Post  Honorable Mention: Null Sessions
Null sessions are old school. they used to be useful for pretty much every host in a domain. Unfortunately, I very rarely run into an environment where all workstations let you connect anonymously AND get data.
Where they can come in useful is
- Against mis-configured servers
- Against domain controllers to pull info
Low? actually a medium...
More than once I've had a PT where a master_browser was exposed to the Internet. We were able to connect to the server using rpcclient and enumerate users. After that we had a full list of the users in the domain to conduct external brute forcing attacks with.
If you like pretty pictures, it kinda looks like this, there are command line utilities as well...
Cain uses null sessions by default to try to pull information. On modern systems this will fail.
But domain controllers/master_browsers do allow this, so if you find yourself in the position to be able to speak with one you can a list of users for the domain
You can then take that list of users and do brute force attacks against various services. I rarely don't find at least one username/username in an environment.