Scanning Performance

Introduction

  • Scanning performance plays a significant role when we need to scan an extensive network or are dealing with low network bandwidth.

  • We can use various options to tell Nmap

    • How fast (-T <0-5>)

    • With which frequency (--min-parallelism <Number>)

    • Which timeouts (--max-rtt-timeout <Time>) the probe packets should have

    • How many packets should be sent simultaneously (--min-rate <Number>)

    • How many retries (--max-retries <Number>) to make for scanned ports that did not answer.

Time-outs

  • When Nmap sends a packet, it takes some time (the Round-Trip Time, RTT) to receive a response from the scanned port. Generally, Nmap starts with a high timeout (--min-rtt-timeout) of 100ms.

  • The shorter the RTT, the faster the scan.

  • Example: sudo nmap 10.129.2.0/24 -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms

  • However, we must take care: setting the initial RTT timeout (--initial-rtt-timeout) to too short a period may cause us to overlook hosts that simply answer slowly.

Max Retries

  • Another way to increase the scans' speed is to specify the retry rate of the sent packets (--max-retries).

  • The default value for the retry rate is 10. If we reduce it to 0 and Nmap does not receive a response for a port, it will not send any more packets to that port, and the port will be skipped.

  • Example: sudo nmap 10.129.2.0/24 -F --max-retries 0

Rate

  • If we know the network bandwidth, we can work with the rate of packets sent, which significantly speeds up our scans with Nmap.

  • When setting the minimum rate (--min-rate) for sending packets, we tell Nmap to simultaneously send the specified number of packets.

  • Example: sudo nmap 10.129.2.0/24 -F -oN tnet.minrate300 --min-rate 300

Timing

  • Nmap offers six different timing templates (-T <0-5>) for us to use.

  • A timing template sets the values discussed earlier, alongside other values, in one go, so we do not have to tune each option by hand (Details: https://nmap.org/book/performance-timing-templates.html)

  • These values (0-5) determine the aggressiveness of our scans.

  • The default timing template, used when we have defined nothing else, is normal (-T 3).

  • Timing options:

    • -T 0 / -T paranoid

    • -T 1 / -T sneaky

    • -T 2 / -T polite

    • -T 3 / -T normal

    • -T 4 / -T aggressive

    • -T 5 / -T insane
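The following shell script is an added example, not part of the original notes or of Nmap itself. It ties the Time-outs, Max Retries, Rate and Timing sections together: a helper assembles a tuned nmap command line from those options and refuses values that make no sense (an initial RTT timeout above the maximum, a template outside 0-5, a negative retry count), and a second pair of helpers reads the "Nmap done:" summary line that -oN output ends with, so a tuned scan can be compared with a baseline and a drop in the number of hosts found (the "overlooked hosts" caveat above) is caught rather than silently accepted. The function names and the three summary lines are constructed for the example; the scan durations and host counts are made up.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not nmap options): assemble a tuned nmap
# command from the performance options in these notes and compare the summary
# lines of a baseline scan and a faster one.

# nmap_perf_cmd TARGET TEMPLATE INITIAL_RTT_MS MAX_RTT_MS MAX_RETRIES MIN_RATE
# Prints the command line, or prints nothing and returns 1 if a value is unsafe.
nmap_perf_cmd() {
    target=$1; template=$2; init_rtt=$3; max_rtt=$4; retries=$5; rate=$6

    # -T accepts only the six templates 0 (paranoid) to 5 (insane)
    case $template in
        [0-5]) ;;
        *) echo "template must be 0-5" >&2; return 1 ;;
    esac
    # the initial RTT timeout must be positive and not exceed the maximum,
    # otherwise nmap is asked to give up on probes before it is allowed to wait
    if [ "$init_rtt" -le 0 ] || [ "$max_rtt" -lt "$init_rtt" ]; then
        echo "initial-rtt-timeout must be >0 and <= max-rtt-timeout" >&2; return 1
    fi
    if [ "$retries" -lt 0 ] || [ "$rate" -le 0 ]; then
        echo "max-retries must be >=0 and min-rate >0" >&2; return 1
    fi
    printf 'nmap %s -F -T%s --initial-rtt-timeout %sms --max-rtt-timeout %sms --max-retries %s --min-rate %s\n' \
        "$target" "$template" "$init_rtt" "$max_rtt" "$retries" "$rate"
}

# hosts_up SUMMARY_LINE: prints the "hosts up" count from an "Nmap done:" line
# (nmap writes "1 host up" in the singular, hence the optional "s")
hosts_up() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9]*\) hosts\{0,1\} up).*/\1/p'
}

# scan_seconds SUMMARY_LINE: prints the elapsed seconds from an "Nmap done:" line
scan_seconds() {
    printf '%s\n' "$1" | sed -n 's/.*scanned in \([0-9.]*\) seconds.*/\1/p'
}

# compare_runs BASELINE_LINE FAST_LINE: returns 0 when the faster run found at
# least as many hosts as the baseline, 1 when hosts went missing, which means
# the RTT/retry settings were too aggressive for this network
compare_runs() {
    base=$(hosts_up "$1"); fast=$(hosts_up "$2")
    if [ "$fast" -lt "$base" ]; then
        echo "fast scan lost $((base - fast)) host(s): back off the RTT/retry settings" >&2
        return 1
    fi
    echo "fast scan kept all $base host(s) ($(scan_seconds "$1")s -> $(scan_seconds "$2")s)"
}

# Constructed sample summary lines standing in for the last line of three -oN files
BASELINE_DONE='Nmap done: 256 IP addresses (10 hosts up) scanned in 39.44 seconds'
FAST_DONE='Nmap done: 256 IP addresses (8 hosts up) scanned in 12.29 seconds'
OK_DONE='Nmap done: 256 IP addresses (10 hosts up) scanned in 15.81 seconds'

# Demonstration: the tuned command from the notes, a rejected one, and both comparisons
nmap_perf_cmd 10.129.2.0/24 4 50 100 0 300
nmap_perf_cmd 10.129.2.0/24 4 200 100 0 300 || echo "rejected, as expected"
compare_runs "$BASELINE_DONE" "$FAST_DONE" || echo "fast tuning dropped hosts"
compare_runs "$BASELINE_DONE" "$OK_DONE"
```

Prefix the printed command with sudo when a raw-socket scan is needed, as in the notes' own examples; the checks only cover the option values, so a run that passes them can still overlook hosts on a slow link, which is exactly what the comparison of the two summary lines is there to reveal.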
