Enum4Linux
Details
Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com.
It is written in PERL and is basically a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup. The samba package is therefore a dependency.
-- https://www.kali.org/tools/enum4linux/
When to Use
You'll know when you've found a domain controller, because it will have several ports open that clearly distinguish it:
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
Given that enum4linux is an SMB client, you could also run it against other hosts where SMB is enabled and enumerate your access levels on hosts other than the domain controller.
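As an added example (not part of the original page or of enum4linux), this Python script parses nmap normal output and labels each host by the port pattern in the listing above, separating likely domain controllers from other SMB hosts. The classification rule, the function names and the sample scan are assumptions of this example.

```python
import re

# Ports taken from the listing above. The rule "88 and 389 plus one of
# 464/3268/3269" is this example's assumption, not an enum4linux feature.
DC_REQUIRED = {88, 389}
DC_ANY_OF = {464, 3268, 3269}
SMB_PORTS = {139, 445}
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?([0-9a-fA-F.:]+)\)?$")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+\S+")

def open_ports_by_host(nmap_text):
    """Map each host in nmap normal output to its set of open TCP ports."""
    hosts, current = {}, None
    for line in map(str.strip, nmap_text.splitlines()):
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), set())
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            current.add(int(m.group(1)))  # closed/filtered lines never match
    return hosts

def classify(ports):
    """Return 'domain-controller', 'smb-host' or 'other' for a set of ports."""
    if DC_REQUIRED <= ports and ports & DC_ANY_OF:
        return "domain-controller"
    if ports & SMB_PORTS:
        return "smb-host"
    return "other"

# Constructed sample scan output (documentation addresses, not real hosts).
SAMPLE = """\
Nmap scan report for dc01.example.test (192.0.2.10)
88/tcp   open   kerberos-sec
389/tcp  open   ldap
445/tcp  open   microsoft-ds
464/tcp  open   kpasswd5
3268/tcp open   globalcatLDAP
Nmap scan report for 192.0.2.20
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server
Nmap scan report for 192.0.2.30
389/tcp  open   ldap
"""

if __name__ == "__main__":
    for host, ports in open_ports_by_host(SAMPLE).items():
        print(f"{host:15} {classify(ports):18} {sorted(ports)}")
```

A host with LDAP alone (192.0.2.30 in the sample) is reported as "other", since a single directory port is not enough to call it a domain controller under this rule.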
Example Usage
Help Message
enum4linux -h
Dump Information from a Domain Controller
enum4linux -u username -p password -a dc-ip-address
Via Proxy Host Using Proxychains
proxychains -q enum4linux -u username -p password -a dc-ip-address