nmap
Usage of the SMB-specific NSE script smb-os-discovery is shown below (ports 139 and 445). Also see nmap.
sudo nmap -vvv -p139,445 -sS --script=default,smb-os-discovery -sV -oA nmap/smb $IP
enum4linux
enum4linux-ng $IP # recommended; install with apt
enum4linux $IP
Both make use of the IPC$ share (an anonymous/null session, where the target allows one).
crackmapexec
Some crackmapexec commands for SMB enumeration. (Try adding -u '' -p '' to each of the following to test for a null session.)
crackmapexec smb $IP
crackmapexec smb $IP --shares
crackmapexec smb $IP --shares -M spider_plus # auto enum (spiders share contents)
crackmapexec smb $IP --users
crackmapexec smb $IP --pass-pol # get password policies
smbclient
smbclient -U '' -N \\\\$IP\\sharename # empty user, no password prompt (null session)
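The null-session access used by enum4linux, crackmapexec -u '' -p '' and smbclient -U '' -N above is also what shows up on the target side. The following is an added example, not part of the original cheat sheet: it parses constructed Windows Security event 5140 records (network share object accessed; flattened here into key=value lines for the demo) and counts anonymous IPC$ accesses per source address.

```python
import re
from collections import Counter

# Constructed sample records (field names follow event 5140; values are made up).
SAMPLE_EVENTS = [
    'EventID=5140 AccountName="ANONYMOUS LOGON" AccountDomain="NT AUTHORITY" SourceAddress=10.0.0.5 ShareName="\\\\*\\IPC$" AccessMask=0x1',
    'EventID=5140 AccountName="ANONYMOUS LOGON" AccountDomain="NT AUTHORITY" SourceAddress=10.0.0.5 ShareName="\\\\*\\IPC$" AccessMask=0x1',
    'EventID=5140 AccountName="jsmith" AccountDomain="CORP" SourceAddress=10.0.0.20 ShareName="\\\\*\\Finance" AccessMask=0x1',
    'EventID=5140 AccountName="ANONYMOUS LOGON" AccountDomain="NT AUTHORITY" SourceAddress=10.0.0.7 ShareName="\\\\*\\IPC$" AccessMask=0x1',
    'EventID=4624 AccountName="jsmith" AccountDomain="CORP" SourceAddress=10.0.0.20 LogonType=3',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def is_null_session_ipc(ev):
    """True for an IPC$ share access by the anonymous (null-session) account."""
    return (ev.get("EventID") == "5140"
            and ev.get("AccountName", "").upper() == "ANONYMOUS LOGON"
            and ev.get("ShareName", "").upper().endswith("\\IPC$"))


def null_session_sources(lines):
    """Count null-session IPC$ accesses per source address."""
    hits = Counter()
    for line in lines:
        ev = parse_event(line)
        if is_null_session_ipc(ev):
            hits[ev.get("SourceAddress", "?")] += 1
    return hits


if __name__ == "__main__":
    for src, n in null_session_sources(SAMPLE_EVENTS).most_common():
        print(f"{src}: {n} anonymous IPC$ access(es)")
```

Authenticated IPC$ access is normal SMB traffic; only the anonymous account is flagged, so a host that has anonymous access disabled should produce no hits at all.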
nbtscan
NBT stands for NetBIOS over TCP/IP. The -r flag sends the queries from local port 137, since Windows 95 only answers queries coming from that port (binding a low port is why sudo is needed).
sudo nbtscan -r $IP