nmap

Usage of the SMB-specific NSE scripts is shown below. Also see nmap.

sudo nmap -vvv -p139,445 -sS --script=default,smb-os-discovery -sV -oA nmap/smb $IP
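The -oA prefix above also writes a grepable file (nmap/smb.gnmap). The following is an added example, not part of the original notes: a small parser for that grepable format that turns the scan into a list of hosts exposing 139/445, so the result can be checked against what should actually be reachable (grepable output carries port state and -sV version strings, but not NSE script output such as smb-os-discovery, which lives in the .nmap/.xml files). The sample scan text embedded in the script is constructed, not taken from a real scan.

```python
import re
from collections import defaultdict

# Constructed sample of nmap -oG output (fields are tab-separated).
# This is not output from a real scan; addresses and banners are made up.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -p139,445 -sS -sV -oA nmap/smb 10.0.0.0/29\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds//Windows Server 2019 microsoft-ds/\n"
    "Host: 10.0.0.6 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///\n"
    "Host: 10.0.0.7 ()\tPorts: 139/filtered/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///\tIgnored State: closed (0)\n"
    "# Nmap done at ...\n"
)

SMB_PORTS = (139, 445)


def parse_gnmap(text):
    """Parse grepable nmap output.

    Returns {ip: {port: (state, version)}} built from every 'Ports:' field.
    Each port entry has the layout port/state/proto/owner/service/rpcinfo/version/
    (nmap escapes literal '/' inside the version string, so splitting on '/' is safe).
    """
    hosts = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue  # 'Status:', 'Ignored State:' etc. carry no port data
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 7:
                    continue  # malformed entry; skip rather than guess
                port, state, proto = int(parts[0]), parts[1], parts[2]
                if proto != "tcp":
                    continue
                hosts[ip][port] = (state, parts[6])
    return dict(hosts)


def smb_exposed(hosts):
    """IPs with TCP 139 or 445 in state 'open' (filtered/closed do not count)."""
    return sorted(
        ip for ip, ports in hosts.items()
        if any(ports.get(p, ("", ""))[0] == "open" for p in SMB_PORTS)
    )


def report(hosts):
    """One summary line per exposed host, with the -sV banner where nmap got one."""
    lines = []
    for ip in smb_exposed(hosts):
        open_ports = [p for p in SMB_PORTS if hosts[ip].get(p, ("", ""))[0] == "open"]
        banner = next((hosts[ip][p][1] for p in open_ports if hosts[ip][p][1]), "no version info")
        lines.append(f"{ip}: SMB open on {','.join(map(str, open_ports))} ({banner})")
    return lines


if __name__ == "__main__":
    # With a real scan: parse_gnmap(open("nmap/smb.gnmap").read())
    for line in report(parse_gnmap(SAMPLE_GNMAP)):
        print(line)
```

Hosts that appear in this list but have no business serving SMB (workstations, appliances, anything outside the file-server segment) are the ones to firewall or disable the service on; a host where only 139 is open is worth flagging too, because NetBIOS session service is usually left on by default rather than by design.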

enum4linux

enum4linux-ng $IP # recommended; install with apt
enum4linux $IP

This makes use of the IPC$ share.

crackmapexec

Some crackmapexec commands for SMB enumeration. Try using -u '' -p '' for all of the following.

crackmapexec smb $IP
crackmapexec smb $IP --shares
crackmapexec smb $IP --shares -M spider_plus # auto enum
crackmapexec smb $IP --users
crackmapexec smb $IP --pass-pol # get password policies

smbclient

smbclient -U '' -N \\\\$IP\\sharename

nbtscan

NBT stands for NetBIOS over TCP/IP. -r sends the scan from local port 137, because Windows 95 only answers queries that originate from that port.

sudo nbtscan -r $IP