • OpenDomain: get a handle for each domain.
  • EnumDomainAliases: get the list of groups in the domain.
  • OpenAlias: get a handle to each group.
  • GetMembersInAlias: get the RIDs of the members in the groups.
  • Close: close the alias handle.
  • Close: close the domain handle.
  • Close: close the connect handle.

Once the RIDs have been termined, the

  • Bind: bind to the LSA service.
  • OpenPolicy2: get a policy handle.
  • LookupSids2: convert SIDs to usernames.

I (Ron Bowes) originally looked into the possibility of using the SAMR function LookupRids2 to convert RIDs to usernames, but the function seemed to return a fault no matter what I tried. Since enum.exe also switches to LSA to convert RIDs to usernames, I figured they had the same issue and I do the same thing.

cyber security services for everyone one. Free security tools, continuous vulnerability scanning and many more.
Try it yourself,
control security posture