Scan Optimization

TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second

Timing Templates

T0 to T5—the lower the number, the slower and stealthier the scan. Higher numbers speed up the scan but may be more detectable.

Here’s a table on Nmap optimization with timing templates:

Timing Template
Name
When to Ideally Use

0

Paranoid

Use for stealth scans when avoiding detection is critical.

1

Sneaky

Use when scanning a network with strict security measures in place.

2

Polite

Use for slower scans that reduce the chance of overwhelming the target. Ideal for sensitive networks.

3

Normal

Use for general scanning purposes when you want a balance between speed and stealth.

4

Aggressive

Use when speed is a priority, and stealth is less of a concern, such as on friendly networks.

5

Insane

Use for very quick scans in controlled environments where speed is paramount and detection is not a concern.

--max-retries

This option caps the number of times Nmap will retransmit a probe for a port scan if no response is received. Lowering this value can speed up scans but may result in missed open ports due to dropped packets.

nmap --max-retries 2 192.168.1.1

In this example, Nmap will attempt to resend probes for each port a maximum of 2 times.

--host-timeout

This option sets a timeout for how long Nmap will wait for a response from a target before giving up. It can prevent long waits on unresponsive hosts.

nmap --host-timeout 30s 192.168.1.1

Here, Nmap will stop scanning the host if it takes longer than 30 seconds to respond.

--scan-delay/--max-scan-delay

This option adjusts the delay between sending probes. Adding a delay can help to avoid detection by intrusion detection systems (IDS).

nmap --scan-delay 1s 192.168.1.1

In this case, Nmap will wait 1 second between sending each probe.

--min-rate

This option ensures that Nmap sends packets at a minimum rate of the specified number per second. This is useful for increasing scan speed.

nmap --min-rate 100 192.168.1.1

Here, Nmap will send packets at a minimum rate of 100 packets per second.

--max-rate

This option caps the maximum rate of packets sent per second. It can help manage network load and reduce the risk of triggering security alarms.

nmap --max-rate 50 192.168.1.1

In this example, Nmap will send no more than 50 packets per second during the scan.

Example

nmap -Pn -T4 --open -sS -sC -sV --min-rate=1000 --max-retries=3 -p- -oN scanReportForHost2 [TARGET]

-T4: This sets the timing template to "Aggressive." It speeds up the scan by reducing the wait time for responses. It’s useful for scans on trusted networks where detection is not a major concern.

--min-rate=1000: This specifies that Nmap should send packets at a minimum rate of 1000 packets per second. This helps to accelerate the scanning process, allowing for quicker results, especially useful in high-speed networks.

--max-retries=3: This limits the number of times Nmap will retransmit a probe for a port scan to a maximum of 3 times. This setting balances speed and accuracy, allowing for a quick scan while still making an effort to receive responses from the target.

Last updated