Network Reconnaissance

Host discovery

ICMP

nmap -sn <subnet>

ARP

arp-scan -I <interface> --localnet --ignoredups

Port scanning

TCP SYN

nmap -p- -sSCV -n -Pn --min-rate 10000 -v <target_ip>

UDP

nmap --top-ports 1000 -sU -n -Pn --min-rate 10000 <target_ip>

Nmap scripts

nmap -p $PORTS --script <script> <target_ip>

You can list all available Nmap scripts using the following commands:

# List nmap nse scripts
ls /usr/share/nmap/scripts | grep <service>
# Get info about a script
nmap --script-help <script>