I am currently reading up on Nmap (Network Mapper) as I prepare for my Offensive Security Certified Professional (PWK OSCP). I will definitely be writing further blog posts on this subject, but I found this tidbit extremely useful.
Scan the entire subnet to find the DNS server. Once you have found the DNS server, you can point Nmap at it with --dns-server so that the reverse lookups in your scans return hostnames as well:
nmap --top-ports 10 --open --dns-server 10.11.1.??? -oA nmap/top10_all_hosts 10.11.1.0/24
This will help you better understand some of the relationships between the machines. It’s also a great way of finding the hard boxes (the “big four”) right away in the OSCP exam.
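With -oA, Nmap also writes a grepable .gnmap file whose Host: lines carry the reverse-DNS names that --dns-server resolved (an empty "()" means the DNS server had no PTR record). The Python below is an added example, not code from the original post: it parses that format into a host inventory, lists which addresses stayed unresolved, and groups the resolved names by domain, which is a quick way to see the relationships the post mentions. The sample .gnmap text, the hostnames, the lab.local domain and the 10.11.1.5 DNS address are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Nmap grepable (.gnmap) output, as written by -oA.
# The DNS server address 10.11.1.5 and every hostname below are made up.
SAMPLE_GNMAP = """\
# Nmap 7.91 scan initiated Mon Jan  1 00:00:00 2021 as: nmap --top-ports 10 --open --dns-server 10.11.1.5 -oA nmap/top10_all_hosts 10.11.1.0/24
Host: 10.11.1.5 (dc01.lab.local)\tStatus: Up
Host: 10.11.1.5 (dc01.lab.local)\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (7)
Host: 10.11.1.20 (web01.lab.local)\tStatus: Up
Host: 10.11.1.20 (web01.lab.local)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (8)
Host: 10.11.1.31 ()\tStatus: Up
Host: 10.11.1.31 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (9)
# Nmap done at Mon Jan  1 00:00:30 2021 -- 256 IP addresses (3 hosts up) scanned in 30.00 seconds
"""

# "Host: <ip> (<reverse-dns name or empty>)" opens every data line in .gnmap output.
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text):
    """Return {ip: {"hostname": str or None, "ports": [(port, proto, service), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines ("# Nmap ...") carry no host data
        ip, name = m.groups()
        entry = hosts.setdefault(ip, {"hostname": name or None, "ports": []})
        # Fields on a data line are tab-separated: "Host: ...", "Ports: ...", "Ignored State: ..."
        for field in line.split("\t"):
            if not field.startswith("Ports: "):
                continue
            # Each port spec is port/state/proto/owner/service/rpc/version/ separated by ", "
            for spec in field[len("Ports: "):].split(", "):
                parts = spec.split("/")
                port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
                if state == "open":
                    entry["ports"].append((port, proto, service))
    return hosts


def unresolved_hosts(hosts):
    """IPs for which the DNS server returned no PTR record, sorted for stable output."""
    return sorted(ip for ip, h in hosts.items() if h["hostname"] is None)


def group_by_domain(hosts):
    """Group IPs by the domain part of their reverse-DNS name; unresolved hosts form their own group."""
    groups = defaultdict(list)
    for ip, h in hosts.items():
        name = h["hostname"]
        domain = name.split(".", 1)[1] if name and "." in name else "(unresolved)"
        groups[domain].append(ip)
    return dict(groups)


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for ip, h in inventory.items():
        ports = ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in h["ports"])
        print(f"{ip:<12} {h['hostname'] or '-':<20} {ports}")
    print("unresolved:", unresolved_hosts(inventory))
    print("by domain:", group_by_domain(inventory))
```

Run it against your own nmap/top10_all_hosts.gnmap by reading the file into parse_gnmap instead of SAMPLE_GNMAP. Hosts that show up in unresolved_hosts are the ones the chosen DNS server does not know about, which is the cue to check whether the subnet has a second DNS server worth passing to --dns-server.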