4. If you get a user list, try AS-REP roasting with GetNPUsers.
5. If port 88 is open, obtain SPN account tickets with GetUserSPNs and crack them.
6. If an account is allowed to delegate control to the domain (AllowedToDelegate), request service tickets with impersonate (admin) and psexec.
7. whoami /groups, net user /domain, net localgroup /domain for user and group info.
8. Set up BloodHound on Linux with a neo4j database (apt install neo4j, neo4j console).
9. If WriteDacl is enabled for an account, perform a DCSync attack with PowerView or mimikatz lsadump::dcsync.
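
The traces that items 4, 5 and 9 leave in a domain controller's Security log, as an added detection example that is not part of the original checklist. The field names follow Windows events 4768, 4769 and 4662; the sample events, account names and the classify/scan helpers are constructed for illustration.

```python
# Constructed sample events: field names follow the Windows Security log
# (4768 = TGT request, 4769 = service ticket request, 4662 = directory object access).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc_backup", "PreAuthType": "0",
     "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TargetUserName": "bob@EXAMPLE.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "bob@EXAMPLE.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12"},
    {"EventID": 4662, "SubjectUserName": "bob",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC01$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]

REPLICATION_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
)
RC4_HMAC = 0x17  # legacy etype; offline cracking usually targets RC4 tickets


def classify(ev):
    """Return (label, account) for a suspicious event, else None."""
    eid = ev.get("EventID")
    etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
    # Item 4: a TGT issued with no pre-authentication (PreAuthType 0).
    if eid == 4768 and ev.get("PreAuthType") == "0":
        return ("asrep-roast-candidate", ev["TargetUserName"])
    # Item 5: RC4 service ticket for a user-backed SPN (not a machine or krbtgt).
    if eid == 4769 and etype == RC4_HMAC:
        svc = ev.get("ServiceName", "")
        if not svc.endswith("$") and svc.lower() != "krbtgt":
            return ("kerberoast-candidate", svc)
    # Item 9: replication rights exercised by a non-machine account.
    if eid == 4662 and not ev.get("SubjectUserName", "").endswith("$"):
        props = ev.get("Properties", "").lower()
        if any(guid in props for guid in REPLICATION_GUIDS):
            return ("dcsync-candidate", ev["SubjectUserName"])
    return None


def scan(events):
    return [hit for hit in map(classify, events) if hit]


if __name__ == "__main__":
    for label, account in scan(SAMPLE_EVENTS):
        print(f"{label}: {account}")
```

Accounts that replicate legitimately without being domain controllers, such as a directory sync service account, need an allowlist before the 4662 rule is usable for alerting.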