Many have heard of nmap before, but do you know nmap has a scripting (plugin) language? This article covers some of those scripts that can be used to get more information from a box.
https://isc.sans.edu/diary/Enhancing+pentesting+recon+with+nmap/20331