Finding Live Hosts

fping -a -g x.x.x.x/xx 2>/dev/null
nmap -sn x.x.x.x/xx
nmap -n -sn x.x.x.x/xx #no ping
nmap -sL --dns-servers x.x.x.x/xx  #Host Identification
for i in {1..254}; do dig +noall +answer @x.x.x.x -x x.x.x.$i; done

#metasploit
msf > use auxiliary/scanner/discovery/arp_sweep
set SHOST 192.168.1.101
set SMAC d6:46:a7:38:15:65
set RHOSTS 192.168.1.200-254
run

Finding Domains

nslookup -type=PTR x.x.x.x
dig x.x.x.x PTR

If you're given a domain, you may want to check some information using DNS such as tied IPs and various records. You can also check these with just an IP as well.

#nslookup
nslookup target.com #basic DNS query
nslookup -type=MX target.com #mail exchange query
nslookup -type=NS target.com #name server query
#zone transfer below, a server misconfig that allows a complete dns lookup
nslookup
> server target.com
> ls -d target.com

#dig equivalents to the above nslookup commands
dig target.com
dig target.com A #Only present in forward zones
dig target.com TXT #Text records
dig target.com MX
dig target.com NS
dig target axfr @x.x.x.x target.com #zone transfer

#other tools
dnsrecon -d target.com -a --name-server server
nmap -sU -p53 x.x.x.x/xx
dnsmap target.com
dnsenum --dnsserver x.x.x.x -f /usr/share/seclists/Discovery/DNS/namelist.txt example.com
#Google and Bing
ip:x.x.x.x

If you've been able to isolate a specific host and find which services are running or which ports are open, you can do so with nmap and hping.

nmap -sS x.x.x.x #TCP
nmap -sU x.x.x.x #UDP
#Scan all ports quickly, very loud
ports=$(nmap -p- --min-rate=1000 -T4 x.x.x.x | grep ^[0-9] | cut -d '/' -f1 | tr '\n' ',' | sed s/,$//)
nmap -sV -sC -p $ports x.x.x.x
#Zombie scan, better for stealth
nmap -O -v x.x.x.x #look for incremental sequence gen
nmap -Pn -sI zombieIP:xx targetIP -p$ports -v
#zombie with hping3
hping3 -S --scan known x.x.x.x #identify ports
hping3 -S -r -p$ports x.x.x.x #identify zombie