Scan Optimization
Timing Templates
T0
to T5
—the lower the number, the slower and stealthier the scan. Higher numbers speed up the scan but may be more detectable.
Here’s a table on Nmap optimization with timing templates:
0
Paranoid
Use for stealth scans when avoiding detection is critical.
1
Sneaky
Use when scanning a network with strict security measures in place.
2
Polite
Use for slower scans that reduce the chance of overwhelming the target. Ideal for sensitive networks.
3
Normal
Use for general scanning purposes when you want a balance between speed and stealth.
4
Aggressive
Use when speed is a priority, and stealth is less of a concern, such as on friendly networks.
5
Insane
Use for very quick scans in controlled environments where speed is paramount and detection is not a concern.
--max-retries
This option caps the number of times Nmap will retransmit a probe for a port scan if no response is received. Lowering this value can speed up scans but may result in missed open ports due to dropped packets.
In this example, Nmap will attempt to resend probes for each port a maximum of 2 times.
--host-timeout
This option sets a timeout for how long Nmap will wait for a response from a target before giving up. It can prevent long waits on unresponsive hosts.
Here, Nmap will stop scanning the host if it takes longer than 30 seconds to respond.
--scan-delay/--max-scan-delay
This option adjusts the delay between sending probes. Adding a delay can help to avoid detection by intrusion detection systems (IDS).
In this case, Nmap will wait 1 second between sending each probe.
--min-rate
This option ensures that Nmap sends packets at a minimum rate of the specified number per second. This is useful for increasing scan speed.
Here, Nmap will send packets at a minimum rate of 100 packets per second.
--max-rate
This option caps the maximum rate of packets sent per second. It can help manage network load and reduce the risk of triggering security alarms.
In this example, Nmap will send no more than 50 packets per second during the scan.
Example
-T4
: This sets the timing template to "Aggressive." It speeds up the scan by reducing the wait time for responses. It’s useful for scans on trusted networks where detection is not a major concern.
--min-rate=1000
: This specifies that Nmap should send packets at a minimum rate of 1000 packets per second. This helps to accelerate the scanning process, allowing for quicker results, especially useful in high-speed networks.
--max-retries=3
: This limits the number of times Nmap will retransmit a probe for a port scan to a maximum of 3 times. This setting balances speed and accuracy, allowing for a quick scan while still making an effort to receive responses from the target.
Last updated