When the scanning process is in progress there are typical steps a penetration tester usually perform. This methodology is designed so that all important steps are planned and performed. During all penetration tests a plan of attack is needed so that nothing important is missed and so that the penetration testing team does not tray too far from the grand plan while looking for potential issues that the doesn't do the tests that was agreed upon with the customer.

Some of these steps include the following:

Check for live systems
This is usually done with ICMP echo packets by pinging a target device to determine if it is live or not. Live hosts may sometimes return an ICMP echo reply packet. Several devices can be scanned once using a ping sweep. Ping sweeping in an IPv6 environment is less feasible because of the huge amount of addresses present and discovering live systems may be done by sniffing network traffic, looking through logs, header information etc.

Check for Open ports
For each device found to be live, a port scan is performed to determine which services the devices offer. This may include both TCP and UDP services. This may include services that are scanned using multicast addresses such as SSDP which is a part of UPnP that works on UDP port 1900 and listen on IPv4 multicast address 239.255.255.250 and the IPv6 well-known address ff02::c for link local, ff05:c for the deprecated site local scope, ff08::c for organization local and ff0e::c for the global scope. SSDP is known to be used as an reflection attack with amplification.

Scanning beyond IDS
Attempt to bypass IDS systems in place by the use of fragmented IP packages, source address spoofing, source routing. Use proxies or compromised hosts to launch attacks from.

Banner grabbing
Banner grabbing and OS fingerprinting can sometimes help determining the service software version and the operation system. When performing active banner grabbing the target is actively being probed using specially crafted packages and the response is analyzed in different ways to find which services and operating systems the target may be running. Passive banner grabbing is performed by looking at error messages, capturing and analyzing packets and examining web page extensions that may reveal application version information.

Scan for vulnerabilities
Perform a scan to determine if any known vulnerabilities or weaknesses are present. This includes both network, application and service vulnerabilities. While scanning for vulnerabilities, application and services configuration issues are in scope and may present a risk and may give an attacker options for different kinds of attacks.

Draw network diagrams
Drawing out the findings may help a penetration tester get an overview and will also aid in memorizing the network layout. Don't count on memory for everything. This will also benefit the rest of the penetration testing team and will assist as a reference when planning and executing various attacks. Both physical and logical drawings can benefit when doing a penetration test and should contain important IP addresses.

Prepare proxies
Most organizations implement the use of both forwarding and reverse proxies. When proxies are utilized bare a penetration testing team or an attacker for that matter, the purpose is to hide the source address or use a source IP address that is not blocked on the path to the target or on the target itself by impersonating a whitelisted IP address. They can also be utilized to remotely access intranets and other web resources that are normally off limits. If needed proxy servers can be daisy chained by the use of proxy chaining to enhance the level of stealth and mask the source of the attack.