Scan/Sniffer

Macchanger

ip link set <interface> down && macchanger -m <mac> <interface> && ip link set <interface> up
(the interface must be down, otherwise the driver refuses the new address)

Sniffer / Passive scan

If possible, use Wireshark

netdiscover -i <interface> -p
tcpdump -i <interface> -s 65535 -vv -w <output.pcap>
use auxiliary/sniffer/psnuffle

Host discovery

Linux
netdiscover -r <range> -i <interface> -P | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" > list_ip.txt 
nbtscan -r <range>
arp-scan --interface=<interface> --localnet
for i in {1..255}; do arping -c 1 <192.168.0>.$i; done | grep reply
nmap <range> -sn -oG sweep.grep
grep Up sweep.grep |cut -d " " -f2 > list_ip.txt
for i in {1..254}; do ping -c 1 -W 1 <192.168.0.>$i | grep 'from'; done
prefix="172.16" && for i in {0..255}; do echo $prefix.$i.0/24; for j in {1..254}; do ping -c 1 -W 1 $prefix.$i.$j | grep "bytes from" & done; wait; done
(pings one /24 at a time in the background; -W 1 is the Linux reply timeout, the BSD/macOS spelling is -t 1)
Windows
1..255 | % { ping -n 1 -w 500 <10.10.10>.$_ | Select-String ttl }
for /L %i in (1,1,255) do  @ping.exe -n 1 -w 50 <10.10.10>.%i | findstr TTL
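Several of the discovery tools above end up feeding the same list_ip.txt, and the grep -oE pattern used with netdiscover accepts anything that looks like four dotted numbers, including 999.999.999.999 or a "Status: Down" host. The following is an added example, not part of the original cheat sheet, that merges nmap -oG and arp-scan/netdiscover output into one validated, deduplicated target list using only POSIX sh, awk and sort. The sample tool outputs embedded in it are constructed, not real captures.

```sh
#!/bin/sh
# Added example: merge host-discovery output into one target list.
# Assumes only POSIX sh, awk, sort and uniq. Sample data below is constructed.

# Keep hosts that `nmap -oG` marked "Status: Up" and print the address (field 2);
# works whether or not a reverse-DNS name sits in the parentheses after it.
grepable_up_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$@"
}

# Print the first field of each line when it is a valid IPv4 address (4 octets,
# each 0-255). arp-scan and netdiscover -P both put the address first, so their
# header, summary and "Interface:" lines are skipped automatically.
first_field_ipv4() {
    awk '{
        n = split($1, o, ".")
        if (n != 4) next
        for (j = 1; j <= 4; j++)
            if (o[j] !~ /^[0-9]+$/ || o[j] + 0 > 255) next
        print $1
    }' "$@"
}

# Numeric sort by octet plus dedup (sort -V is not POSIX).
sort_unique_ipv4() {
    sort -t . -k1,1n -k2,2n -k3,3n -k4,4n "$@" | uniq
}

# Constructed sample of `nmap -sn -oG sweep.grep` output
SWEEP='# Nmap 7.94 scan initiated as: nmap -sn -oG sweep.grep 192.168.0.0/24
Host: 192.168.0.1 (router.lan)    Status: Up
Host: 192.168.0.10 ()    Status: Up
Host: 192.168.0.11 ()    Status: Down
# Nmap done -- 256 IP addresses (2 hosts up) scanned in 3.21 seconds'

# Constructed sample of `arp-scan --localnet` output; the last line is deliberately bogus
ARP='Interface: eth0, type: EN10MB, MAC: 00:0c:29:aa:bb:cc, IPv4: 192.168.0.50
192.168.0.1	00:11:22:33:44:55	Example Vendor
192.168.0.2	00:11:22:33:44:66	Example Vendor
999.168.0.3	00:11:22:33:44:77	Not an address
2 packets received by filter, 0 packets dropped by kernel'

# Combine every source, then sort and dedup; redirect to list_ip.txt in practice.
build_target_list() {
    {
        printf '%s\n' "$SWEEP" | grepable_up_hosts
        printf '%s\n' "$ARP" | first_field_ipv4
    } | sort_unique_ipv4
}

build_target_list
```

The scanner's own address on the arp-scan "Interface:" line is dropped because it is not in the first field; if you feed real files instead of the embedded strings, pass the filenames as arguments to the three filter functions.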

Name resolution in a LAN

for /L %i in (1,1,255) do @nslookup <10.10.10>.%i <ip_dns_server> 2>nul | find "Name" && echo <10.10.10>.%i

Port scan

Windows
1..1024 | % { echo ((New-Object Net.Sockets.TcpClient).Connect("<ip>",$_)) "Port $_ is open" } 2> $null
(a closed port throws, which aborts the echo statement for that iteration; the error stream is discarded)
function portCheck () {
    param ($hostName, $port, $timeoutMs = 1000);

    $portTest = New-Object Net.Sockets.TcpClient;

    # Asynchronous connect so a filtered (dropped) port gives up after $timeoutMs
    # instead of blocking for the OS default connect timeout of roughly 20 s
    try {
        $async = $portTest.BeginConnect($hostName, $port, $null, $null);
        if ($async.AsyncWaitHandle.WaitOne($timeoutMs)) { $portTest.EndConnect($async) }
    } catch {}

    if ($portTest.Connected) {
        echo "$hostName,$port - Success";
    } else {
        echo "$hostName,$port - Failed";
    }
    # Dispose on both paths, otherwise a pending half-open connect leaks a socket
    $portTest.Dispose();
}

$portRange = @(22, 80, 3389);
#$portRange = 1..65535;

foreach ($prt in $portRange) {
    portCheck -hostName "<ip>" -port $prt;
}
Linux
echo "" | nc -v -n -w1 <ip> <port_min>-<port_max>
nc -n -vz -w1 <ip> <port_min>-<port_max> 2>&1 | grep -v "timed out"
nc -n -vz -w1 <ip> 80 443 445 139 135 8080 22 21 2>&1 | grep -v "timed out"
(listing several ports on one line needs netcat-traditional; netcat-openbsd takes a single port or a single range)
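When neither nc nor nmap is installed on the box you are scanning from (typical when pivoting), bash's /dev/tcp pseudo-device does a plain TCP connect scan. The following is an added example, not from the original cheat sheet, of the Linux counterpart to the PowerShell portCheck function above: it expands an nmap-style port spec and bounds each connect with a timeout, because filtered ports (dropped packets) otherwise stall the loop for the kernel's full connect timeout. It assumes bash and the coreutils timeout binary are present; the 127.0.0.1 target at the end is just a local demo value.

```sh
#!/bin/sh
# Added example: TCP connect scan without nc or nmap, using bash's /dev/tcp.
# Assumes bash and coreutils `timeout` exist on the host.

# Expand "22,80-82,443" into one port per line, in POSIX sh only.
expand_ports() {
    echo "$1" | tr ',' '\n' | while IFS=- read -r lo hi; do
        hi=${hi:-$lo}
        i=$lo
        while [ "$i" -le "$hi" ]; do echo "$i"; i=$((i + 1)); done
    done
}

# Return 0 if a TCP handshake to $1:$2 completes within $3 seconds (default 1).
# The handshake is done by a child bash opening /dev/tcp/<host>/<port> on fd 3;
# the fd closes when the child exits, so the connection is torn down immediately.
tcp_port_open() {
    timeout "${3:-1}" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# Scan every port in a spec and print "<ip> <port> open|closed" per port.
# A refused connect returns at once; a dropped one costs the timeout, like
# `nc -w1` does, so keep the timeout small on large ranges.
scan_ports() {
    ip=$1
    for p in $(expand_ports "$2"); do
        if tcp_port_open "$ip" "$p" "${3:-1}"; then
            echo "$ip $p open"
        else
            echo "$ip $p closed"
        fi
    done
}

# Demo against the loopback address (constructed target, not a real engagement)
scan_ports 127.0.0.1 "22,80,443"
```

Pipe the result through grep open to get the same compact list the nc one-liners above produce; the port spec syntax matches nmap's -p so the same string can be reused once a real scanner is available.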

UDP

nmap -sU -sV -vv -oX quick_udp <ip>
unicornscan -mU -v -I <ip>

Port Knocking

for x in 7000 8000 9000; do nmap -Pn --host-timeout 201ms --max-retries 0 -p $x <ip>; done
(nmap time values without a unit are seconds, so write 201ms; the knocks must arrive quickly and in order)

Service identification - Banner grabbing

amap <ip> <port>
nmap -sV <ip> -p <port>
nc -vvv <ip> <port>
telnet <ip> <port>
curl -vI http://<ip>:<port>/
(-I sends a HEAD request and -v prints the response headers, including Server; -X needs a method name, so "curl -vX <ip>" is not valid)

Aggressive scan

nmap -iL list_ip.txt -A -sT -T4 --open -Pn -oX output.xml
searchsploit --nmap output.xml
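searchsploit consumes output.xml directly, but most other tools want plain "ip:port" targets per service. The following is an added example, not part of the original cheat sheet, that pulls every open port with its service, product and version out of nmap -oX output with POSIX awk, and derives per-service target lists from it. The XML embedded in it is constructed to mirror nmap's layout (one <address> and one <port> element per line, which is how nmap writes it), not a real scan.

```sh
#!/bin/sh
# Added example: turn `nmap -oX` output into "ip port/proto service product version"
# lines and per-service ip:port target lists. Assumes only POSIX sh and awk.

# Print one line per open port: <ip> <port>/<proto> <service> [product] [version].
# Reads the files given as arguments, or stdin when none are given.
nmap_xml_open_ports() {
    awk '
    # value of attribute `name` on the current line, "" if absent;
    # the leading space stops portid= from matching inside another name
    function attr(name,    re) {
        re = " " name "=\"[^\"]*\""
        if (match($0, re))
            return substr($0, RSTART + length(name) + 3, RLENGTH - length(name) - 4)
        return ""
    }
    # remember the IPv4 address of the <host> being parsed (MAC lines are skipped)
    /<address / && /addrtype="ipv4"/ { ip = attr("addr") }
    # every <port> element sits on its own line with its <state> and <service>
    /<port / && /state="open"/ {
        line = ip " " attr("portid") "/" attr("protocol") " " attr("name")
        if (attr("product") != "") line = line " " attr("product")
        if (attr("version") != "") line = line " " attr("version")
        print line
    }
    ' "$@"
}

# List ip:port for one service name (e.g. http) to feed a follow-up tool.
nmap_xml_targets() {
    nmap_xml_open_ports ${2:+"$2"} | awk -v svc="$1" '$3 == svc { split($2, p, "/"); print $1 ":" p[1] }'
}

# Constructed sample shaped like `nmap -A -oX output.xml` output
SAMPLE_XML='<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -A -sT -T4 --open -Pn -oX output.xml -iL list_ip.txt">
<host><status state="up" reason="user-set"/>
<address addr="192.168.0.10" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" product="OpenSSH" version="7.4" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="conn-refused" reason_ttl="64"/><service name="https" method="table" conf="3"/></port>
</ports>
</host>
<host><status state="up" reason="user-set"/>
<address addr="192.168.0.20" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="128"/><service name="microsoft-ds" product="Windows 7 - 10 microsoft-ds" method="probed" conf="10"/></port>
</ports>
</host>
</nmaprun>'

printf '%s\n' "$SAMPLE_XML" | nmap_xml_open_ports
printf '%s\n' "$SAMPLE_XML" | nmap_xml_targets http
```

Run it as nmap_xml_open_ports output.xml on a real scan; the service column is nmap's name attribute, so the same filter works for the UDP scan written with -sU -sV -oX above.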

NSE

locate -r '\.nse$' | xargs grep categories

Bypass detection

Find Zombie

use auxiliary/scanner/ip/ipidseq 

Use zombie

nmap -Pn -n -sI <zombie>[:<zombie_port>] -p <ports> --source-port 53 --data-length 48 --mtu 24 -oX <out.xml> <ip>
(-Pn and -n stop nmap from pinging or reverse-resolving the target from your real address; only the zombie's address ever reaches the target, so decoys add nothing here; --mtu already fragments, do not add -f on top of it)

Firewalking

tracepath -n -p <port> <ip>
traceroute -n -M default -p <port> <ip>

Firewall bypass

nmap -Pn -f -D RND:10 --source-port 443 --data-length 20 --spoof-mac Apple <ip>
(-f sends 8-byte fragments; to choose another fragment size use --mtu <multiple of 8> instead of -f, never both; --spoof-mac only matters on the local Ethernet segment)