superscan - Ping sweep
nslookup
> server ipaddress
> set type=any
> ls -d target.com
sqlping2
net view /domain - Identify domains on the wire
net view /domain:domain_name - Identify machines in the domain
net use \\10.1.1.20\ipc$ "" /user:"" - Establish null session connection
getmac \\10.1.1.20 - Obtain network transport information
psexec \\10.1.1.20 cmd.exe - Obtain a remote command shell
netmon 3.0
For more detailed tips and information, see the book Hacking Exposed: Network Security Secrets and Solutions.