rpcclient (part of the Samba suite) connects to the NetBIOS session service on port 139 and issues MS-RPC calls over that SMB session, which is what the enumeration commands below rely on.
- Active Directory Enumeration: RPCClient (Hacking Articles)
Login as anonymous user
rpcclient -N -U "" $IP
Login as a specific user
rpcclient -U ${DOMAIN}/$USER $IP
[Enter password]
rpcclient -U ${DOMAIN}/$USER%${PASSWORD} $IP
Pass-the-Hash
Not tested
rpcclient -U "${DOMAIN}/${USER}%${HASH}" --pw-nt-hash $IP   # --pw-nt-hash takes no argument: it tells rpcclient to treat the supplied password as an NT hash
Commands
rpcclient -N -U "" -c "enumdomusers" $IP
rpcclient -N -U "" -c "enumdomgroups" $IP
rpcclient -N -U "" -c "querygroup 0x200" $IP   # Change group RID (0x200 = 512 = Domain Admins)
rpcclient -N -U "" -c "queryuser myprecious" $IP   # Change username
rpcclient -N -U "" -c "enumprivs" $IP
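The `enumdomusers` and `enumdomgroups` commands above print one `user:[name] rid:[0x…]` or `group:[name] rid:[0x…]` line per principal, and print `result was NT_STATUS_ACCESS_DENIED` when the server refuses the null session. The parser below is an added example, not part of the original cheat sheet or of Samba, for turning that output into structured records so an audit can tell "anonymous enumeration is blocked" apart from "nothing was returned". The sample output strings are constructed for the example; the well-known RID table is standard Active Directory.

```python
import re
from dataclasses import dataclass

# Standard well-known domain-relative RIDs worth flagging in an audit report.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# One rpcclient output line, e.g.  user:[Administrator] rid:[0x1f4]
LINE_RE = re.compile(
    r"^(?P<kind>user|group):\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]\s*$"
)


@dataclass(frozen=True)
class Principal:
    kind: str   # "user" or "group"
    name: str
    rid: int    # decimal RID, converted from the hex rpcclient prints

    @property
    def well_known(self):
        """Name of the well-known RID, or None for an ordinary account."""
        return WELL_KNOWN_RIDS.get(self.rid)


def parse_enum_output(text):
    """Parse enumdomusers/enumdomgroups output into Principal records.

    Raises PermissionError on an NT_STATUS_* failure line so the caller
    can distinguish a refused null session from an empty result.
    """
    principals = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "NT_STATUS_" in line:
            raise PermissionError(line)
        m = LINE_RE.match(line)
        if m is None:
            continue  # prompt echoes, banners and other non-record lines
        principals.append(
            Principal(m.group("kind"), m.group("name"), int(m.group("rid"), 16))
        )
    return principals


def audit(text):
    """Summarise what an unauthenticated session could learn from `text`.

    Returns a dict with whether enumeration succeeded, the parsed
    principals, and the (name, rid) pairs that map to well-known RIDs.
    """
    try:
        found = parse_enum_output(text)
    except PermissionError as exc:
        return {"anonymous_enum_allowed": False, "error": str(exc),
                "principals": [], "flagged": []}
    flagged = [(p.name, p.rid) for p in found if p.well_known]
    return {"anonymous_enum_allowed": bool(found), "error": None,
            "principals": found, "flagged": flagged}


# Constructed sample output (not captured from a real host).
SAMPLE_USERS = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[myprecious] rid:[0x451]
"""
SAMPLE_GROUPS = """\
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
"""
SAMPLE_DENIED = "result was NT_STATUS_ACCESS_DENIED\n"

if __name__ == "__main__":
    for label, sample in (("users+groups", SAMPLE_USERS + SAMPLE_GROUPS),
                          ("denied", SAMPLE_DENIED)):
        print(label, audit(sample))
```

In practice the text would come from `rpcclient -N -U "" -c "enumdomusers" $IP` captured via `subprocess.run`; a host where `audit()` reports `anonymous_enum_allowed` as `True` is one where null-session RPC enumeration is still exposed and should be restricted.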
Create a user
These are typed at the interactive rpcclient prompt of a session authenticated as an account allowed to create users:
createdomuser myprecious
setuserinfo2 myprecious 24 Pr3cious@1   # info level 24 sets the account password
enumdomusers   # confirm the new account is listed