# Scan Optimization

```
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
```

## Timing Templates

Timing templates range from `-T0` to `-T5`. The lower the number, the **slower and stealthier the scan**; higher numbers speed up the scan but may be more detectable.

The table below lists each timing template and when to use it:

<table><thead><tr><th width="204">Timing Template</th><th width="108">Name</th><th>When to Ideally Use</th></tr></thead><tbody><tr><td>0</td><td>Paranoid</td><td>Use for stealth scans when avoiding detection is critical.</td></tr><tr><td>1</td><td>Sneaky</td><td>Use when scanning a network with strict security measures in place.</td></tr><tr><td>2</td><td>Polite</td><td>Use for slower scans that reduce the chance of overwhelming the target. Ideal for sensitive networks.</td></tr><tr><td>3</td><td>Normal</td><td>Use for general scanning purposes when you want a balance between speed and stealth.</td></tr><tr><td>4</td><td>Aggressive</td><td>Use when speed is a priority, and stealth is less of a concern, such as on friendly networks.</td></tr><tr><td>5</td><td>Insane</td><td>Use for very quick scans in controlled environments where speed is paramount and detection is not a concern.</td></tr></tbody></table>

## --max-retries

This option caps the number of times Nmap will retransmit a probe for a port scan if no response is received. Lowering this value can speed up scans but may result in missed open ports due to dropped packets.

```
nmap --max-retries 2 192.168.1.1
```

In this example, Nmap will attempt to resend probes for each port a maximum of 2 times.

## --host-timeout

This option sets the maximum time Nmap will spend on a single target before giving up on it. It can prevent long waits on slow or unresponsive hosts.

```
nmap --host-timeout 30s 192.168.1.1
```

Here, Nmap will give up on the host if scanning it takes longer than 30 seconds.

## --scan-delay/--max-scan-delay

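These options adjust the delay between probes: `--scan-delay` sets the delay Nmap waits between probes, and `--max-scan-delay` caps how far Nmap may raise that delay on its own. Adding a delay can help to avoid detection by intrusion detection systems (IDS).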

```
nmap --scan-delay 1s 192.168.1.1
```

In this case, Nmap will wait at least 1 second between probes sent to the host.

## --min-rate

This option ensures that Nmap sends packets at a minimum rate of the specified number per second. This is useful for increasing scan speed.

```
nmap --min-rate 100 192.168.1.1
```

Here, Nmap will send packets at a minimum rate of 100 packets per second.

## --max-rate

This option caps the maximum rate of packets sent per second. It can help manage network load and reduce the risk of triggering security alarms.

```
nmap --max-rate 50 192.168.1.1
```

In this example, Nmap will send no more than 50 packets per second during the scan.
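The throttling options above interact with `--host-timeout`: a scan slowed by `--scan-delay` or `--max-rate` can exceed the timeout and return nothing for the host. The sketch below is an added example, not part of Nmap or of the original page; it parses the `<time>` syntax from the help text and compares a lower bound on port-scan time with the timeout. It assumes a single host, counts one probe per port plus up to `--max-retries` retransmissions, and ignores Nmap's adaptive timing; the function names and sample plans are constructed for illustration.

```python
import re

UNITS = {"ms": 0.001, "s": 1.0, "m": 60.0, "h": 3600.0}

def parse_time(spec):
    """Convert an Nmap <time> value ('30m', '500ms', bare '45') to seconds."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(ms|s|m|h)?", spec.strip())
    if m is None:
        raise ValueError(f"not an Nmap time value: {spec!r}")
    return float(m.group(1)) * UNITS[m.group(2) or "s"]

def floor_seconds(probes, scan_delay=None, max_rate=None):
    """Shortest time in which `probes` packets can be sent to one host."""
    floor = 0.0
    if scan_delay is not None:   # at least this gap between consecutive probes
        floor = max(floor, (probes - 1) * parse_time(scan_delay))
    if max_rate is not None:     # never more than max_rate packets per second
        floor = max(floor, probes / max_rate)
    return floor

def check_plan(ports, max_retries, host_timeout, scan_delay=None, max_rate=None):
    """Compare the port-scan time floor with --host-timeout for a single host."""
    limit = parse_time(host_timeout)
    # Best case: every port answers the first probe.
    best = floor_seconds(ports, scan_delay, max_rate)
    # Worst case: every port uses all of its retransmissions.
    worst = floor_seconds(ports * (1 + max_retries), scan_delay, max_rate)
    if best > limit:
        verdict = "host will be abandoned"
    elif worst > limit:
        verdict = "host may be abandoned if probes are retransmitted"
    else:
        verdict = "throttle fits inside the timeout"
    return {"best_s": best, "worst_s": worst, "limit_s": limit, "verdict": verdict}

if __name__ == "__main__":
    # Constructed sample plans: all 65535 ports (-p-) and the default 1000 ports.
    plans = [
        dict(ports=65535, max_retries=3, host_timeout="30s", scan_delay="1s"),
        dict(ports=1000, max_retries=2, host_timeout="30s", max_rate=50),
        dict(ports=1000, max_retries=2, host_timeout="30m", max_rate=50),
    ]
    for plan in plans:
        print(plan, "->", check_plan(**plan))
```

The timeout clock also covers version detection and scripts, so a plan that fits here can still time out when `-sV` or `-sC` are added.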

## Example

{% code overflow="wrap" %}

```
nmap -Pn -T4 --open -sS -sC -sV --min-rate=1000 --max-retries=3 -p- -oN scanReportForHost2 [TARGET]
```

{% endcode %}

`-T4`: This sets the timing template to "Aggressive." It speeds up the scan by reducing the wait time for responses. It’s useful for scans on trusted networks where detection is not a major concern.

`--min-rate=1000`: This specifies that Nmap should send packets at a minimum rate of 1000 packets per second. This helps to accelerate the scanning process, allowing for quicker results, especially useful in high-speed networks.

`--max-retries=3`: This limits the number of times Nmap will retransmit a probe for a port scan to a maximum of 3 times. This setting balances speed and accuracy, allowing for a quick scan while still making an effort to receive responses from the target.
