Recently there has been an increasing need at my job to find out, on a fairly regular basis, which machines are on the network and which of them have vulnerable ports open. A quick scan with nmap usually works best here. For example, if we need to figure out how many machines are currently live on the network with ssh and/or a web server exposed, we could run the following command: nmap -O -sS -p 22,80 '192.168.1.*'

This will scan the entire 192.168.1.0 subnet, and in our case it came back with 28 live machines, 3 of which had ssh exposed and 2 a web server (IIS).

Description of Syntax:

-O   Use TCP/IP fingerprinting to guess remote operating system
-sS  TCP SYN stealth port scan
-p   ports to scan
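To turn the scan into the kind of summary quoted above (how many hosts are live, which ones have 22 or 80 open) it helps to save the results with -oX and parse the XML rather than read the terminal output by hand. The following is an added example, not code from the original post; it assumes the scan was run as "nmap -O -sS -p 22,80 -oX scan.xml '192.168.1.*'" and uses a small constructed sample of that XML in place of a real report.

```python
"""Summarise an nmap XML report (-oX) into live hosts and open ports.

Added example with constructed sample data, not the author's scan results.
Assumed command: nmap -O -sS -p 22,80 -oX scan.xml '192.168.1.*'
"""
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output: three hosts up, one down.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sS -p 22,80 -oX scan.xml 192.168.1.*">
  <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.168.1.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="filtered"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.168.1.12" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="192.168.1.13" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
    </ports>
  </host>
</nmaprun>
"""


def summarize(xml_text):
    """Return (live_hosts, {port: [addr, ...]}) counting only ports reported as open.

    A 'filtered' port is not counted: nmap could not tell whether it is open,
    so it needs a closer look rather than a tick in the summary.
    """
    root = ET.fromstring(xml_text)
    live, exposed = [], {}
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue  # host did not answer the probe
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        live.append(addr)
        for port in host.findall("ports/port"):
            if port.find("state").get("state") == "open":
                exposed.setdefault(int(port.get("portid")), []).append(addr)
    return live, exposed


if __name__ == "__main__":
    live, exposed = summarize(SAMPLE_XML)
    print(f"{len(live)} live hosts")
    for portid, addrs in sorted(exposed.items()):
        print(f"port {portid} open on {len(addrs)}: {', '.join(addrs)}")
```

Point the script at the real scan.xml (ET.parse(path).getroot() in place of fromstring) to get the same counts from an actual sweep.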