HakTip 100 – NMap 101: Timing Options Part 1

Shannon Morse covers several options you can use in NMap to change the timing of your port scans.


There are occasions where slowing down or speeding up your scan can help you get more detailed output from NMap. For example, if you’re on a slow connection, you may want to slow down your scan to get more accurate results. There are several options you can add to your command to make this happen, so let’s go through some of the important ones. First off, I should probably mention how NMap looks at times. It automatically puts time into a millisecond format, so for example, if you type 100, that would be 100 milliseconds. Pretty fast!

If you type 100s, that would be 100 seconds. 1m would be 1 minute. 1h would be one hour. 1000 milliseconds is the same as 1 second, so if my command included 1000, I could also type 1s instead.

There are also timing templates you can add to your NMap command. If I typed my command out as: nmap -T0, this would force nmap to go very slowly. I can add a parameter up to -T5 (0-5) to make it go extremely fast.

NMap will send out a scan with several parallel port scans at one time. You can control this with the --max-parallelism or --min-parallelism option. If I type: nmap --max-parallelism 4, the maximum number of ports that nmap will scan at any given time will be 4.

Alternatively, using --min-parallelism 100 will tell NMap it can scan no fewer than 100 ports at the same time, which may result in less accuracy.

Let’s move on to host group sizes. These options tell NMap how many hosts to scan at the same time on a network. So if I typed: nmap --min-hostgroup 10, it would scan a minimum of 10 hosts at the same time, which can speed up a scan. You can also use --max-hostgroup 10 to set the maximum number of hosts to scan.

Here’s another fun one: use this option to change the RTT timeout value (which is the default round-trip time in milliseconds before NMap has a timeout). Use the command: nmap --initial-rtt-timeout 6000. Remember, 6000 would be 6 seconds. You can also set --max-rtt-timeout 350. The default in NMap is an RTT timeout of 10 seconds, which you can set lower to make a faster scan, or higher to keep NMap from giving up on a scan.

Lastly, there is the maximum number of retries NMap will attempt before it gives up. Use the command: nmap --max-retries 3
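
The script below is an added example, not part of the original show notes. It converts the time formats described above to milliseconds and assembles the timing options into one argument string, writing each value with an explicit ms suffix because current Nmap releases read a bare number as seconds. The function names, the initial-versus-maximum RTT check and the 192.0.2.0/24 documentation range are assumptions of this example; nothing is scanned, the command is only printed.

```sh
# to_ms SPEC: print SPEC in milliseconds. A bare number is read as
# milliseconds (this article's convention); ms, s, m and h are accepted.
to_ms() {
  case $1 in
    *ms) n=${1%ms}; mult=1 ;;
    *s)  n=${1%s};  mult=1000 ;;
    *m)  n=${1%m};  mult=60000 ;;
    *h)  n=${1%h};  mult=3600000 ;;
    *)   n=$1;      mult=1 ;;
  esac
  # Reject empty or non-numeric values ("s", "1.5s", "-5"). Leading zeros
  # are rejected too, so the shell never reads the number as octal.
  case $n in ''|*[!0-9]*|0?*) return 1 ;; esac
  echo $((n * mult))
}

# timing_args TEMPLATE INITIAL_RTT MAX_RTT MAX_RETRIES
# Print the validated options, or fail with a message on stderr.
timing_args() {
  case $1 in [0-5]) ;; *) echo "template must be 0-5" >&2; return 1 ;; esac
  init=$(to_ms "$2") || { echo "bad time value: $2" >&2; return 1; }
  max=$(to_ms "$3") || { echo "bad time value: $3" >&2; return 1; }
  case $4 in ''|*[!0-9]*) echo "bad retry count: $4" >&2; return 1 ;; esac
  # Check made by this example: an initial timeout above the maximum
  # is contradictory, so refuse to build the command.
  [ "$init" -le "$max" ] || { echo "initial RTT exceeds max RTT" >&2; return 1; }
  echo "-T$1 --initial-rtt-timeout ${init}ms --max-rtt-timeout ${max}ms --max-retries $4"
}

# Constructed demo values; 192.0.2.0/24 is a documentation-only range.
echo "nmap $(timing_args 3 6000 10s 3) 192.0.2.0/24"
```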

And that’s it for today! We know plenty of timing options now! Next week we will cover the rest of the timing options. Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5, for more great stuff just like this. I’ll be there, reminding you to trust your technolust.
