2. Try MS17-010 (Windows 7), ms0708 (Windows Server), ms0796 (Windows 10), etc.
3. Intranet sniffing, DNS spoofing, intranet phishing, etc. can also be used.
Domain environment
1. Identify the administrators in the domain, obtain domain administrator privileges, and escalate privileges.
2. Move through the intranet: crack hashes in batches and try to log in with the results.
3. Sometimes the target sits behind an internal network or a firewall; to reach it over 3389 (RDP) or SSH, you must set up port forwarding.
4. To keep probing other resources in the intranet when a firewall is in the way, try adding a tunnel proxy or building a tunnel at the network layer or the application layer.