Scanning

Identify Live Hosts

ping $IP
//Ping Sweep (ICMP ECHO requests) :
fping -a -g $IP   //-a: show systems that are alive //-g: generate targets from address/mask
fping $IP -r 0 -e //-r: retry 0 times //-e: show elapsed time (can be used to check for an IDS)
fping -q -a -g $IP/24 -r 0 -e //Finds all alive systems in the subnet, -q: quiet
nmap -sn $IP
nping $IP
ping6 $IPv6

Test Firewall rules using Hping3

// <--raw-ip, --icmp, --udp, --scan, --listen>
// < -S, -A, -R, -F, -P, -U, -X> as <syn,ack,rst,fin,psh,urg,xmas>
// flags=RA means port is closed. flags=SA means port is open.

hping3 $IP
hping3 -c 1 $IP -p <port> -s      
hping3 -1 192.168.1.x --rand-dest -I eth0 // -1=tcp packet, -I = interface
nmap -f -f -sS $IP -p <port> -Pn -n --disable-arp-ping //16-byte fragments
hping3 -S -f -p <port> $IP -c 2  //-S: TCP SYN scan, -f: fragment
nmap -D RND:10 $IP -p <port> -Pn -n --disable-arp-ping
nmap --source-port 53 $IP -sS //Default DNS port 53 is often ignored by network admins
nmap -sS --data-length 10 -p <port> $IP //Appends 10 extra bytes to each packet to evade IDS
nmap --spoof-mac <vendor_name> $IP -p <port> -Pn --disable-arp-ping

Nmap

MASSCAN
