I'm currently analysing a compromised network(root access has been gained to a workstation and logs show that it has been used for port scanning and service brute forcing attacks on the remaining stations within the subnet) and am wondering what is the most effective attack that can be launched at this point?
Packet sniffing allows for easy credential retrieval in the case of plain text protocols but is otherwise less effective against their encrypted counterparts.
Brute forcing is ineffective given that a secure credential policy is employed.
At this point I'm thinking that the attack with the highest impact would consist in credential retrieval through the use of arp poisoning on services such as SSH. I've found a suite of tools that would allow for an attacker to retrieve the user name and password values for SSH v1
The tools presented there are, however, archaic and require numerous tweaks in order to compile on most modern distros.
Is there an equivalent for SSH v2? What are the most suitable means of prevention/detection?