Sometimes you want to learn a LAN's metadata before you are a configured member of that network: its address range, gateway, DNS server IPs, DHCP server IP and so on. This simple nmap script does exactly that: it broadcasts a DHCP discover and decodes the offer that comes back.
# nmap --script broadcast-dhcp-discover
Starting Nmap 7.60 ( https://nmap.org ) at 2021-05-19 15:07 CEST
Pre-scan script results:
| Response 1 of 1:
| IP Offered: 192.168.1.127
| DHCP Message Type: DHCPOFFER
| Subnet Mask: 255.255.255.0
| Renewal Time Value: 4d00h00m00s
| Rebinding Time Value: 7d00h00m00s
| IP Address Lease Time: 8d00h00m00s
| Server Identifier: 192.168.1.1
| Router: 192.168.1.1
|_ Domain Name Server: 22.214.171.124, 126.96.36.199
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.43 seconds
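As an added example (not part of the original post, and not nmap's own Lua script), here is a small Python decoder for the DHCP message behind those fields: it reads the offered address from the BOOTP header and the RFC 2132 options (53 message type, 1 subnet mask, 3 router, 6 DNS, 51/58/59 timers, 54 server identifier), and runs over a constructed DHCPOFFER that carries the same values as the output above.

```python
import struct
from ipaddress import IPv4Address

# RFC 2132 option codes behind the fields the nmap script prints
OPTION_NAMES = {1: "Subnet Mask", 3: "Router", 6: "Domain Name Server",
                51: "IP Address Lease Time", 53: "DHCP Message Type",
                54: "Server Identifier", 58: "Renewal Time Value",
                59: "Rebinding Time Value"}
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}
IP_OPTIONS, TIME_OPTIONS = {1, 3, 6, 54}, {51, 58, 59}
MAGIC_COOKIE = b"\x63\x82\x53\x63"     # marks the start of the options field

def fmt_seconds(secs):
    """Render seconds the way nmap does, e.g. 345600 -> 4d00h00m00s."""
    d, h, m, s = secs // 86400, secs // 3600 % 24, secs // 60 % 60, secs % 60
    return f"{d}d{h:02d}h{m:02d}m{s:02d}s"

def parse_dhcp(packet):
    """Decode a DHCP message (BOOTP header + options) into nmap-style fields."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    fields = {"IP Offered": str(IPv4Address(packet[16:20]))}   # yiaddr
    data, i = packet[240:], 0
    while i < len(data) and data[i] != 255:        # 255 = end option
        code = data[i]
        if code == 0:                              # 0 = pad, has no length byte
            i += 1
            continue
        length = data[i + 1] if i + 1 < len(data) else -1
        value = data[i + 2:i + 2 + length]
        if len(value) != length:                   # option runs off the packet
            raise ValueError(f"option {code} truncated")
        i += 2 + length
        name = OPTION_NAMES.get(code, f"Option {code}")
        if code in IP_OPTIONS and length % 4 == 0:
            fields[name] = ", ".join(str(IPv4Address(value[j:j + 4]))
                                     for j in range(0, length, 4))
        elif code in TIME_OPTIONS and length == 4:
            fields[name] = fmt_seconds(struct.unpack("!I", value)[0])
        elif code == 53 and length == 1:
            fields[name] = MESSAGE_TYPES.get(value[0], str(value[0]))
        else:
            fields[name] = value.hex()             # unknown or malformed: keep raw
    return fields

# Constructed DHCPOFFER carrying the same values as the nmap output above
SAMPLE_OFFER = (b"\x02\x01\x06\x00\xde\xad\xbe\xef" + b"\x00" * 8          # op..ciaddr
                + bytes([192, 168, 1, 127]) + b"\x00" * 216 + MAGIC_COOKIE  # yiaddr..cookie
                + b"\x35\x01\x02\x01\x04\xff\xff\xff\x00\x3a\x04\x00\x05\x46\x00"
                + b"\x3b\x04\x00\x09\x3a\x80\x33\x04\x00\x0a\x8c\x00\x36\x04\xc0\xa8\x01\x01"
                + b"\x03\x04\xc0\xa8\x01\x01\x06\x08\x16\xd6\xab\x7c\x7e\x60\x24\xc7\xff")
```

Feeding `parse_dhcp` the raw UDP payload of a captured offer reproduces the script's field list, and a truncated option raises instead of silently yielding a partial address.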
Using sslsnoop you can dump the session keys of a running SSH session and decrypt its traffic. Supported ciphers are: aes128-ctr, aes192-ctr, aes256-ctr, blowfish-cbc, cast128-cbc.
Basic sslsnoop usage:
$ sudo sslsnoop # try ssh, sshd and ssh-agent… for various things
$ sudo sslsnoop-openssh live `pgrep ssh` # dumps SSH decrypted traffic in outputs/
$ sudo sslsnoop-openssh offline --help # dumps SSH decrypted traffic in outputs/ from a pcap file
$ sudo sslsnoop-openssl `pgrep ssh-agent` # dumps RSA and DSA keys