Start off with Responder and mitm6 at times when users are connecting to network drives
Scan the network and gather information
Brute-force domain usernames with Kerbrute, then password spray
Find internal websites in scope. They might have default credentials
Be creative