HakTip 100 – NMap 101: Timing Options Part 1
Shannon Morse covers several options you can use in NMap to change the timing of your port scans.
There are occasions where slowing down or speeding up your scan can help you receive better detailed outputs from NMap. For example, if you’re on a slow connection, you may want to slow down your scan to give you more accurate results. There are several options you can add to your command to make this happen, so lets go through some of the important ones. First off I should probably mention how NMap looks at times. It automatically puts time into a millisecond format, so for example, if you type 100, that would be 100 milliseconds. Pretty fast!
If you type 100s, that would be 100 seconds. 1m would be 1 minute. 1h would be one hour. 1000 milliseconds is the same as 1 second, so if my command included 1000, I could also type 1s instead.
There are also timing templates you can add to your NMap command. If I typed my command out as: nmap -T0 10.73.31.45, this would force nmap to go very slowly. I can add a parameter up to -T5 (0-5) to make it go extremely fast.
NMap will send out a scan with several parallel port scans at one time. You can control this, with the –max-parallelism or –min-parallelism option. If I type: nmap –max-parallelism 4 10.73.31.45, the maximum number of ports that nmap will scan at any given time will be 4.
Alternatively, using –min-parallelism 100 will tell NMap it can scan no less than 100 ports at the same time which may result in less accuracy.
Let’s move on to host group sizes. These commands will tell NMap how many hosts to scan at the same time on a network. So if I typed: nmap –min-hostgroup 10 10.73.31.1/24, it would scan a minimum of 10 hosts at the same time, which can speed up a scan. You can also use –max-hostgroup 10 10.73.31.1/24 to set the maximum number of hosts to scan.
Here’s another fun one: use this command to change the RTT Timeout value (which is the default round-trip time in milliseconds before NMap has a timeout). Use the command: nmap –initial-rtt-timeout 6000 10.73.31.45. Remember 6000 would be 6 seconds. You can also set the –max-rtt-timeout 350 10.73.31.45. The default in NMap is an RTT timeout at 10 seconds, which you can set lower to make a faster scan, or higher to keep NMap from giving up on a scan.
Lastly is the maximum retries NMap will try before it gives up. Use the command: nmap –max-retries 3 10.73.31.45.
And that’s it for today! We know plenty of timing options now! Next week we will cover the rest of the timing options. Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.