Security Consulting

Scanning

TCP/UDP

Nmap

Who does not know nmap? Use it as follows to scan only the common ports:
    nmap -sS -F -P0 "IP"
    nmap -v -sS -p1-65535 -P0 -O "ip"
  The second one scans all 65535 ports and runs OS detection, so be prepared for it to take a while.
  • netcat for UDP scans is nice:
      nc -v -v -w 4 -z -u "ip" 1-1024
  • hping can be used to send arbitrary packets to a host:
      hping "ip" -S -A -p 139 -c 1
    sends a single packet with the SYN and ACK bits set. This is useful to see whether a firewall lets certain packets through.
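The two probes above (nmap's half-open -sS sweep and hping's SYN+ACK packet) have a defender-side counterpart. The Python below is an added example, not part of the original page or of either tool: it runs simple stateful detection over constructed packet records, flagging inbound ACK-bearing packets that match no SYN the protected host sent, and a single source sending bare SYNs to many ports. The protected host 10.0.0.5, the record format and the sweep threshold are assumptions.

```python
from collections import defaultdict

# Constructed packet records: (direction, src, dst, sport, dport, flags).
# "in" means arriving at the protected host 10.0.0.5, "out" means sent by it.
# Flags use tcpdump-style letters: S = SYN, A = ACK.
SAMPLE = [
    ("out", "10.0.0.5", "203.0.113.9", 51000, 80, "S"),     # our own connect()
    ("in", "203.0.113.9", "10.0.0.5", 80, 51000, "SA"),     # expected reply
    ("in", "198.51.100.7", "10.0.0.5", 40000, 139, "SA"),   # hping -S -A style probe
    ("in", "198.51.100.7", "10.0.0.5", 40000, 445, "A"),    # bare ACK probe
] + [("in", "192.0.2.20", "10.0.0.5", 40001, p, "S") for p in range(1, 41)]  # SYN sweep


def detect(records, sweep_threshold=20):
    """Return (kind, source, detail) alerts for the two probe patterns."""
    outbound_syn = set()          # 4-tuples of connections this host initiated
    syn_ports = defaultdict(set)  # remote address -> ports it sent bare SYNs to
    alerts = []
    for direction, src, dst, sport, dport, flags in records:
        if direction == "out":
            if "S" in flags and "A" not in flags:
                outbound_syn.add((src, dst, sport, dport))
            continue
        if "A" in flags:
            # An ACK-bearing packet is only expected if we sent the SYN
            # for the mirrored 4-tuple; otherwise it is a firewall probe.
            if (dst, src, dport, sport) not in outbound_syn:
                alerts.append(("unsolicited-ack", src, f"port {dport} flags {flags}"))
        elif flags == "S":
            syn_ports[src].add(dport)
    for src, ports in syn_ports.items():
        if len(ports) >= sweep_threshold:
            alerts.append(("syn-sweep", src, f"{len(ports)} distinct ports"))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE):
        print(f"{kind:16} {src:15} {detail}")
```

A production detector would additionally bound the SYN count by a time window and expire old entries; the fixed threshold of 20 ports is only for the example.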

    Banner grabbing

    Grab banners and find the OS of the target

    ICMP

  • sing is a nice tool to issue ICMP requests such as timestamp or address mask requests:
      sing -tstamp "IP" -c 1
      sing -mask "IP"

    DNS

    Use dig:
      dig @server domain axfr
    does a zone transfer!

    Mail

    Sending mail to a non-existent address at the domain of interest returns a bounce message to you, in which some interesting information may be hidden.

  • mailsnarf from the dsniff-package can be used to view SMTP traffic easily.

    SNMP

    Guessing community names can be done via:
      ADMsnmp "ip" -wor snmp.passwd -sleep 1



    CopyLeft (l) 2003 by Raffael Marty