Run responder.
Run mitm (can affect the network, so don't run it for more than 10 mins and make sure u give it a domain with -d).
Run enum4linux on the domain controllers to see if there is a null session.
Run your vuln scan.
Run port scan.
Run ntlmrelayx.
If you manage to get a list of users from enum4linux, try the username as the password with the smb_login metasploit module.
Try a weak password every now and then, but don't go over the password policy.
If you get user creds:
Try bloodhound to give u a better idea.
Try cpassword.
Try kerberoasting.
If you manage to get local admin creds:
Dump the sam hashes and LSA secrets with crackmapexec.
Try cracking these or passing the hash to see where else you have admin rights (use --local-auth on crackmapexec).
Check bloodhound to see who is a local admin on the domain controllers. These are valuable targets.
Bloodhound and pingcastle
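
The point about staying under the password policy matters for detection too: guesses spread across many accounts never trip a per-account lockout counter, so the signal is one source failing against many distinct accounts. An added example, not part of the original notes, that flags such sources from failed-logon records (Windows event 4625); the sample events, thresholds and function name are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records (event 4625): (timestamp, source IP, account).
SAMPLE_4625 = [
    ("2024-05-01T09:00:00", "10.0.5.23", "alice"),
    ("2024-05-01T09:02:00", "10.0.5.23", "bob"),
    ("2024-05-01T09:04:00", "10.0.5.23", "carol"),
    ("2024-05-01T09:06:00", "10.0.5.23", "dave"),
    ("2024-05-01T09:08:00", "10.0.5.23", "erin"),
    ("2024-05-01T09:10:00", "10.0.5.23", "frank"),
    # One user mistyping a password: many failures, one account (lockout handles it).
    ("2024-05-01T09:01:00", "10.0.9.8", "bob"),
    ("2024-05-01T09:01:20", "10.0.9.8", "bob"),
    ("2024-05-01T09:01:40", "10.0.9.8", "bob"),
    ("2024-05-01T09:02:00", "10.0.9.8", "bob"),
    # Shared workstation: two different users fail once each.
    ("2024-05-01T09:03:00", "10.0.7.7", "gina"),
    ("2024-05-01T09:20:00", "10.0.7.7", "henry"),
]


def find_spray_sources(events, window=timedelta(minutes=30), min_accounts=5):
    """Return {source: sorted accounts} for sources whose failures hit at
    least `min_accounts` distinct accounts inside any sliding `window`."""
    by_source = defaultdict(list)
    for ts, src, user in events:
        by_source[src].append((datetime.fromisoformat(ts), user.lower()))

    flagged = {}
    for src, rows in by_source.items():
        rows.sort()
        start, best = 0, set()
        for end in range(len(rows)):
            # Shrink the window from the left until it spans <= `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            accounts = {user for _, user in rows[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            flagged[src] = sorted(best)
    return flagged


if __name__ == "__main__":
    for src, accounts in find_spray_sources(SAMPLE_4625).items():
        print(f"{src}: failed logons against {len(accounts)} accounts: {accounts}")
```

Tune `window` and `min_accounts` against the domain's lockout observation window, since guesses paced slower than the window will not be grouped together.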