THC-Rut is your first knife on foreign network.
It offers a wide range of network discovery utilities like arp lookup on an IP range, spoofed DHCP request, RARP, BOOTP, ICMP-ping, ICMP address mask request, OS fingerprinting, high-speed host discovery, ...
THC-RUT comes with a OS host Fingerprinter which determines the remote OS by open/closed port characteristics, banner matching and nmap fingerprinting techniques (T1, tcpoptions).
The fingerprinter has been developerd to quickly (10mins) categorize hosts on a Class B network. Information sources are (amoung others) SNMP replies, telnetd (NVT) negotiation options, generic Banner Matching, HTTP-Server version, DCE request and tcp options. It is compatible to the nmap-os-fingerprints database and comes in addition to this with his own perl regex capable fingerprinting database (thcrut-os-fingerprints).
Example (OS fingerprinting):
# ./thcrut discover -O 192.168.0.1-192.168.255.254
128321 packets received by filter, 0 packets dropped by kernel
Completed in 8 minutes, 38 seconds.