Living Off the Land : Scanning

by Vince
in Blog

In an ideal world we have access to all of our tools, but things being what they are, eventually we will find ourselves separated from our attacking server. Let's say you take over a host and need to enumerate from that host, which doesn't even have Nmap. First we need to find targets, and once we find targets, we need to enumerate each one.

I'm sure there are a number of variations that get you to the same place, maybe even with fewer characters, but this one-liner works well.



Once we have our targets, there are a couple of variations that hunt down open ports, and which one you need depends on your version of netcat. If you remove the last part where we grep, you can see what the raw output looks like and decide from there whether to grep for "succeeded" or "open".



Also, the difference isn't a Mac vs. Linux issue; it depends solely on which netcat you have installed.
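To make that "succeeded" vs. "open" difference concrete, here is an added Python helper (not from the original post) that normalises the output of either netcat flavour into one list of open host/port pairs, so the same wrapper works wherever you land. The sample output lines are constructed and the host 10.0.0.5 is a placeholder.

```python
import re
from typing import List, Tuple

# OpenBSD-style netcat (the one the post greps for "succeeded"):
#   Connection to 10.0.0.5 22 port [tcp/ssh] succeeded!
OPENBSD_RE = re.compile(r"Connection to (\S+) (\d+) port \[tcp/[^\]]*\] succeeded!")

# Traditional/GNU netcat (the one the post greps for "open"):
#   10.0.0.5 [10.0.0.5] 22 (ssh) open
TRADITIONAL_RE = re.compile(r"^(\S+) \[\S+\] (\d+) \(\S*\) open$")


def parse_open_ports(nc_output: str) -> List[Tuple[str, int]]:
    """Return sorted, de-duplicated (host, port) pairs reported open.

    Lines for refused or timed-out connections match neither pattern
    and are skipped, so output from both netcat variants can be mixed.
    """
    found = set()
    for line in nc_output.splitlines():
        line = line.strip()
        m = OPENBSD_RE.search(line) or TRADITIONAL_RE.match(line)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return sorted(found)


# Constructed sample output: one run from each netcat flavour against
# the placeholder host 10.0.0.5, including failure lines to be ignored.
SAMPLE_OPENBSD = """\
Connection to 10.0.0.5 22 port [tcp/ssh] succeeded!
nc: connect to 10.0.0.5 port 23 (tcp) failed: Connection refused
Connection to 10.0.0.5 80 port [tcp/http] succeeded!
"""

SAMPLE_TRADITIONAL = """\
10.0.0.5 [10.0.0.5] 22 (ssh) open
10.0.0.5 [10.0.0.5] 23 (telnet) : Connection refused
10.0.0.5 [10.0.0.5] 443 (https) open
"""


def demo() -> List[Tuple[str, int]]:
    """Parse both samples together; the two 22/tcp hits collapse to one."""
    return parse_open_ports(SAMPLE_OPENBSD + SAMPLE_TRADITIONAL)


if __name__ == "__main__":
    for host, port in demo():
        print(f"{host}:{port} open")
```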



Nmap would obviously make life much easier, but the goal is to keep driving deeper into the environment with or without my preferred tools.