After probing a few of my PC's with Nmap I've found 1 particular PC with all the netbios ports completely open. So i do the usual test by creating a null user session, that was successful. Now I want to enumerate the users off this PC to attempt a Logon as any of the Administrator accounts. This is where im stuck completely. The PC is a XP SP2 fully patched system (I cheated and checked this myself) and everytime I try to get the users off here I get some sort of Acess Denied depending on the tool I've tried. I started up metasploit to see if I couldn't run any smb exploits on this system and I come up empty handed no matter what exploit I try. Metasploit feels pretty script kiddie to me but I'm not to the point where im able to write my own exploits. I went looking through the forums/google to find any sort of answers to how I could use these open ports and the null session. Is there anyway through netbios? Can I use these ports for anything else? I've thought of bruteforcing the netbios login but I can't seem to find the Admin account. It isn't connected to a server to sniff the credentials across the wire. How was enumeration and Access accomplished prior to Metasploit? Nessus was ran and gave me very little information besides what I already knew. I can pull the PC name out from netbios but thats about it.