diff --git a/.gitignore b/.gitignore index a136337..af85f2a 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,8 @@ -*.pdf +* + +!*.md +!img/ +!img/** +!Makefile +!.gitignore +!*.yml diff --git a/03_scanning.md b/03_scanning.md index 10da540..2b76310 100644 --- a/03_scanning.md +++ b/03_scanning.md @@ -10,6 +10,14 @@ ## Network tracing +* discover routes that packets take between systems + * allows constructing network diagrams +* sends ICMP/UDP/TCP packets with varying TTL +* requires routers to properly report dropped packets + * often disabled for performance/security reasons +* `traceroute` useful tool +* web-based [tools](https://tools.keycdn.com/traceroute) also available + ### IPv4 and IPv6 * important IPv4 headers @@ -21,23 +29,11 @@ * simpler than IPv4 -![IPv4 diagram](./img/ch03/ipv4_diagram.png) -![IPv6 diagram](./img/ch03/ipv6_diagram.png) - -### tracing - -* discover routes that packets take between systems - * allows constructing network diagrams -* sends ICMP/UDP/TCP packets with varying TTL -* requires routers to properly report dropped packets - * often disabled for performance/security reasons -* `traceroute` useful tool -* web-based [tools](https://tools.keycdn.com/traceroute) also available +![IPv4 diagram](./img/ch03/ipv4_diagram.png) ![IPv6 +diagram](./img/ch03/ipv6_diagram.png) ## Scanning -* Nmap does it all - ### TCP * 16-bit ports 
@@ -97,3 +93,140 @@ * traceroute * redirect messages expose network topology * ICMP address mask requests: determine subnet used by target host + +### Nmap + +* port scanner and all-in toolkit +* important tool when performing scanning +* TCP port scanning + * connect scan + * complete 3-way handshake + * can run without root + * not stealthy (connections can be logged) + * doesn't use nmap to craft packets + * syn scan/half-open scan + * runs as root + * only send initial SYN and listen for response + * detectable by firewall/NIDS + * ACK scan + * playing with control bits + * FIN scan: FIN bit of all packets set + * NULL scan: all bits set to 0 + * Xmas tree scan: FIN, PSH, URG set + * Maimon scan: FIN and ACK set +* UDP scanning + * scans specific UDP ports + * sends protocol-specific messages to well-known ports +* firewall spotting + * generate packets with invalid TCP or UDP checksum + * targets will drop these + * firewalls don't always check checksum and will send a RESET/ICMP port + unreachable instead + * allows detecting firewalls + * can also look for varying TTL values + * TTL on firewall RESET message will be higher as the firewall is + closer +* full support for IPv6 +* OS fingerprinting + * detect quirks of protocol behaviors for OS versions + * **active**: send special packets to detect behavior + * **passive**: observe patterns of network traffic (stealthy but less + accurate) +* version scanning + * detect versions of services running on host + * send packets to specific service types that reveal version information + * useful for crafting exploits + +### Other stuff + +* automated monitoring + * running nmap using cron can reveal changes in network + * tools like [masscan](https://github.com/robertdavidgraham/masscan) well + suited for this + * monitoring web applications also important + * [HTTPScreenshot](https://github.com/breenmachine/httpscreenshot): + take screenshots of websites + * [EyeWitness](https://github.com/RedSiege/EyeWitness): 
screenshots of + webpages, RDP and VNC servers, tries to login with default + credentials +* scanning cloud infrastructure + * lots of cloud usage + * companies often don't configure cloud service correctly + * very large IP addresses to search through + * use tools like [Shodan](https://www.shodan.io/) or + [Censys](https://search.censys.io/) + * automatically perform scans that can be accessed online + * allow monitoring target without direct contact +* badly configured S3 + * buckets that allow writing without authorisation + * subdomain takeover allows attacker to take over bucket URL +* packet crafting + * sometimes very specific/controlled packets are required + * tools like [Scapy](https://scapy.net/) allow crafting packets for various + protocols + * Python tool + * provides REPL to forge, send and receive packets + +## Vulnerability scanning + +* process used to identify security weaknesses and vulnerabilities in a system, + network or application + * involves using automated tools to scan systems for known vulnerabilities + and weaknesses + * critical component of a robust cybersecurity strategy + * automated scanning allows detecting problems before they're possibly + exploited +* key aspects + * **goal**: identify and address security flaws before they're exploited + * **scan types** + * network scanning + * web app scanning + * host scanning + * **process** + 1. discovery: identify all relevant devices, systems and applications + 2. scanning: use automated tools to scan targets for known + vulnerabilities + 3. analysis: analyse results for vulnerabilities and prioritize them + 4. 
reporting: generate report detailing results + * **frequency**: how often to perform scans + * **compliance**: many regulatory standards require regular vulnerability scanning + +### Methods + +* Nmap Scripting Engine (NSE) + * allows extending nmap with Lua scripts + * greatly broadens scope of nmap + * nmap comes with a ton of ready-to-use scripts + * perfect for vulnerability scanning +* [Tenable](https://www.tenable.com/) Nessus + * modern vulnerability scanner + * can detect tens of thousands of vulnerabilities + * free for personal use +* [OpenVAS](https://github.com/greenbone/) + * open-source vulnerability scanner + * less expansive than Nessus + +### Enumerating users + +* process of retrieving list of usernames for system +* numerous methods + * public sources of information (websites, emails...) + * pentest: ask for list of users (grey box) +* Linux + * local: `/etc/passwd` + * remotely + * `finger @IP` + * query NIS or LDAP server if present + * `enum4linux` tool +* Windows + * list users using SMB session + * possible anonymously on older versions of Windows + * if single user is known, listing all users is possible + +### Netcat + +* netcat is useful +* general purpose TCP and UDP network tool +* installed basically everywhere +* used for setting up reverse shells among other things +* it's just a useful network tunnel diff --git a/Makefile b/Makefile index ae1ddac..92fa6e5 100644 --- a/Makefile +++ b/Makefile @@ -1,2 +1,2 @@ samenvatting.pdf: *.md metadata.yml - pandoc --toc -o $@ $^ + pandoc --standalone --toc -o $@ $^ diff --git a/metadata.yml b/metadata.yml index dd7082c..06d697a 100644 --- a/metadata.yml +++ b/metadata.yml @@ -1,5 +1,7 @@ --- +title: Network Security Summary geometry: - top=30mm - left=30mm +- right=30mm ---
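Review bot: In the .gitignore hunk, the switch to an allow-list (`*` plus `!` exceptions) ignores every directory other than `img/` wholesale, including any Markdown later placed in a subdirectory, because git cannot re-include a file whose parent directory is excluded; `!*.md` only rescues top-level files. That is fine while the chapters stay at the top level, but a comment line at the top stating the intent (track only `*.md`, `img/`, `Makefile`, `*.yml` and this file) would save a later contributor from wondering why a new template or `.bib` file never shows up in `git status`.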
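Review bot: In the first 03_scanning.md hunk, the moved bullet `requires routers to properly report dropped packets` understates what the technique depends on: the router has to send an ICMP Time Exceeded reply when the TTL reaches zero, and it is that reply, which is often rate-limited or filtered, that reveals each hop. Suggest `requires routers to send ICMP Time Exceeded when the TTL expires`, and turn the fragment `traceroute useful tool` into a full phrase such as `traceroute is the standard tool`.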
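Review bot: In the second 03_scanning.md hunk the two image lines are merged into one paragraph with a line break inside the second alt text (`![IPv6` / `diagram](...)`), which changes how they render in the pandoc PDF build the Makefile performs: pandoc only turns an image into a captioned figure when it stands alone in its paragraph, so both diagrams become inline images without captions. Keep each image on its own line with a blank line between them, as they were before the move. Dropping `* Nmap does it all` is fine now that Nmap gets its own subsection in the later hunk.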
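Review bot: In the large 03_scanning.md hunk (`### Nmap` onward), several list items are mis-nested or too terse to be useful as notes. Under `TCP port scanning`, `playing with control bits` is a sibling of the scan types rather than the parent of the FIN/NULL/Xmas/Maimon entries, and `ACK scan` has no description at all (it classifies ports as filtered or unfiltered and never reports them open). `doesn't use nmap to craft packets` reads oddly; suggest `uses the OS connect() call, no raw packets needed`, and `runs as root` under the SYN scan should be `requires root (raw sockets)`. `badly configured S3` has ended up at the top level, so it no longer sits under `scanning cloud infrastructure`; indent it one level, and `very large IP addresses to search through` should be `very large IP address ranges`. `### Other stuff` and the Netcat bullets `netcat is useful` / `it's just a useful network tunnel` carry no information; a heading like `### Other tools and techniques` and a single bullet describing netcat would do. Finally, `less expansive than Nessus` under OpenVAS is ambiguous; if the point is coverage, `smaller set of vulnerability tests than Nessus` says it.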
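Review bot: In the Makefile hunk, `--standalone` is implied whenever pandoc writes PDF, so the flag changes nothing for `samenvatting.pdf`; it is harmless, and only matters if an HTML target is added later. Note also that `$^` passes `metadata.yml` as a positional input, which works only because the file is parsed as Markdown consisting of a single YAML block, so the `---` delimiters in metadata.yml are load-bearing; `--metadata-file=metadata.yml $(filter %.md,$^)` states the intent explicitly and does not depend on that.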
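Review bot: In the metadata.yml hunk, `right=30mm` is added but no `bottom` margin, so the page now has matching left/right margins and an unmatched top/bottom pair; either add `- bottom=30mm` or replace the three entries with a single `- margin=30mm`, which the geometry package accepts. The `title:` addition is fine and will be picked up by `--toc`/title-page rendering.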