CrackMapExec – https://github.com/Porchetta-Industries/CrackMapExec
## Enumerate with crackmapexec - hostname / domain name might be leaked
crackmapexec smb 10.10.10.123
## Enumerate using crackmapexec - enumerate password policy from the domain
crackmapexec smb 10.10.10.123 --pass-pol
## Enumerate using crackmapexec - enumerate shares
crackmapexec smb 10.10.10.123 --shares
SMBClient – built into Kali
## Enumerate using smbclient - List shares using a null session
smbclient -N -L //10.10.10.123
## Use credentials to access the share and list all shares
smbclient -L //10.10.10.123 -U 'administrator%password'
SMBMap –
## Enumerate using smbmap - enumerate shares
smbmap -H 10.10.10.123
## Enumerate using smbmap - enumerate shares using a user that doesn't exist; sometimes specifying no user doesn't give you the same result
smbmap -u administrator -p password -d workgroup -H 10.10.10.123
## Connecting using an NTLM hash
smbmap -u administrator -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 10.10.10.123
## Connecting with credentials and executing a command
smbmap -u 'administrator' -p 'password' -d domain.local -H 10.10.10.123 -x 'net group "Domain Admins" /domain'
Enum4Linux –
## Do all simple enumeration (-U -S -G -P -r -o -n -i). This option is enabled if you don't provide any other options.
enum4linux -a 10.10.10.123
## Get userlist (use -d for detailed output)
enum4linux -U 10.10.10.123
## Get machinelist
enum4linux -M 10.10.10.123
## Get sharelist (use -d for detailed output)
enum4linux -S 10.10.10.123
## Get password policy
enum4linux -P 10.10.10.123
## Get group and memberlist
enum4linux -G 10.10.10.123
## Use credentials with enum4linux; to supply no credentials, use -u "" and -p ""
enum4linux -u administrator -p password 10.10.10.123