Nmap Common Commands - singirikondamani/Noted GitHub Wiki

Important Nmap commands for enumeration:

Notes: -T is the timing template, 0 to 5. Choosing 0 makes the scan slowest; 5 is fastest but returns less accurate data; 4 is a good balance. -sn means no port scan (host discovery only).

  1. Identify live machines in a given subnet → nmap -sn -T4 <0.0.0.0/24> (if the output reports 4 hosts up, answer 3, because the default host IP does not count)
  2. Identify the IP address of the machine that has port 21 open → nmap -T4 <0.0.0.0/24>, nmap -sV -sC -p21 <0.0.0.0/24>
  3. Identify the IP address of the domain controller → nmap -p53 -T4 <0.0.0.0/24>
  4. Identify host discovery services such as NetBIOS → nmap -sV -sC -p 137,138,139 <0.0.0.0/24>, nmap -T4 -A <0.0.0.0/24>, nmap -sV -sC -p- <0.0.0.0/24>
  5. Identify the DNS computer name of the DC → nmap -T4 -A <0.0.0.0>
  6. Perform an intense scan to find the DC and its FQDN → nmap -T4 -A <0.0.0.0>
  7. Identify services and vulnerable versions (version scan) → nmap -sV -sC <0.0.0.0/24>, nmap -sV -p <Service Port> <0.0.0.0/24>, nmap -sV -T4 -A <0.0.0.0/24>, nmap -sV -p22 <0.0.0.0/24>
  8. Identify the OS of the target → nmap -O -sV -p 3306 <0.0.0.0>, nmap -O -sV -p 3306 -T4 <0.0.0.0>
  9. Identify whether the NFS service is enabled → nmap -T4 -p- <0.0.0.0>, nmap -T4 -p2049 <0.0.0.0>, nmap -T4 -A <0.0.0.0/24>
  10. Identify the SMTP service → nmap -T4 -p- -sV <0.0.0.0/24>, nmap -T4 -p 25 <0.0.0.0/24>, nmap -T4 -sV <0.0.0.0/24>
  11. SMB enumeration: check whether the message signing feature is enabled or not → nmap -sV -T4 -A <0.0.0.0>
  12. Identify live hosts using ARP → sudo netdiscover -r 192.168.1.0/24 -s 500
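Subnet scans like items 1, 2 and 9 above produce a lot of output, and the practical question is usually "which hosts are up?" and "which hosts expose port N?". The following is an added example, not part of the wiki page: a small Python parser for Nmap's grepable output format (`-oG`, a real Nmap option) that answers both questions from a constructed sample scan. It assumes the standard `-oG` line layout (`Host: <ip> (<name>)`, tab-separated `Status:` and `Ports:` fields, with each port written as `port/state/proto/owner/service/rpcinfo/version/`), which is what Nmap emits.

```python
"""Parse Nmap grepable (-oG) output and report live hosts / hosts with a given open port.

Added example for the wiki cheat sheet; not Nmap project code. Assumes the -oG
line layout described in the lead-in. Run a real scan with e.g.
    nmap -sV -p21,2049 -oG scan.gnmap 192.168.1.0/24
and pass the file contents to parse_grepable().
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in -oG format (not real scan data) so the script runs offline.
SAMPLE_OG = """# Nmap 7.94 scan initiated as: nmap -sV -p21,2049 -oG - 192.168.1.0/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 21/closed/tcp//ftp///, 2049/closed/tcp//nfs///\tIgnored State: closed (0)
Host: 192.168.1.10 (fileserver)\tStatus: Up
Host: 192.168.1.10 (fileserver)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 2049/open/tcp//nfs//2-4 (RPC #100003)/
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 21/filtered/tcp//ftp///, 2049/closed/tcp//nfs///
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

# "Host: <ip> (<hostname>)<TAB><rest of the tab-separated fields>"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_grepable(text):
    """Return {ip: {"name": str, "up": bool, "ports": {port: (state, service, version)}}}."""
    hosts = defaultdict(lambda: {"name": "", "up": False, "ports": {}})
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # skip the "# Nmap ..." comment lines
        ip, name, rest = m.groups()
        entry = hosts[ip]
        entry["name"] = name
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value.strip() == "Up"
            elif key == "Ports":
                for spec in value.split(", "):
                    # port/state/proto/owner/service/rpcinfo/version/
                    parts = spec.split("/")
                    port, state, service, version = int(parts[0]), parts[1], parts[4], parts[6]
                    entry["ports"][port] = (state, service, version)
            # other fields (e.g. "Ignored State") are not needed here
    return dict(hosts)


def live_hosts(hosts):
    """IPs reported as Up, in address order (answers item 1)."""
    return sorted((ip for ip, e in hosts.items() if e["up"]), key=ipaddress.ip_address)


def hosts_with_open_port(hosts, port):
    """IPs where `port` is in state 'open' (answers items 2 and 9 for ports 21 and 2049)."""
    return sorted(
        (ip for ip, e in hosts.items() if e["ports"].get(port, ("",))[0] == "open"),
        key=ipaddress.ip_address,
    )


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_OG)
    print("live hosts:", live_hosts(scan))
    for p in (21, 2049):
        for ip in hosts_with_open_port(scan, p):
            state, service, version = scan[ip]["ports"][p]
            print(f"{ip} ({scan[ip]['name'] or '-'}): {p}/{service} open, version: {version or 'unknown'}")
```

Only ports in state `open` are reported; `filtered` and `closed` are kept in the parsed structure so you can also list hosts where a port is filtered, which is often a firewall rule rather than an absent service.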