We recently had a red team where we had a lot of RDP endpoints, but not many other endpoints. We had some time pressure, so we looked to see if nmap had a script (we didn’t see one) and wrote a python script that grabbed the cert names. This is a good way to guess at internal hostnames.
More here: http://webstersprodigy.net/2015/04/01/rdp-cert-scan-with-nmap/
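The same check is useful from the other side of the table: an inventory of which hostnames your own RDP listeners disclose in their certificates. The script below is an added example written for this page, not the author's script or the linked one. It follows MS-RDPBCGR: an X.224 Connection Request carrying an RDP_NEG_REQ that asks for TLS, the server's Connection Confirm with RDP_NEG_RSP, then a TLS handshake on the same socket. Because RDP certificates are usually self-signed, `getpeercert()` returns no parsed fields, so the subject CN is read out of the DER bytes with a small walker. The target names, the cookie string and the sample certificate are constructed values, not anything from the original post.

```python
"""Audit the hostname an RDP listener discloses in its TLS certificate (added example)."""
import socket
import ssl
import struct

PROTOCOL_SSL = 0x00000001                     # RDP_NEG_REQ requestedProtocols: TLS
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03


def build_x224_connection_request(cookie=b"mstshash=audit"):
    """TPKT + X.224 CR-TPDU + RDP_NEG_REQ asking the server for TLS (cookie is a constructed value)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, PROTOCOL_SSL)     # type, flags, length, protocols
    body = struct.pack("<BHHB", 0xE0, 0, 0, 0) + cookie + b"\r\n" + neg_req  # CR, dst-ref, src-ref, class
    x224 = bytes([len(body)]) + body                                 # LI covers everything after it
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224            # TPKT: version 3, reserved, length


def parse_x224_connection_confirm(data):
    """Return selectedProtocol from the server's RDP_NEG_RSP, or raise ValueError with the reason."""
    if len(data) < 4 or data[0] != 3 or len(data) < struct.unpack(">H", data[2:4])[0]:
        raise ValueError("not a complete TPKT")
    if len(data) < 11 or data[5] != 0xD0:          # 4 TPKT bytes, LI, then the CC code
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) < 19:                              # 6-byte CC header, then the 8-byte negotiation block
        raise ValueError("no RDP negotiation response: server speaks legacy RDP security only")
    ntype, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if ntype == TYPE_RDP_NEG_FAILURE:
        raise ValueError(f"RDP_NEG_FAILURE failureCode={value}")
    if ntype != TYPE_RDP_NEG_RSP:
        raise ValueError(f"unexpected negotiation type {ntype:#x}")
    return value


def _tlv(buf, pos=0):
    """Decode one DER TLV (single-byte tags, which is all X.509 uses); return tag, value, next offset."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """All TLVs directly inside a constructed DER value, as (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = _tlv(buf, pos)
        out.append((tag, value))
    return out


def certificate_common_name(der_cert):
    """Subject CN of a DER X.509 certificate, or None. Walks Certificate -> tbsCertificate -> subject."""
    fields = _children(_tlv(_tlv(der_cert)[1])[1])
    if fields and fields[0][0] == 0xA0:            # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    _, subject = fields[4]                          # serial, signature, issuer, validity, subject
    for _, rdn in _children(subject):               # SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in _children(rdn):
            (_, oid), (vtag, value) = _children(atv)
            if oid == b"\x55\x04\x03":              # id-at-commonName
                return value.decode("utf-16-be" if vtag == 0x1E else "utf-8", "replace")
    return None


def rdp_certificate_common_name(host, port=3389, timeout=5.0):
    """Connect, negotiate TLS over RDP, and return the CN the server's certificate carries."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # inventory only: read the cert, do not trust it
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_x224_connection_request())
        selected = parse_x224_connection_confirm(sock.recv(1024))
        if selected != PROTOCOL_SSL:
            raise ValueError(f"server selected protocol {selected:#x}, not TLS")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return certificate_common_name(tls.getpeercert(binary_form=True))


def der(tag, value):
    """Minimal DER TLV encoder, used only to build the constructed sample certificate below."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


# Constructed sample (hypothetical host name, empty key and signature), not a real certificate:
# the field order matches a v3 TBSCertificate so certificate_common_name() can walk it offline.
SAMPLE_CN = "RDS01.corp.example.local"
_name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, SAMPLE_CN.encode()))))
_validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
_tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
          + _name + _validity + _name + der(0x30, b""))
SAMPLE_CERT = der(0x30, _tbs + der(0x30, b"") + der(0x03, b"\x00"))

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:                     # hosts or IPs you administer
        try:
            print(target, rdp_certificate_common_name(target))
        except (OSError, ValueError) as exc:
            print(target, "error:", exc)
```

Run it with the hosts you administer as arguments; a result that differs from the name you expect, or an "RDP_NEG_FAILURE" / "legacy RDP security only" error, is the finding. Hosts hardened to CredSSP (NLA) only will answer the TLS-only request with RDP_NEG_FAILURE rather than a certificate, which the parser reports instead of hanging on the handshake.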