External Network:

Weak Domain Passwords

Password Spraying

Cred Spraying from Amazon Lambda - CredKing
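Added example, not part of these notes: a detection-side check for the spraying listed above. A per-source-IP lockout counter misses sprays run through rotating cloud functions such as the Lambda approach noted, so this counts distinct accounts failing within a time window across all sources. The CSV layout and the sample log lines are constructed here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resembling a CSV export of failed-logon events
# (timestamp, target account, source IP): six accounts, six source IPs.
SAMPLE_LOG = """\
2024-01-10T09:00:01,alice,203.0.113.10
2024-01-10T09:00:04,bob,203.0.113.11
2024-01-10T09:00:07,carol,203.0.113.12
2024-01-10T09:00:09,dave,203.0.113.13
2024-01-10T09:00:12,erin,203.0.113.14
2024-01-10T09:00:15,frank,203.0.113.15
2024-01-10T11:30:00,alice,198.51.100.7
"""

def parse_failures(text):
    """Return [(timestamp, account, source_ip)] from CSV lines, skipping blanks."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, account, src = line.split(",")
            events.append((datetime.fromisoformat(ts), account.lower(), src))
    return events

def per_source_alerts(events, threshold):
    """Classic per-IP rule: fires only when one source reaches threshold.
    Against a source-rotating spray every IP stays under the limit."""
    counts = defaultdict(int)
    for _, _, src in events:
        counts[src] += 1
    return sorted(src for src, n in counts.items() if n >= threshold)

def spray_alerts(events, window_minutes, min_accounts):
    """Sliding window over time-sorted failures, ignoring source IP.
    Emits (window_start, accounts) once per burst, when the number of
    distinct accounts with a failure first reaches min_accounts."""
    events = sorted(events)
    window = timedelta(minutes=window_minutes)
    alerts, start, prev = [], 0, 0
    for end, (ts, _, _) in enumerate(events):
        while ts - events[start][0] > window:
            start += 1
        accounts = {acct for _, acct, _ in events[start:end + 1]}
        if len(accounts) >= min_accounts > prev:
            alerts.append((events[start][0], sorted(accounts)))
        prev = len(accounts)
    return alerts

if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    print("per-IP rule:", per_source_alerts(evts, 3))  # []
    print("spray rule:", spray_alerts(evts, 10, 5))    # one alert, 5 accounts
```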

Find Usernames With:

OWA/Lync/etc. verbose error messages or timing attacks.

Metasploit module for timing attack.

myBFF

Metadata from docs on public website (FOCA & Google Dorks).

File Properties --> Details

Weak Egress Filtering

SMB Hashes - Metasploit module for this

Aaron Herndon has

Lack of MFA

SensePost Ruler to hit Outlook if everything is MFA'd.

Maybe OTP gets sent to e-mail

Look at CredSniper to bypass MFA and generate app password

Exposed Web Administrator Panels

Use ProcDump to find LSASS passwords offline

Group.xml file in group policy -> Metasploit module for this

Pull passwords from volume shadow copy (remotely?)

Secretsdump.py

Older versions of Windows - use ProcDump or Process Explorer to dump memory from LSASS and execute. Analyze with Mimikatz.

Windows 10 Kiosks - you can join a wireless network without privileges and use Responder to potentially pick up hashes.

Use ADExplorer to fish through Active Directory. It can also capture a snapshot for offline viewing.

A bunch of schema fields in Active Directory have byte-encoded ASCII passwords, e.g., UserPassword, UnixUserPassword, UnicodePwd, msSFU30Password. These may or may not be the same as the workstation password.

Use SSHFS to mount SFTP as a filesystem so you can use find, grep, etc.