The PwnPulse helps a ton in scanning wired and wireless networks…and even Bluetooth! I’ve covered the Pulse in past episodes – check out part 1 and part 2.

Network Detective will do a ton of helpful Active Directory enumeration and point out potential red flags, such as:

Accounts that haven’t been logged into for a long time

Accounts with passwords that haven’t been refreshed in a long time

Privileged groups that need review (Domain Admins, Enterprise Admins, etc.)

AD policy issues (*warning: by default Network Detective only pulls back a few policies by default. Check out scripts such as my Environment Check to grab a dump of all GPOs.

Thycotic Privileged Account Discovery is a free tool that can crawl AD workstations and enumerate the local administrator accounts on each machine. It makes a good case for implementing LAPS.