enum4linux ⚙️

The Perl script enum4linux.pl is a powerful tool able to operate recon techniques for LDAP, NBT-NS and MS-RPC. It's an alternative to a similar program named enum.exe (C++) created for Windows systems. Lately, a rewrite of enum4linux in Python has surfaced, called enum4linux-ng.py. The enum4linux scripts are mainly wrappers around the Samba tools nmblookup, net, rpcclient and smbclient.

The following techniques can be operated.

• Service & port scan (for LDAP(S), SMB, NetBIOS, MS-RPC)

• NetBIOS names and workgroup (via reverse lookup)

• SMB dialects checks (SMBv1 only or SMBv1 and higher)

• RPC sessions checks (checks if the user creds supplied are valid or if null session works)

• Domain information via LDAP (find out whether host is a parent or child DC)

• Domain information via RPC (via SMB named pipe \pipe\lsarpc for MS-RPC)

• OS information via RPC (via SMB named pipe \pipe\srvsvc for MS-RPC)

• Users, groups, shares, policies, printers, services via RPC

• Users, groups and machines via RID cycling

• SMB Share names bruteforcing

All of the techniques mentioned above (except RID cycling) will be operated when running the following command.

enum4linux-ng.py -A $TARGET_IP
enum4linux $TARGET_IP -a -u '' -p ''

RID cycling can be enabled with the -R option.