ARP Neighbor Cache Fingerprinter is a tool that provides a mechanism for remote operating system detection by extrapolating characteristics of the target system's underlying neighbor cache and general ARP behavior. Given the non-existence of any standard specification for how the neighbor cache should behave, several differences in network stack implementations can be used for unique identification. The main disadvantage of this tool versus traditional fingerprinting is that because it's based on a Layer 2 protocol instead of a Layer 3 protocol, the target machine that is being tested must reside on the same Ethernet broadcast domain (usually the same physical network).
Chaosmap is an information gathering tool and DNS, Whois, and Web server scanner. It can be used to look up DNS names with a dictionary with or without using a salt. Salting for DNS means it will append numbers from 1-9 to the name in the dictionary with or without a - and _ or a leading 0. Salting for Web stuff will try double slashes and some directory traversal tricks. It performs reverse DNS lookups of a whole IP range (with optional Whois lookup) and dictionary scans for hidden paths on one Web server or a range of IP addresses. Optionally you can encode a path with URL encoding use Google dict lookup mode to find the path on Google and only query the Webserver if there are no search results. It can also extract email addresses from domains using a Google search or perform a list of Google Hacking queries on your domain.