diff --git a/05_post_exploitation.md b/05_post_exploitation.md index fd31ad0..1bc44c0 100644 --- a/05_post_exploitation.md +++ b/05_post_exploitation.md @@ -184,3 +184,25 @@ 2. attacker relays authentication request messages to real server -> acts as authenticating client 3. attacker receives authentication and returns error message to client + +### Obtaining hashes + +* Linux: `/etc/passwd` & `/etc/shadow` +* Windows + * Metasploit `hashdump` + * minikatz + * domain controller: Volume Shadow Copy Service (VSS) to create copy of OS + partition including password db + * requires shell access to target with system or admin + * sniff authentication challenge/responses + +## Pivoting + +* methods + * SSH port forwarding + * can also act as SOCKS proxy + * meterpreter + * use `route` command to route packets through open connections + * netcat + * TCP tunnel + * ... diff --git a/metadata.yml b/metadata.yml index 06d697a..2b8dd7b 100644 --- a/metadata.yml +++ b/metadata.yml @@ -1,7 +1,8 @@ --- title: Network Security Summary geometry: -- top=30mm -- left=30mm -- right=30mm +- top=15mm +- left=15mm +- right=15mm +- bottom=15mm ---
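Review bot: In the Windows list added under `### Obtaining hashes` in 05_post_exploitation.md, `* minikatz` misspells the tool name and should read `* mimikatz`. The Linux bullet lists `/etc/passwd` & `/etc/shadow` without saying which one holds the hashes; on current systems they are in `/etc/shadow`, which only root can read, so it is worth stating the privilege requirement there as the Windows side does with "system or admin". The trailing `* ...` at the end of the `## Pivoting` list is a placeholder and should be filled in or dropped before merging.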
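Review bot: The `geometry` change in metadata.yml (margins from 30mm to 15mm plus a new `bottom=15mm`) is a layout change unrelated to the post-exploitation notes in the same patch, so it belongs in its own commit with a message that explains why the margins were halved. Since all four sides now carry the same value, the four entries can be collapsed into a single `- margin=15mm`, which the LaTeX geometry package accepts.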