The Perl script enum4linux.pl is a powerful tool that can perform recon techniques for LDAP, NBT-NS and MS-RPC. It is an alternative to a similar program named enum.exe (C++) created for Windows systems. More recently, a Python rewrite of enum4linux has surfaced, called enum4linux-ng.py. The enum4linux scripts are mainly wrappers around the Samba tools nmblookup, net, rpcclient and smbclient.
The following techniques can be performed.
Service & port scan (for LDAP(S), SMB, NetBIOS, MS-RPC)
NetBIOS names and workgroup (via reverse lookup)
SMB dialect checks (SMBv1 only or SMBv1 and higher)
RPC session checks (checks whether the supplied user creds are valid or whether a null session works)
Domain information via LDAP (find out whether host is a parent or child DC)
Domain information via RPC (via SMB named pipe \pipe\lsarpc for MS-RPC)
OS information via RPC (via SMB named pipe \pipe\srvsvc for MS-RPC)
Users, groups, shares, policies, printers, services via RPC
Users, groups and machines via RID cycling
SMB share name brute-forcing
All of the techniques mentioned above (except RID cycling) are run with the following command.
enum4linux-ng.py -A $TARGET_IP
RID cycling can be enabled with the