enum4linux ⚙️
The Perl script enum4linux.pl is a reconnaissance tool for LDAP, NBT-NS and MS-RPC. It is an alternative to a similar program for Windows named enum.exe (written in C++). More recently, a Python rewrite called enum4linux-ng.py has appeared. Both enum4linux scripts are mainly wrappers around the Samba tools nmblookup, net, rpcclient and smbclient.
The following techniques can be operated.

- Service & port scan (LDAP(S), SMB, NetBIOS, MS-RPC)
- NetBIOS names and workgroup (via reverse lookup)
- SMB dialect checks (SMBv1 only, or SMBv1 and higher)
- RPC session checks (whether the supplied user credentials are valid, or whether a null session works)
- Domain information via LDAP (whether the host is a parent or child DC)
- Domain information via RPC (via the SMB named pipe `\pipe\lsarpc` for MS-RPC)
- OS information via RPC (via the SMB named pipe `\pipe\srvsvc` for MS-RPC)
- Users, groups, shares, policies, printers, services via RPC
- Users, groups and machines via RID cycling
- SMB share name bruteforcing
All of the techniques mentioned above (except RID cycling) are run with the following command.

```bash
enum4linux-ng.py -A $TARGET_IP
```

RID cycling can be enabled with the `-R` option.
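To make the RID cycling step concrete, the following added example (not code from the enum4linux or enum4linux-ng projects) shows the mechanics the wrapper drives through rpcclient: it builds the `lookupsids` batch for a RID range from a domain SID, then parses the `SID DOMAIN\name (type)` lines rpcclient prints into users, groups and machines, dropping unallocated RIDs. The line format and the LSA SID type numbers are assumed from Samba's rpcclient and LSA definitions; the domain SID, account names and output lines are constructed sample data. Knowing what a cycle produces is also what tells an operator what a burst of LSA lookups from one client looks like when auditing their own domain controllers.

```python
import re

# LSA SID name types as printed in parentheses by rpcclient's lookupsids
# (assumed from Samba's lsa definitions: USER=1, DOM_GRP=2, ALIAS=4, UNKNOWN=8, COMPUTER=9).
SID_TYPE_USER, SID_TYPE_DOM_GRP, SID_TYPE_ALIAS, SID_TYPE_UNKNOWN, SID_TYPE_COMPUTER = 1, 2, 4, 8, 9

# Line shape assumed from rpcclient: "S-1-5-21-x-y-z-RID DOMAIN\name (type)"
LOOKUP_LINE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+) (\S+?)\\(.+?) \((\d+)\)$")

# Constructed sample: what one lookupsids batch might print back for a small RID range.
SAMPLE_DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_OUTPUT = """\
S-1-5-21-1004336348-1177238915-682003330-500 CORP\\Administrator (1)
S-1-5-21-1004336348-1177238915-682003330-501 CORP\\Guest (1)
S-1-5-21-1004336348-1177238915-682003330-502 CORP\\krbtgt (1)
S-1-5-21-1004336348-1177238915-682003330-512 CORP\\Domain Admins (2)
S-1-5-21-1004336348-1177238915-682003330-513 CORP\\Domain Users (2)
S-1-5-21-1004336348-1177238915-682003330-1000 CORP\\WS01$ (1)
S-1-5-21-1004336348-1177238915-682003330-1001 *unknown*\\*unknown* (8)
"""


def build_lookupsids_command(domain_sid, start, end):
    """Return the rpcclient command line that resolves one inclusive RID range in a single call."""
    sids = " ".join(f"{domain_sid}-{rid}" for rid in range(start, end + 1))
    return f"lookupsids {sids}"


def parse_lookupsids_output(output):
    """Sort resolved RIDs into users, groups and machines; unknown (unallocated) RIDs are skipped."""
    result = {"users": {}, "groups": {}, "machines": {}}
    for line in output.splitlines():
        m = LOOKUP_LINE.match(line.strip())
        if not m:
            continue  # tolerate banners or other non-result lines
        _domain_sid, rid, domain, name, sid_type = m.groups()
        rid, sid_type = int(rid), int(sid_type)
        if sid_type == SID_TYPE_UNKNOWN:
            continue  # the common case when cycling: nothing is allocated at this RID
        entry = f"{domain}\\{name}"
        # Computer accounts are user objects in AD; their names end with "$". Treat those
        # (and the explicit COMPUTER type) as machines, which is the split enum4linux-ng reports.
        if sid_type == SID_TYPE_COMPUTER or (sid_type == SID_TYPE_USER and name.endswith("$")):
            result["machines"][rid] = entry
        elif sid_type == SID_TYPE_USER:
            result["users"][rid] = entry
        elif sid_type in (SID_TYPE_DOM_GRP, SID_TYPE_ALIAS):
            result["groups"][rid] = entry
    return result


if __name__ == "__main__":
    print(build_lookupsids_command(SAMPLE_DOMAIN_SID, 500, 502))
    for kind, entries in parse_lookupsids_output(SAMPLE_OUTPUT).items():
        print(f"{kind}: {entries}")
```

Because a cycle queries every RID in the range whether or not it exists, most lines come back as type 8 and are discarded; the resolved entries are what enum4linux reports under users, groups and machines.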