Nmap scans can be very time-consuming. For a single target it is not much, but when scanning a number of targets it adds up. Nmap gives the user full control over how the tool behaves: certain parameters can be changed to tune timing and performance and so save time. The first and foremost tip, from Nmap itself, is to always run the latest version of Nmap. Now let's look at a few other options.
When Nmap probes a port and receives no response, it retransmits the initial probe. We can cap the number of retransmissions, or disable them entirely with a value of 0.
nmap --max-retries 0 nmap.scanme.org
This option lets us specify how much time Nmap may spend on each host; if that time is exceeded, Nmap gives up on that host and moves on.
nmap --host-timeout 1m nmap.scanme.org # spend at most one minute per host; if we give a list of hosts, Nmap applies the 1m limit to each host separately
This option adjusts the delay between probes. It is useful when the target rate-limits, and it can also help with evading an IDS or IPS.
nmap --scan-delay 2s nmap.scanme.org # delay of 2 seconds between each probe
There are many options beyond those mentioned above, but they can be confusing, which is why Nmap provides a timing template option that comes in six modes:
- Paranoid (-T0)
- Sneaky (-T1)
- Polite (-T2)
- Normal (-T3)
- Aggressive (-T4)
- Insane (-T5)
These templates decide the overall speed, i.e. how quickly probes are sent.
nmap -T5 nmap.scanme.org
It's generally best to use -T4: -T5 is so aggressive that it can sometimes crash hosts, while -T0, -T1, -T2, and -T3 are polite but can take a long time when scanning multiple hosts.
Another good way to improve performance is to scan only for what is needed. For example, Nmap scans 1000 ports per host by default, which is a lot, so it's better to specify the ports you want to scan and save time.
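The following is an added example, not code from the original post: a small POSIX shell helper that combines the options above (--max-retries, --host-timeout, --scan-delay, the -T template, and an explicit port list) into a reusable scan command for a target list. It assumes a hosts file with one target per line (fed to Nmap via its real -iL option), and the "polite" and "fast" profile names and the NMAP_DRY_RUN variable are my own choices for the example.

```shell
#!/bin/sh
# Added example (not from the original post): compose Nmap timing options into
# a reusable scan command. Assumes a hosts file with one target per line.
# Set NMAP_DRY_RUN=1 to print the command instead of executing it.

# Validate an Nmap time value: a number (decimals allowed) with an optional
# ms/s/m/h suffix, the same shape Nmap accepts for --host-timeout and --scan-delay.
valid_nmap_time() {
    n=$1
    case "$n" in
        *ms) n=${n%ms} ;;
        *s)  n=${n%s} ;;
        *m)  n=${n%m} ;;
        *h)  n=${n%h} ;;
    esac
    case "$n" in
        ''|'.'|*[!0-9.]*|*.*.*) return 1 ;;   # empty, bare dot, junk, or two dots
        *) return 0 ;;
    esac
}

# Timing arguments for a scan profile (profile names are invented for this example).
# "polite": -T2, a fixed 2s inter-probe delay and no retransmissions, for
#           rate-limited targets. "fast": the -T4 template the post recommends
#           plus a single retry. Both cap time per host with --host-timeout.
timing_args() {
    profile=$1; timeout=${2:-1m}
    valid_nmap_time "$timeout" || { echo "bad time value: $timeout" >&2; return 1; }
    case "$profile" in
        polite) echo "-T2 --scan-delay 2s --max-retries 0 --host-timeout $timeout" ;;
        fast)   echo "-T4 --max-retries 1 --host-timeout $timeout" ;;
        *)      echo "unknown profile: $profile" >&2; return 1 ;;
    esac
}

# Build the full command: profile timing, an explicit port list (instead of the
# default 1000 ports) and the targets read from the hosts file.
build_scan_cmd() {
    profile=$1; ports=$2; hostfile=$3; timeout=$4
    args=$(timing_args "$profile" "$timeout") || return 1
    echo "nmap $args -p $ports -iL $hostfile"
}

# Execute the command, or just print it when NMAP_DRY_RUN=1.
run_scan() {
    cmd=$(build_scan_cmd "$@") || return 1
    if [ "${NMAP_DRY_RUN:-0}" = "1" ]; then
        echo "$cmd"
    else
        $cmd
    fi
}

# Usage (dry run, prints the command that would be executed):
# NMAP_DRY_RUN=1 run_scan fast 22,80,443 hosts.txt
# NMAP_DRY_RUN=1 run_scan polite 22 hosts.txt 30s
```

Running with NMAP_DRY_RUN=1 first is a cheap way to review the exact options before a long scan of many hosts; the time-value check catches a mistyped --host-timeout before Nmap rejects it.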
That's it for this blog, thanks for reading. Next time we'll look at some options for Firewall/IDS evasion.
If you have any doubts, you can ping me at A3h1nt.