Once you have discovered all the IPs (external or internal) you want to scan in depth, different actions can be performed.
TCP
# Nmap fast scan for the most 1000tcp ports usednmap-sV-sC-O-T4-n-Pn-oAfastscan<IP># Nmap fast scan for all the portsnmap-sV-sC-O-T4-n-Pn-p--oAfullfastscan<IP># Nmap fast scan for all the ports slower to avoid failures due to -T4nmap-sV-sC-O-p--n-Pn-oAfullscan<IP># Nmap ports alive customnmap-p---open--min-rate=<seconds>-vvv-T3-n-Pn<IP>-oGallPorts# Nmap port recon with nmap scriptsnmap-p21,22,8080,9999-sC-sV-n-Pn<IP>-oGtargeted# Nmap quick regexnmap-A-p---open-T4-n-Pn<IP>-oGnmap_scan# Nmap TCP, UDP scan nmap-p--sX-sU<domain.com>--scanflagsPSH# Nmap Window TCP scannmap-v-p-<domain.com>-sW
UDP
# Check if any of the most common udp services is runningudp-proto-scanner.pl<IP># Nmap fast check if any of the 100 most common UDP services is runningnmap-sU-sV--version-intensity0-n-F-T4<IP># Nmap check if any of the 100 most common UDP services is running and launch defaults scriptsnmap-sU-sV-sC-n-F-T4<IP># Nmap "fast" top 1000 UDP portsnmap-sU-sV--version-intensity0-n-T4<IP># You could use nmap to test all the UDP ports, but that will take a lot of time
SCTP Scan
# Nmap fast SCTP scannmap-T4-sY-n-oASCTFastScan<IP># Nmap all SCTP scannmap-T4-p--sY-sV-sC-F-n-oASCTAllScan<IP>
Revealing Internal IP Addresses
Misconfigured routers, firewalls, and network devices sometimes respond to network probes using nonpublic source addresses. You can use tcpdump used to identify packets received from private addresses during testing. In this case, the eth2 interface in Kali Linux is addressable from the public Internet (If you are behind a NAT of a Firewall this kind of packets are probably going to be filtered).
