-Pnoption which will disable the host discovery stage altogether on a scan. This option can be useful when the target is reported as down when it’s actually up but not responding to host discovery probes (e.g. due to host-based firewall that drops ICMP packets). Using this option with the intense scans below can be helpful.
--script-argsoption or from a file using the
vrfycommand to check if email addresses are valid. You can also check mailing list membership with
srvinforesponse, because googling it may give you the exact exploit you need. It looks like gibberish:
srvinfothat is helpful when searching for exploits:
common.txtwhich works well in most lab situations. However, if you're enumerating a machine with a very small attack surface (e.g. only port 80 is open) you may want to try