Recently there has been an increasing need at my job to find out, on a fairly regular basis, which machines are on the network and which of them have potentially vulnerable services exposed. A quick nmap scan usually works best here. For example, if we need to figure out how many machines are currently live on the network with ssh and/or a web server exposed, we could run the following command:
nmap -O -sS -p 22,80 '192.168.1.*'
This will scan the entire 192.168.1.0/24 subnet (192.168.1.* is nmap's wildcard form of that range), and in our case came back with 28 live machines, 3 of which had ssh and 2 had IIS.
Description of Syntax:
-O   Use TCP/IP stack fingerprinting to guess the remote operating system
-sS  TCP SYN ("stealth") port scan: sends a SYN and never completes the handshake, so the connection is not logged by the application
-p   Ports to scan (here 22 and 80; a comma-separated list, or ranges such as 1-1024). Only these ports are probed, so a host with something else listening still shows as live but with nothing open.
Both -O and -sS need raw-socket access, so on Linux the command has to be run as root (or through sudo).
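To turn a scan like the one above into the numbers quoted (hosts up, hosts with ssh open, hosts with a web server), it helps to have nmap write its greppable output with -oG and post-process that file instead of reading the screen. The script below is an added example, not code from the original post; it assumes nmap's -oG line layout (tab-separated fields, a "Status: Up" line per live host, and a "Ports:" field of port/state/protocol/... entries), and the report it parses is a constructed sample, not a real scan.

```shell
#!/bin/sh
# Added example, not code from the original post.  Summarises an nmap greppable
# report (-oG) to answer "which hosts are up, and which expose 22 and/or 80".
# Assumes nmap's -oG line layout: tab-separated fields, a "Status: Up" line for
# each live host, and a "Ports:" field of port/state/proto/owner/service/... entries.

# Constructed sample (made up, not a real scan) of what this command would write:
#   sudo nmap -O -sS -p 22,80 -oG scan.gnmap 192.168.1.0/24
# -O and -sS need raw sockets, hence sudo.  Tabs are emitted via printf's \t.
sample_report() {
    printf '%s\n' '# Nmap 7.94 scan initiated Mon Jan  1 09:00:00 2024 as: nmap -O -sS -p 22,80 -oG scan.gnmap 192.168.1.0/24'
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tOS: Linux 4.15 - 5.8\n'
    printf 'Host: 192.168.1.20 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.20 ()\tPorts: 22/closed/tcp//ssh///, 80/open/tcp//http///\tOS: Microsoft Windows Server 2019\n'
    printf 'Host: 192.168.1.21 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.21 ()\tPorts: 22/filtered/tcp//ssh///, 80/filtered/tcp//http///\n'
    printf 'Host: 192.168.1.30 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.30 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///\tOS: Linux 5.4\n'
    printf '%s\n' '# Nmap done at Mon Jan  1 09:03:00 2024 -- 256 IP addresses (4 hosts up) scanned in 180.00 seconds'
}

# Number of hosts nmap considered alive (one "Status: Up" line per live host;
# with -Pn every target is listed as up, so this only means "answered discovery").
hosts_up() {
    grep -c 'Status: Up' || true
}

# IPs with the given TCP port open, one per line.  The leading space in " 22/open/"
# keeps 2280/open from matching: a digit, not a space, precedes the 80 there.
hosts_with_open() {
    grep -F -- " $1/open/" | awk '{ print $2 }'
}

# How many hosts have the given port open.
count_open() {
    hosts_with_open "$1" | wc -l | tr -d ' '
}

# One line per host with at least one open port: "<ip> <open ports> <OS guess or ->".
# Hosts whose scanned ports are all closed or filtered are dropped.
summarize() {
    awk '
        BEGIN { FS = "\t" }
        $2 ~ /^Ports:/ {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)   # "Host: 1.2.3.4 (name)" -> 1.2.3.4
            ports = $2; sub(/^Ports: /, "", ports)
            n = split(ports, entry, ", ")
            openp = ""
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")        # port/state/protocol/owner/service/rpcinfo/version
                if (f[2] == "open") openp = (openp == "" ? f[1] : openp "," f[1])
            }
            os = "-"
            for (i = 3; i <= NF; i++) if ($i ~ /^OS: /) { os = $i; sub(/^OS: /, "", os) }
            if (openp != "") print ip, openp, os
        }'
}

# Demo on the constructed report.  Against a real scan, replace "sample_report"
# with "cat scan.gnmap".
printf 'hosts up: %s\n'       "$(sample_report | hosts_up)"
printf 'ssh  (22) open: %s\n' "$(sample_report | count_open 22)"
printf 'http (80) open: %s\n' "$(sample_report | count_open 80)"
sample_report | summarize
```

On the sample this reports 4 hosts up, 2 with ssh, 2 with a web server, and lists 192.168.1.1, 192.168.1.20 and 192.168.1.30 with their open ports and OS guess; 192.168.1.21 is alive but exposes neither port and is left out of the summary. The same pipeline works unchanged on larger port lists, since the awk loop walks every entry in the Ports field rather than looking for 22 and 80 by name.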