Tuesday, June 10, 2008

Big boy hacking, or The anatomy of the vulnerabilities on a network from a layer 2 and beyond perspective.

Layer 2 is really the sweet spot; I know on any network, when I get there, I have them. Okay, so what's vulnerable on a network you have layer 2 access to? EVERYTHING. Switches, routers, firewalls, "security appliances", client computers, servers, hell, printers; some printers have fucking Active Directory users! I can't tell you how many times I have gone into a place and told the sysadmin that the switches still had a default password on them and he said, "Those switches have an interface?"
Ignorance is how you win the war. The sysadmin's ignorance vs. your knowledge.
There are times to be a pirate and times to be a ninja; this is a ninja time. Stealth, use it. OK, so you want a layout of the network, so... hey, fuckin' stop it, I saw you fucking grabbing that Angry IP Scanner, no, put that down. IP scans will set off a well-configured IDS or IPS. So let's be a little more subtle: let's do an ARP scan, and only five machines at a time. Something like Cain will try to give you the name of the company that the MAC address belongs to, so you can try to separate the computers from switches and printers and the like. Now, if you have done your research on this place, you need to ask yourself how many computers they should have, and compare this to your scan. If your scan is way low, they may spread themselves over multiple subnets and/or VLANs. Always have a default password list with you. Your easiest targets on the network are the traffic itself and the devices admins don't think about, i.e. switches and printers. So if you can make yourself a trunk port on a switch, you don't even have to ARP poison the damn thing to get all those sweet nuggety passwords. If you just want to do a denial of service, you can just put the switch in a loop. There are a host of switch attacks; check out VLAN hopping. Printers have buffer overflows just like anything else.
So this tutorial supposes you have layer 2 access. Well, if you have physical access to one of the machines, you could use any number of USB tricks to steal network credentials. But if you don't, it's going to be hard, because Active Directory uses Kerberos 5 to protect its passwords; your best bet is to look for an NT4 machine that just uses LANMAN. EVERY NETWORK has an NT4 machine; it's just in the closet and nobody remembers it until some archaic piece of accounting software breaks. So if you can, just poison that guy and the computers it seems to be talking to (probably accounting machines or a server). Also, just observe as much of the infrastructure as you can; it will teach a lot. Well, there is a lot more, like what to do with routers / servers / "security devices", but really this is more about taking 'em down low where they don't see.
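The flip side of the two ARP tricks above, as an added example that is not part of the original post: a five-at-a-time ARP scan slips under a per-second alert threshold but still piles up distinct targets over a longer window, and ARP poisoning shows up as one IP answered for by more than one MAC. The ARP log, MAC addresses and IPs below are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpEvent:
    ts: float       # seconds since capture start
    src_mac: str
    src_ip: str
    target_ip: str
    op: str         # "request" or "reply"

def detect_slow_arp_scan(events, min_targets=10, window_s=600):
    """Flag a MAC that ARP-requests >= min_targets distinct IPs inside any window_s window."""
    by_src = defaultdict(list)
    for e in events:
        if e.op == "request":
            by_src[e.src_mac].append(e)
    flagged = {}
    for mac, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        lo = 0
        for hi in range(len(evs)):
            while evs[hi].ts - evs[lo].ts > window_s:   # slide the window start forward
                lo += 1
            seen = {e.target_ip for e in evs[lo:hi + 1]}
            if len(seen) >= min_targets:
                flagged[mac] = max(flagged.get(mac, 0), len(seen))
    return flagged

def detect_ip_mac_conflicts(events):
    """IPs claimed by more than one MAC in ARP replies: the signature of poisoning."""
    claims = defaultdict(set)
    for e in events:
        if e.op == "reply":
            claims[e.src_ip].add(e.src_mac)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}

def build_sample():
    """Constructed ARP log: a slow scanner, a normal host, and a spoofed gateway reply."""
    ev = []
    for batch in range(5):                      # 5 targets per minute for 5 minutes
        for i in range(5):
            n = batch * 5 + i + 1
            ev.append(ArpEvent(batch * 60.0 + i, "aa:aa:aa:aa:aa:01", "192.168.1.50",
                               f"192.168.1.{n}", "request"))
    ev.append(ArpEvent(10.0, "bb:bb:bb:bb:bb:02", "192.168.1.51", "192.168.1.1", "request"))
    ev.append(ArpEvent(10.1, "cc:cc:cc:cc:cc:03", "192.168.1.1", "192.168.1.51", "reply"))
    ev.append(ArpEvent(12.0, "aa:aa:aa:aa:aa:01", "192.168.1.1", "192.168.1.51", "reply"))
    return ev
```

With a 30-second window the same scanner never exceeds five distinct targets and goes unflagged, which is exactly why the window has to be long.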
And I bet you thought I was going to talk about the new iphone today.