Take it like a gift
EyeWitness
Take screenshots of websites, provide server header info and identify default credentials.
Burp NTLM Challenge Decoder
Burp extension to decode NTLM SSP headers and extract domain/host information.
hakfindinternaldomains
Feed it a list of subdomains, it will resolve them and tell you which ones are internal.