In order to start testing something you first want to find out whether it has any network ports open. Discovering which ports are open and which service is running behind each of them is crucial and should be one of the first things you do after recon.
netdiscover uses ARP to discover hosts, so it only finds hosts on the local Layer 2 segment.
netdiscover -r 192.168.1.0/24
masscan is useful on larger networks where speed is important.
masscan 10.11.0.0/16
masscan 10.11.0.0/16 -p22-25 --rate 1000
masscan 10.11.0.0/16 --top-ports 100 --rate 1000
-oX filename: Output to filename in XML.
-oG filename: Output to filename in Grepable format.
-oJ filename: Output to filename in JSON format.
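Once a scan has been written out with -oJ, the next step is usually to turn the raw records into a per-host list of open ports and compare it against what should be exposed. The following Python is an added example, not part of the original notes or of masscan itself: it parses a constructed sample in the shape of masscan's JSON output, groups open ports by host, and reports any port that is not on an expected-exposure baseline. The sample addresses, timestamps and the baseline are made up for illustration.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the shape of masscan -oJ output (not real scan data).
# Note the trailing comma before the closing bracket: some masscan builds
# emit exactly this, and plain json.loads rejects it.
SAMPLE_MASSCAN_JSON = """[
{ "ip": "10.11.1.5", "timestamp": "1700000000", "ports": [ {"port": 22, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] },
{ "ip": "10.11.1.5", "timestamp": "1700000001", "ports": [ {"port": 25, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] },
{ "ip": "10.11.1.9", "timestamp": "1700000002", "ports": [ {"port": 23, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
]"""


def load_masscan_json(text):
    """Parse masscan JSON output, tolerating a trailing comma before ']'."""
    cleaned = re.sub(r",\s*\]\s*$", "]", text.strip())
    return json.loads(cleaned)


def open_ports_by_host(records):
    """Group (proto, port) pairs with status 'open' by IP address.

    masscan writes one record per hit, so the same host appears many times;
    a set per host de-duplicates and the result is sorted for stable output.
    """
    hosts = defaultdict(set)
    for rec in records:
        for entry in rec.get("ports", []):
            if entry.get("status") == "open":
                hosts[rec["ip"]].add((entry["proto"], int(entry["port"])))
    return {ip: sorted(ports) for ip, ports in hosts.items()}


def unexpected_exposure(hosts, expected):
    """Return {ip: [(proto, port), ...]} for open ports not on the baseline.

    `expected` maps an IP to the set of (proto, port) pairs it is allowed to
    expose; hosts absent from the baseline are treated as allowing nothing,
    so every open port on them is flagged.
    """
    findings = {}
    for ip, ports in hosts.items():
        allowed = expected.get(ip, set())
        extra = [pp for pp in ports if pp not in allowed]
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    # Hypothetical baseline: 10.11.1.5 is a known SSH host, nothing else expected.
    baseline = {"10.11.1.5": {("tcp", 22)}}
    hosts = open_ports_by_host(load_masscan_json(SAMPLE_MASSCAN_JSON))
    for ip, ports in sorted(hosts.items()):
        print(ip, ", ".join(f"{port}/{proto}" for proto, port in ports))
    for ip, extra in unexpected_exposure(hosts, baseline).items():
        print("UNEXPECTED", ip, extra)
```

To use it on a real file, replace SAMPLE_MASSCAN_JSON with the contents of the -oJ output and fill the baseline from the asset inventory; the trailing-comma cleanup is the one thing that commonly breaks naive parsers of this format.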