The Perl script enum4linux.pl is a reconnaissance tool that enumerates information over LDAP, NBT-NS and MS-RPC. It is the Unix counterpart of enum.exe, a similar C++ program written for Windows systems. More recently, a rewrite of enum4linux in Python has appeared under the name enum4linux-ng.py. Both enum4linux scripts are mainly wrappers around the Samba tools nmblookup, net, rpcclient and smbclient.

The following techniques are supported.

  • Service & port scan (for LDAP(S), SMB, NetBIOS, MS-RPC)

  • NetBIOS names and workgroup (via reverse lookup)

  • SMB dialect checks (SMBv1 only, or SMBv1 and higher)

  • RPC session checks (whether the supplied user credentials are valid, or whether a null session works)

  • Domain information via LDAP (whether the host is a parent or child DC)

  • Domain information via RPC (via SMB named pipe \pipe\lsarpc for MS-RPC)

  • OS information via RPC (via SMB named pipe \pipe\srvsvc for MS-RPC)

  • Users, groups, shares, policies, printers, services via RPC

  • Users, groups and machines via RID cycling

  • SMB share name brute-forcing

All of the techniques listed above (except RID cycling) are run by the following command.

enum4linux-ng.py -A $TARGET_IP

RID cycling can be enabled with the -R option.
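From the defender's side, RID cycling is recognisable because one source looks up a long run of consecutive RIDs under the same domain SID in a short time. The following is an added example (not code from this page or from the enum4linux projects) that runs such a detector over constructed lookup records; the record format (timestamp, source IP, looked-up SID) and the thresholds are assumptions, not any real product's log format.

```python
import re
from collections import defaultdict

# Constructed sample records (not from any real log): (timestamp_seconds, source_ip, looked_up_sid).
# Source 10.0.0.7 walks RIDs 1000..1039 within 40 seconds (cycling pattern);
# source 10.0.0.9 performs two ordinary lookups of well-known RIDs (not cycling).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_EVENTS = [(float(i), "10.0.0.7", f"{DOMAIN_SID}-{rid}") for i, rid in enumerate(range(1000, 1040))]
SAMPLE_EVENTS += [(100.0, "10.0.0.9", f"{DOMAIN_SID}-500"), (200.0, "10.0.0.9", f"{DOMAIN_SID}-512")]

# Domain SIDs have the form S-1-5-21-<a>-<b>-<c>; the trailing component is the RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Return (domain_sid, rid) for a domain SID string, or None for anything else."""
    m = SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else None

def detect_rid_cycling(events, window=60.0, min_rids=20, min_contiguous_ratio=0.8):
    """Flag (source, domain) pairs that look up at least `min_rids` distinct RIDs within
    `window` seconds where those RIDs form an almost contiguous range."""
    per_source = defaultdict(list)
    for ts, src, sid in events:
        parsed = split_sid(sid)
        if parsed:
            per_source[(src, parsed[0])].append((ts, parsed[1]))
    alerts = []
    for (src, domain), lookups in per_source.items():
        lookups.sort()
        lo = 0
        for hi in range(len(lookups)):
            # Keep lookups[lo:hi+1] inside the time window.
            while lookups[hi][0] - lookups[lo][0] > window:
                lo += 1
            rids = {rid for _, rid in lookups[lo:hi + 1]}
            if len(rids) < min_rids:
                continue
            span = max(rids) - min(rids) + 1
            if len(rids) / span >= min_contiguous_ratio:
                # Summarise every RID this source looked up for the domain, then stop.
                all_rids = {rid for _, rid in lookups}
                alerts.append({"source": src, "domain_sid": domain, "rid_lo": min(all_rids),
                               "rid_hi": max(all_rids), "count": len(all_rids)})
                break
    return alerts

if __name__ == "__main__":
    for alert in detect_rid_cycling(SAMPLE_EVENTS):
        print(alert)
```

Thresholds need tuning per environment, since a domain controller or a file server resolving group memberships also looks up many SIDs, though rarely as a dense consecutive range from a single client.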