Phish/Watering Hole:

Try to get the user to navigate to our webpage or maybe poison a webpage with fingerprinting code in a watering hole attack.

UserAgent Lookup:

If you can grab the user agent of a client then you can look it up at the following link.

Scan TTLs:

Nmap NSE:

The Nmap NSE scripts will often give fingerprinting results based off of the many ways a host machine can be identified.