Dancing
Port recognition with nmap
Or you can use recon, which runs nmap and then enumerates SMB:
┌──(root@ghost)-[/home/ghost]
└─# recon dancing.htb
[R3C0N] by 0bfxgh0st 4 WWA with ❤
Captain Captain, I see an island :) WeaponShotgun
[OS] Windows (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-19 12:14 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:14
Completed NSE at 12:14, 0.00s elapsed
Initiating Ping Scan at 12:14
Scanning dancing.htb (10.129.80.113) [4 ports]
Completed Ping Scan at 12:14, 0.07s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 12:14
Scanning dancing.htb (10.129.80.113) [65535 ports]
Discovered open port 135/tcp on 10.129.80.113
Discovered open port 139/tcp on 10.129.80.113
Discovered open port 445/tcp on 10.129.80.113
Discovered open port 49667/tcp on 10.129.80.113
Discovered open port 49668/tcp on 10.129.80.113
Discovered open port 49665/tcp on 10.129.80.113
Discovered open port 5985/tcp on 10.129.80.113
Discovered open port 47001/tcp on 10.129.80.113
Discovered open port 49664/tcp on 10.129.80.113
Discovered open port 49666/tcp on 10.129.80.113
Discovered open port 49669/tcp on 10.129.80.113
Completed SYN Stealth Scan at 12:15, 17.60s elapsed (65535 total ports)
NSE: Script scanning 10.129.80.113.
Initiating NSE at 12:15
Completed NSE at 12:15, 0.00s elapsed
Nmap scan report for dancing.htb (10.129.80.113)
Host is up (0.075s latency).
Not shown: 65447 closed tcp ports (reset), 77 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
NSE: Script Post-scanning.
Initiating NSE at 12:15
Completed NSE at 12:15, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 17.84 seconds
Raw packets sent: 87171 (3.836MB) | Rcvd: 77388 (3.096MB)
[+] [smb]
SMB dancing.htb 445 DANCING [*] Windows 10.0 Build 17763 x64 (name:DANCING) (domain:Dancing) (signing:False) (SMBv1:False)
[+] IP: dancing.htb:445 Name: unknown
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
WorkShares Disk
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[~] [smb knocker]
[ADMIN$]
tree connect failed: NT_STATUS_ACCESS_DENIED
[C$]
tree connect failed: NT_STATUS_ACCESS_DENIED
[IPC$]
Current directory is \\dancing.htb\IPC$\
NT_STATUS_INVALID_INFO_CLASS listing \*
[WorkShares]
Current directory is \\dancing.htb\WorkShares\
. D 0 Mon Mar 29 04:22:01 2021
.. D 0 Mon Mar 29 04:22:01 2021
Amy.J D 0 Mon Mar 29 05:08:24 2021
James.P D 0 Thu Jun 3 04:38:03 2021
5114111 blocks of size 4096. 1748671 blocks available
recon reports eleven open ports and also dumps some useful SMB information: signing is not required, and the WorkShares share can be listed without credentials (a null session), while ADMIN$ and C$ deny the anonymous tree connect. That share is the next target.
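As an added example (not code from the original writeup or from the recon tool), here is a small Python parser that turns the SMB section of the recon output into a findings list, so the disabled signing and the null-session-readable share are flagged automatically when triaging many hosts. The sample text is the page's own output trimmed to the lines the parser reads.

```python
import re

# Constructed sample: the SMB part of the recon output above, trimmed to the lines used here.
SAMPLE = r"""SMB dancing.htb 445 DANCING [*] Windows 10.0 Build 17763 x64 (name:DANCING) (domain:Dancing) (signing:False) (SMBv1:False)
[~] [smb knocker]
[ADMIN$]
tree connect failed: NT_STATUS_ACCESS_DENIED
[IPC$]
Current directory is \\dancing.htb\IPC$\
NT_STATUS_INVALID_INFO_CLASS listing \*
[WorkShares]
Current directory is \\dancing.htb\WorkShares\
.                                   D        0  Mon Mar 29 04:22:01 2021
Amy.J                               D        0  Mon Mar 29 05:08:24 2021
James.P                             D        0  Thu Jun  3 04:38:03 2021
"""
FLAG_RE = re.compile(r"\((signing|SMBv1):(True|False)\)")
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")             # "[WorkShares]"
ENTRY_RE = re.compile(r"^(\S.*?)\s+[DAHSR]+\s+\d+\s")  # smbclient-style dir line

def parse_smb_recon(text):
    r = {"signing": None, "smbv1": None, "shares": {}, "entries": {}, "findings": []}
    share, knocker = None, False
    for line in text.splitlines():
        if line.startswith("SMB ") and "[*]" in line:       # host banner line
            flags = dict(FLAG_RE.findall(line))
            r["signing"], r["smbv1"] = flags.get("signing") == "True", flags.get("SMBv1") == "True"
        elif line.startswith("[~] [smb knocker]"):          # null-session results follow
            knocker = True
        elif knocker and SECTION_RE.match(line):            # a new share block
            share = SECTION_RE.match(line).group(1)
            r["shares"][share], r["entries"][share] = "unknown", []
        elif share and line.startswith("tree connect failed"):
            r["shares"][share] = "denied"
        elif share and line.startswith("Current directory is"):
            r["shares"][share] = "connected"                  # anonymous tree connect worked
        elif share and r["shares"][share] != "denied":
            e = ENTRY_RE.match(line)
            if e and e.group(1) not in (".", ".."):          # a real directory entry was listed
                r["shares"][share] = "listable"
                r["entries"][share].append(e.group(1))
    if r["signing"] is False:
        r["findings"].append("SMB signing not required: sessions can be relayed or tampered with")
    for name, state in r["shares"].items():
        if state == "listable":
            r["findings"].append(f"{name}: readable over a null session ({', '.join(r['entries'][name])})")
        elif state == "connected":
            r["findings"].append(f"{name}: null-session tree connect accepted")
    return r
```

Run it over the saved recon output of each host and the findings list gives you the shares to lock down (restrict anonymous access) and the hosts where signing should be enforced.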
┌──(root@ghost)-[/home/ghost]
└─# smbclient -N \\\\dancing.htb\\WorkShares
Try "help" to get a list of possible commands.
smb: \> cd Amy.J
smb: \Amy.J\> dir
. D 0 Mon Mar 29 05:08:24 2021
.. D 0 Mon Mar 29 05:08:24 2021
worknotes.txt A 94 Fri Mar 26 07:00:37 2021
5114111 blocks of size 4096. 1748644 blocks available
smb: \Amy.J\> get worknotes.txt
getting file \Amy.J\worknotes.txt of size 94 as worknotes.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \Amy.J\> cd ../
smb: \> cd James.P
smb: \James.P\> dir
. D 0 Thu Jun 3 04:38:03 2021
.. D 0 Thu Jun 3 04:38:03 2021
flag.txt A 32 Mon Mar 29 05:26:57 2021
5114111 blocks of size 4096. 1747926 blocks available
smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0.1 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \James.P\> exit
┌──(root@ghost)-[/home/ghost]
└─# cat flag.txt
5f61c10dffbc77a704d76016a22f1664