- Run Responder and mitm6 (beginning of the day or after lunch) and generate traffic for it using nmap or vuln scans or whatever scans
- if scans are too long, look at websites in scope. Enum them with msfconsole (http_version) and use it to sweep different networks (subnets) to find alive hosts.
- passback and default credentials!
^good steps until you find a lateral movement