Scan Optimization
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per secondTiming Templates
T0 to T5—the lower the number, the slower and stealthier the scan. Higher numbers speed up the scan but may be more detectable.
Here’s a table on Nmap optimization with timing templates:
0
Paranoid
Use for stealth scans when avoiding detection is critical.
1
Sneaky
Use when scanning a network with strict security measures in place.
2
Polite
Use for slower scans that reduce the chance of overwhelming the target. Ideal for sensitive networks.
3
Normal
Use for general scanning purposes when you want a balance between speed and stealth.
4
Aggressive
Use when speed is a priority, and stealth is less of a concern, such as on friendly networks.
5
Insane
Use for very quick scans in controlled environments where speed is paramount and detection is not a concern.
--max-retries
This option caps the number of times Nmap will retransmit a probe for a port scan if no response is received. Lowering this value can speed up scans but may result in missed open ports due to dropped packets.
nmap --max-retries 2 192.168.1.1In this example, Nmap will attempt to resend probes for each port a maximum of 2 times.
--host-timeout
This option sets a timeout for how long Nmap will wait for a response from a target before giving up. It can prevent long waits on unresponsive hosts.
nmap --host-timeout 30s 192.168.1.1Here, Nmap will stop scanning the host if it takes longer than 30 seconds to respond.
--scan-delay/--max-scan-delay
This option adjusts the delay between sending probes. Adding a delay can help to avoid detection by intrusion detection systems (IDS).
nmap --scan-delay 1s 192.168.1.1In this case, Nmap will wait 1 second between sending each probe.
--min-rate
This option ensures that Nmap sends packets at a minimum rate of the specified number per second. This is useful for increasing scan speed.
nmap --min-rate 100 192.168.1.1Here, Nmap will send packets at a minimum rate of 100 packets per second.
--max-rate
This option caps the maximum rate of packets sent per second. It can help manage network load and reduce the risk of triggering security alarms.
nmap --max-rate 50 192.168.1.1In this example, Nmap will send no more than 50 packets per second during the scan.
Example
nmap -Pn -T4 --open -sS -sC -sV --min-rate=1000 --max-retries=3 -p- -oN scanReportForHost2 [TARGET]-T4: This sets the timing template to "Aggressive." It speeds up the scan by reducing the wait time for responses. It’s useful for scans on trusted networks where detection is not a major concern.
--min-rate=1000: This specifies that Nmap should send packets at a minimum rate of 1000 packets per second. This helps to accelerate the scanning process, allowing for quicker results, especially useful in high-speed networks.
--max-retries=3: This limits the number of times Nmap will retransmit a probe for a port scan to a maximum of 3 times. This setting balances speed and accuracy, allowing for a quick scan while still making an effort to receive responses from the target.
Last updated