The Perl script enum4linux.pl is a reconnaissance tool for LDAP, NBT-NS and MS-RPC. It is an alternative to enum.exe, a similar C++ program written for Windows systems. More recently, a Python rewrite called enum4linux-ng.py has appeared. Both enum4linux scripts are mainly wrappers around the Samba tools nmblookup, net, rpcclient and smbclient.
The following techniques are available:
- Service and port scan (LDAP(S), SMB, NetBIOS, MS-RPC)
- SMB dialect check (SMBv1 only, or SMBv1 and higher)
- Domain information via LDAP (find out whether the host is a parent or child DC)
- Users, groups, shares, policies, printers and services via RPC
- SMB share name brute-forcing
All of the techniques listed above (except RID cycling) are run with the following command:
enum4linux-ng.py -A $TARGET_IP
RID cycling can be enabled with the
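The SMB dialect check from the list above, done by hand as an added example (this is not code from the original page or from enum4linux-ng, which drives the Samba client tools instead): it builds the SMB1 negotiate request and classifies the server's reply as SMBv1-only (SMB1 header, one dialect chosen) or SMBv1-and-higher (server switched to an SMB2 header and reports a dialect revision). The replies it parses are constructed inline so the code runs offline; the field layout follows the standard SMB1/SMB2 negotiate messages.

```python
import struct

# SMB1 dialect strings offered to the server, oldest first; the index the
# server returns refers to this list. The two "SMB 2.*" entries let a server
# that speaks SMBv2/3 answer with an SMB2 header instead.
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12",
            b"SMB 2.002", b"SMB 2.???"]

def netbios_frame(msg):
    """Wrap an SMB message in a NetBIOS session header (type 0x00 + 3-byte length)."""
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def build_negotiate_request(dialects=DIALECTS):
    """Build an SMB1 SMB_COM_NEGOTIATE (0x72) request with typical client flags."""
    header = (b"\xffSMB\x72" + b"\x00" * 4          # protocol id, command, NT status
              + b"\x18" + struct.pack("<H", 0xC853)  # Flags, Flags2 (unicode, ext. security)
              + b"\x00" * 20)                        # PIDHigh..MID, all zero for a probe
    blob = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # Dialect entries
    params = b"\x00" + struct.pack("<H", len(blob)) + blob       # WordCount=0, ByteCount
    return netbios_frame(header + params)

def classify_negotiate_response(raw, dialects=DIALECTS):
    """Classify a NetBIOS-framed negotiate response into
    ('smb2+', revision)  -> SMBv1 and higher (server switched to an SMB2 header),
    ('smb1-only', name)  -> server stayed on SMBv1 and picked that dialect,
    ('no-dialect', None) -> server accepted none of the dialects (index 0xFFFF)."""
    msg = raw[4:]
    if msg[:4] == b"\xfeSMB":
        # SMB2 header is 64 bytes; NEGOTIATE body: StructureSize, SecurityMode, DialectRevision
        revision = struct.unpack_from("<H", msg, 64 + 4)[0]
        return "smb2+", f"0x{revision:04x}"
    if msg[:4] != b"\xffSMB" or msg[4] != 0x72 or msg[32] == 0:
        raise ValueError("not a successful SMB1 negotiate response")
    index = struct.unpack_from("<H", msg, 33)[0]   # first parameter word: DialectIndex
    if index == 0xFFFF:
        return "no-dialect", None
    return "smb1-only", dialects[index].decode()

def sample_smb2_response(revision=0x02FF):
    """Constructed SMB2 NEGOTIATE response (not a real capture), for offline testing."""
    header = b"\xfeSMB" + struct.pack("<H", 64) + b"\x00" * 58
    body = struct.pack("<HHH", 65, 1, revision) + b"\x00" * 58
    return netbios_frame(header + body)

def sample_smb1_response(dialect_index=2):
    """Constructed SMB1 negotiate response (WordCount 17) selecting one dialect."""
    header = b"\xffSMB\x72" + b"\x00" * 4 + b"\x98" + struct.pack("<H", 0xC853) + b"\x00" * 20
    params = b"\x11" + struct.pack("<H", dialect_index) + b"\x00" * 32
    return netbios_frame(header + params + struct.pack("<H", 0))  # ByteCount 0
```

Against a live host you would send `build_negotiate_request()` over TCP/445 and pass the reply to `classify_negotiate_response`; a host that answers `smb1-only` still accepts SMBv1 and is a hardening finding.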