Nmap includes six templates that set different timing and performance arguments to optimize your scans. Even though Nmap automatically adjusts some of these values, it is recommended that you set the correct timing template to hint Nmap with a provide as to the speed of your network connection and the target's response time.
The following recipe will teach you about Nmap's timing templates and how to choose the correct one.
Open your terminal and type the following command to use the "aggressive" timing template:
# nmap -T4 -d 192.168.4.20 --------------- Timing report --------------- hostgroups: min 1, max 100000 rtt-timeouts: init 500, min 100, max 1250 max-scan-delay: TCP 10, UDP 1000, SCTP 10 parallelism: min 0, max 0 max-retries: 6, host-timeout: 0 min-rate: 0, max-rate: 0 --------------------------------------------- ...
You may use the integers between 0
and 5
, for example -T[0-5]
.
The option -T
is used to set the timing template in Nmap. Nmap provides six timing templates to help users tune some of the timing and performance arguments.
The available timing templates and their initial configuration values are as follows:
-0
): This template is useful for avoiding detection systems, but it is painfully slow because only one port is scanned at a time, and the timeout between probes is 5 minutes.--------------- Timing report --------------- hostgroups: min 1, max 100000 rtt-timeouts: init 300000, min 100, max 300000 max-scan-delay: TCP 1000, UDP 1000, SCTP 1000 parallelism: min 0, max 1 max-retries: 10, host-timeout: 0 min-rate: 0, max-rate: 0 ---------------------------------------------
-1
): This template is useful for avoiding detection systems but is still very slow.--------------- Timing report --------------- hostgroups: min 1, max 100000 rtt-timeouts: init 15000, min 100, max 15000 max-scan-delay: TCP 1000, UDP 1000, SCTP 1000 parallelism: min 0, max 1 max-retries: 10, host-timeout: 0 min-rate: 0, max-rate: 0 ---------------------------------------------
-2
): This template is used when scanning is not supposed to interfere with the target system.--------------- Timing report --------------- hostgroups: min 1, max 100000 rtt-timeouts: init 1000, min 100, max 10000 max-scan-delay: TCP 1000, UDP 1000, SCTP 1000 parallelism: min 0, max 1 max-retries: 10, host-timeout: 0 min-rate: 0, max-rate: 0 ---------------------------------------------
-3
): This is Nmap's default timing template, which is used when the argument -T
is not set.--------------- Timing report --------------- hostgroups: min 1, max 100000 rtt-timeouts: init 1000, min 100, max 10000 max-scan-delay: TCP 1000, UDP 1000, SCTP 1000 parallelism: min 0, max 0 max-retries: 10, host-timeout: 0 min-rate: 0, max-rate: 0 ---------------------------------------------
-4
): This is the recommended timing template for broadband and Ethernet connections.--------------- Timing report --------------- hostgroups: min 1, max 100000 rtt-timeouts: init 500, min 100, max 1250 max-scan-delay: TCP 10, UDP 1000, SCTP 10 parallelism: min 0, max 0 max-retries: 6, host-timeout: 0 min-rate: 0, max-rate: 0 ---------------------------------------------
-5
): This timing template sacrifices accuracy for speed.--------------- Timing report --------------- hostgroups: min 1, max 100000 rtt-timeouts: init 250, min 50, max 300 max-scan-delay: TCP 5, UDP 1000, SCTP 5 parallelism: min 0, max 0 max-retries: 2, host-timeout: 900000 min-rate: 0, max-rate: 0 ---------------------------------------------
Interactive mode in Nmap allows users to press keys to dynamically change the runtime variables. Although the discussion of including timing and performance options in interactive mode has come up a few times in the development mailing list, when this book was being written, there weren't any official patches available. However, there is an experimental patch, which was submitted in June 2012, that allows you to change the values of --max-rate
and --min-rate
dynamically. If you would like to try it out, it's located at http://seclists.org/nmap-dev/2012/q2/883.
18.118.163.250