
11. Nmap Scan Timing & Performance

1. nmap -sT -T0 192.168.1.1

  • Options:
    • -sT: Initiates a TCP connect scan, completing the three-way handshake for each port.
    • -T0: Selects the slowest timing template (templates range from -T0 to -T5). Slower scans are less likely to be detected but take much longer.
  • Usage: Useful for stealth scanning, or on unstable networks where faster probing could overwhelm the target.

Note: Timing templates (T0-T5) determine the speed of the scan. Higher values are faster but more aggressive.


2. nmap -sS -p21-80 --min-parallelism 30 192.168.1.1

  • Options:
    • -sS: Initiates a SYN scan (stealthier than -sT as it doesn’t complete the TCP handshake).
    • -p21-80: Scans ports in the range 21 to 80.
    • --min-parallelism 30: Ensures at least 30 probes are sent in parallel.
  • Usage: Increases scan speed by sending more probes simultaneously, ideal for larger networks.

3. nmap -sS -p21-80 --max-parallelism 5 192.168.1.1

  • Options:
    • --max-parallelism 5: Limits to a maximum of 5 probes at a time.
  • Usage: Slows down the scan to avoid detection by an IDS/IPS, or when targeting fragile networks.

Note: Parallelism controls the number of concurrent probes. Higher values increase speed but may trigger alarms.


4. nmap -sS -F --min-hostgroup 20 192.168.1.1

  • Options:
    • -F: Performs a fast scan, scanning only the most common 100 ports.
    • --min-hostgroup 20: Ensures at least 20 hosts are scanned in parallel (this only matters when scanning multiple targets; with the single address shown it has no effect).
  • Usage: Speeds up scans for larger target lists when focusing on fewer ports.

5. nmap -sS -F --max-hostgroup 10 192.168.1.1

  • Options:
    • --max-hostgroup 10: Limits the scan to a maximum of 10 hosts in parallel.
  • Usage: Slows down host scanning to reduce the risk of detection or when working with limited bandwidth.

Note: Hostgroup options (--min-hostgroup and --max-hostgroup) control how many hosts are scanned concurrently.


6. nmap -Pn -p- 192.168.1.1/24 --host-timeout 30s

  • Options:
    • -Pn: Skips host discovery (the ping step) and treats every target as online.
    • -p-: Scans all 65,535 ports.
    • 192.168.1.1/24: Scans all hosts in the 192.168.1.x subnet.
    • --host-timeout 30s: Gives up on a host if scanning it takes longer than 30 seconds. A host that times out is skipped, and no port results are printed for it.
  • Usage: Effective for quick scans on a subnet, especially when dealing with unresponsive hosts.

Note: -Pn is helpful when ICMP echo requests are blocked, and --host-timeout caps the time spent on any one host.


7. nmap -sT --scan-delay 5s 192.168.1.1

  • Options:
    • --scan-delay 5s: Waits at least 5 seconds between probes sent to a given host.
  • Usage: Avoids detection by an IDS/IPS by slowing down the scan to mimic legitimate traffic.

8. nmap -sT --min-rate 20 192.168.1.1

  • Options:
    • --min-rate 20: Tells Nmap to try to keep the send rate at or above 20 packets per second.
  • Usage: Speeds up the scan by maintaining a consistent flow of packets.

9. nmap -sT --max-rate 2 192.168.1.1

  • Options:
    • --max-rate 2: Limits the scan to a maximum of 2 packets per second.
  • Usage: Slows down the scan for stealth or when avoiding network overload.
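
The slow settings above work against detection that counts probes per short time window. The following added example (not part of the original page) runs that kind of check, and a long-window distinct-port count, over constructed firewall records; the source addresses, record format and thresholds are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

TARGET = "192.168.1.1"  # target address used on this page

def constructed_events():
    """Constructed firewall records: (epoch_seconds, src_ip, dst_ip, dst_port)."""
    events = []
    # 10.0.0.5: ports 21-80 swept in under 2 seconds (fast, parallel scan)
    events += [(1000 + i * 0.03, "10.0.0.5", TARGET, 21 + i) for i in range(60)]
    # 10.0.0.6: same ports, one probe every 5 s, as --scan-delay 5s would produce
    events += [(1000 + i * 5, "10.0.0.6", TARGET, 21 + i) for i in range(60)]
    # 10.0.0.7: ordinary client reusing two services
    events += [(1000 + i * 7, "10.0.0.7", TARGET, (80, 443)[i % 2]) for i in range(40)]
    return events

def max_distinct_ports(events, window):
    """Per (src, dst): most distinct destination ports seen within any `window` seconds."""
    flows = defaultdict(list)
    for ts, src, dst, dport in events:
        flows[(src, dst)].append((ts, dport))
    result = {}
    for key, probes in flows.items():
        probes.sort()
        in_window, left, best = Counter(), 0, 0
        for ts, dport in probes:
            in_window[dport] += 1
            # Evict probes that are `window` seconds or more older than this one
            while probes[left][0] <= ts - window:
                old = probes[left][1]
                in_window[old] -= 1
                if not in_window[old]:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        result[key] = best
    return result

def flag_scanners(events, window, threshold):
    """Sources that touched at least `threshold` distinct ports on one host in `window` s."""
    spread = max_distinct_ports(events, window)
    return sorted({src for (src, _dst), n in spread.items() if n >= threshold})

if __name__ == "__main__":
    ev = constructed_events()
    print("10 s window :", flag_scanners(ev, window=10, threshold=15))
    print("1 h window  :", flag_scanners(ev, window=3600, threshold=15))
```

The 10-second window flags only the fast sweep, while the one-hour window also flags the delayed scan, because the count of distinct ports per source does not depend on how slowly they were probed.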

Summary Notes

  • Timing and Speed:
    • Use -T templates for quick adjustments, or fine-tune with --min-rate and --max-rate.
  • Parallelism:
    • Adjust parallelism (--min-parallelism, --max-parallelism) for better speed control during scans.
  • Hostgroup:
    • Use --min-hostgroup and --max-hostgroup for multi-host scans.
  • Delays:
    • Use --scan-delay for stealth, or a timeout (--host-timeout) for efficiency.
  • Port Ranges:
    • Use -p to focus on specific ports or -p- for all ports.