NMAP

HOST DISCOVERY: EXTERNAL

root@oco:~$ sudo nmap -sn -PE -PS80,443 {targetIP}

HOST DISCOVERY: INTERNAL RANGE

root@oco:~$ sudo nmap -sn -T4 -oA targetNet {networkAddress/CIDR} | grep for | cut -d" " -f5
 10.129.2.4
 10.129.2.10
 10.129.2.11
 10.129.2.18
 10.129.2.19
 10.129.2.20
 10.129.2.28
 
 * the -sn option performs host discovery only (ping scan) without port scanning
    - by default, newer versions of Windows automatically block ping (ICMP Echo Requests)
    - for external networks, use ICMP Echo Requests (-PE) to check for live hosts
      along with -sn (ping scan only) and -PS{port}, which sends TCP SYN packets
      to the specified ports (e.g., -PS80,443) to elicit a response
    - for local networks, Nmap uses ARP pings by default when -sn is used
      (sending raw ARP needs root privileges, hence sudo)
       - these are faster and more reliable for discovering devices on the same
         subnet, since a host that is up on the LAN must answer an ARP request
       - this behavior can be confirmed and analyzed in detail using the --packet-trace option
       - NOTE: ARP ping only works on the local subnet; ARP does not cross routers
 * -oA targetNet stores the results in all three formats, starting with the name targetNet
   (targetNet.nmap, targetNet.gnmap, targetNet.xml)
 * this scanning method works only if the firewalls of the hosts allow it
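The "grep for | cut -d" " -f5" pipeline above is a quick way to pull live IPs out of Nmap's normal output, but field 5 is the address only when Nmap prints no hostname: once reverse DNS resolves a name the line reads "Nmap scan report for name (ip)" and field 5 becomes the name, and in verbose mode "[host down]" lines are picked up too. Since -oA already writes a greppable file (targetNet.gnmap), the added example below (not part of the original notes) runs the fragile pipeline next to two robust extractors over constructed Nmap output; the addresses and the hostname in the samples are made up.

```shell
#!/bin/sh
# Added example, not from the original notes: three ways to list the hosts
# that an "nmap -sn" run reported as up. Both sample outputs are constructed.

# Constructed normal output (what the notes pipe through grep/cut). The second
# host has a reverse-DNS name, the third is a verbose-mode "[host down]" line.
SAMPLE_NMAP='Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-14 23:59 CEST
Nmap scan report for 10.129.2.4
Host is up (0.087s latency).
Nmap scan report for srv01.example.internal (10.129.2.10)
Host is up (0.090s latency).
Nmap scan report for 10.129.2.12 [host down]
Nmap done: 256 IP addresses (2 hosts up) scanned in 10.20 seconds'

# Constructed greppable output, i.e. what -oA targetNet writes to targetNet.gnmap.
# Real files separate the columns with tabs; the parser accepts tabs or spaces.
SAMPLE_GNMAP='# Nmap 7.80 scan initiated Sun Jun 14 23:59:00 2020 as: nmap -sn -oA targetNet 10.129.2.0/24
Host: 10.129.2.4 ()	Status: Up
Host: 10.129.2.10 (srv01.example.internal)	Status: Up
Host: 10.129.2.11 ()	Status: Up
Host: 10.129.2.12 ()	Status: Down
Host: 10.129.2.18 ()	Status: Up
# Nmap done at Sun Jun 14 23:59:10 2020 -- 256 IP addresses (4 hosts up) scanned in 10.20 seconds'

# 1) The pipeline from the notes. Field 5 is the IP only when Nmap prints no
#    hostname, and "[host down]" lines are not filtered out.
up_hosts_naive() {
  grep for | cut -d" " -f5
}

# 2) Normal output, done robustly: take the last field of each scan-report
#    line, strip the parentheses around a resolved IP, skip down hosts.
up_hosts_normal() {
  awk '/^Nmap scan report for / && !/\[host down\]/ {
         ip = $NF; gsub(/[()]/, "", ip); print ip
       }'
}

# 3) Greppable output: the IP is always field 2 of a "Host:" line and the
#    status is explicit, so no guessing about names or verbosity.
up_hosts_gnmap() {
  awk '$1 == "Host:" && /Status: Up/ { print $2 }'
}

# Typical use after a real scan (not run here):
#   up_hosts_gnmap < targetNet.gnmap > live.lst
#   sudo nmap -sV -iL live.lst -oA services
printf '%s\n' "$SAMPLE_NMAP" | up_hosts_naive
printf '%s\n' "$SAMPLE_NMAP" | up_hosts_normal
printf '%s\n' "$SAMPLE_GNMAP" | up_hosts_gnmap
```

Running the block prints the three lists in turn: the naive pipeline returns a hostname and a down host among the IPs, while the two awk extractors return only the addresses that were actually up.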

HOST DISCOVERY: INTERNAL TARGET LIST (FILE)

root@oco:~$ cat hosts.lst
 10.129.2.4
 10.129.2.10
 10.129.2.11
 10.129.2.18
 10.129.2.19
 10.129.2.20
 10.129.2.28

root@oco:~$ sudo nmap -sn -oA targetNet -iL hosts.lst | grep for | cut -d" " -f5
 10.129.2.18
 10.129.2.19
 10.129.2.20
 
 * -iL performs the defined scan against the targets listed in the provided file ('hosts.lst')

HOST DISCOVERY: INTERNAL MULTI-TARGET LIST (CLI)

root@oco:~$ sudo nmap -sn -oA tnet 10.129.2.18 10.129.2.19 10.129.2.20 | grep for | cut -d" " -f5
 10.129.2.18
 10.129.2.19
 10.129.2.20
 
 * ALT:
    - sudo nmap -sn -oA tnet 10.129.2.18-20 | grep for | cut -d" " -f5
       - this alternate method only works when the defined IPs form a contiguous
         range within one octet (here 18-20 in the last octet)

HOST DISCOVERY: INTERNAL HOST STATUS

this method is used prior to scanning a single host for open ports and its services

root@oco:~$ sudo nmap 10.129.2.18 -sn -oA host 
 Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-14 23:59 CEST
 Nmap scan report for 10.129.2.18
 Host is up (0.087s latency).
 MAC Address: DE:AD:00:00:BE:EF
 Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
 
 * this is similar to an ICMP check via ping
 
 If we disable the port scan (-sn), Nmap automatically performs a ping scan with ICMP Echo Requests (-PE). Once such a request is sent, we usually expect an ICMP reply if the pinged host is alive. The more interesting fact is that our previous scans did not do that: before Nmap could send an ICMP echo request, it sent an ARP ping and received an ARP reply. We can confirm this with the "--packet-trace" option. To ensure that ICMP echo requests are sent, we also define the option (-PE) for this.

SERVICE VERSION DETECTION

root@oco:~$ nmap -sV {ipAddress | networkAddress/CIDR} -p-
 * the -sV option enables service/version detection; -p- scans all 65535 TCP ports instead of the default top 1000
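When the -sV scan is saved with -oA, the greppable file lists every host's ports as "port/state/proto/owner/service/rpcinfo/version/" entries on one "Host:" line. The added example below (not part of the original notes) parses that file into one "ip port/proto service version" line per open port and builds the comma-separated -p argument for the follow-up single-port scans used further down; the services.gnmap content, hosts and version strings are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: turn the greppable file that
# "nmap -sV ... -oA services" writes (services.gnmap) into a list of open
# ports with their detected service and version, and build the -p argument
# for a follow-up scan of one host. The sample output is constructed.

# Constructed services.gnmap. Each port entry is
# port/state/proto/owner/service/rpcinfo/version/ and entries are ", " separated.
# Real files use tabs between the columns; the parser accepts tabs or spaces.
SAMPLE_SV_GNMAP='# Nmap 7.80 scan initiated Sun Jun 14 23:59:30 2020 as: nmap -sV -p- -oA services 10.129.2.18 10.129.2.19
Host: 10.129.2.18 ()	Status: Up
Host: 10.129.2.18 ()	Ports: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.1/, 23/open/tcp//telnet//Linux telnetd/, 80/filtered/tcp//http///	Ignored State: closed (65532)
Host: 10.129.2.19 ()	Status: Up
Host: 10.129.2.19 ()	Ports: 445/open/tcp//microsoft-ds//Windows Server 2016 microsoft-ds/	Ignored State: closed (65534)
# Nmap done at Sun Jun 14 23:59:59 2020 -- 2 IP addresses (2 hosts up) scanned in 29.10 seconds'

# Print "ip port/proto service version" for every open port (stdin -> stdout).
open_services() {
  awk '
    /^Host: / && match($0, /Ports: /) {
      ip = $2
      s = substr($0, RSTART + RLENGTH)          # everything after "Ports: "
      sub(/[ \t]+Ignored State:.*$/, "", s)    # drop the trailing summary
      n = split(s, entry, /, /)
      for (j = 1; j <= n; j++) {
        split(entry[j], f, "/")                # f[2]=state f[3]=proto f[5]=service f[7]=version
        if (f[2] == "open") print ip, f[1] "/" f[3], f[5], f[7]
      }
    }'
}

# Comma-separated open ports of one host, ready to pass to "-p".
open_ports_csv() {
  open_services | awk -v ip="$1" '
    $1 == ip { split($2, p, "/"); out = out (out == "" ? "" : ",") p[1] }
    END { print out }'
}

# Typical use after a real scan (not run here):
#   sudo nmap -sV -sC -p "$(open_ports_csv 10.129.2.18 < services.gnmap)" 10.129.2.18
printf '%s\n' "$SAMPLE_SV_GNMAP" | open_services
printf '%s\n' "$SAMPLE_SV_GNMAP" | open_ports_csv 10.129.2.18
```

The filtered port 80 is deliberately left out of the result, so the ports fed to the next scan are only those Nmap actually confirmed open.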

BASIC CHECKS

root@oco:~$ nmap --script-help all
 * displays all available scripts

root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 23
 * the -sC option runs the default set of Nmap Scripting Engine (NSE) scripts, which typically include
   scripts for service enumeration, version detection, and other basic checks; -T4 selects a faster timing template

VULNERABILITY SCANNING

root@htb:~$ sudo nmap --script=vuln {targetIP} -p {port}
 * --script=vuln runs the NSE scripts in the "vuln" category, which focus specifically on detecting known
   vulnerabilities in the service running on the specified port (e.g., Telnet on port 23 in the scan above)
    - e.g., weak Telnet configurations, or known vulnerabilities in the Telnet
      service
       - if no results are found, the service may be fully patched (or the vuln scripts simply have no check for it)
