Adjusting performance parameters

Nmap not only adjusts itself to different network and target conditions while scanning, but it also supports several parameters that affect the behavior of Nmap, such as the number of hosts scanned concurrently, number of retries, and number of allowed probes. Learning how to adjust these parameters properly will save you a lot of scanning time in your life.

The following recipe explains the Nmap parameters that can be adjusted to improve performance.

How to do it...

Enter the following command, adjusting the values according to your needs:

# nmap --min-hostgroup 100 --max-hostgroup 500 --max-retries 2 -iR 0

How it works...

The command shown previously tells Nmap to scan and report by grouping no less than 100 (--min-hostgroup 100) and no more than 500 hosts (--max-hostgroup 500). It also tells Nmap to retry only twice before giving up on any port (--max-retries 2).


It is important to note that setting these values incorrectly will most likely hurt the performance or accuracy rather than improving it.

Nmap sends many probes during its port scanning phase because a missing or ambiguous response can mean several things: the packet was lost, the port is filtered, or the service is simply not open. By default, Nmap adjusts the number of retries to the network conditions, but you can set this value manually with the --max-retries argument. Increasing the number of retries improves Nmap's accuracy, but keep in mind that it also costs speed:

# nmap -p80 --max-retries 1 192.168.1.1/16

The arguments --min-hostgroup and --max-hostgroup control the number of hosts that we probe concurrently. Keep in mind that reports are also generated per host group, so adjust this value depending on how often you would like to see scan results. Larger groups are preferred and improve performance:

# nmap -A -p- --min-hostgroup 100 --max-hostgroup 500 <Range>

There are also two important arguments that limit the number of packets Nmap sends per second. The arguments --min-rate and --max-rate need to be used carefully to avoid undesirable effects; when they are not present, Nmap sets the rates automatically:

# nmap -A -p- --min-rate 50 --max-rate 100 <target>

Finally, the arguments --min-parallelism and --max-parallelism control the number of outstanding probes for a host group. Once these arguments are set, Nmap no longer adjusts the values dynamically:

# nmap -A --max-parallelism 1 <target>
# nmap -A --min-parallelism 10 --max-parallelism 250 <target>

There's more...

If you would like Nmap to quit a scan after a certain amount of time, you can set the argument --host-timeout, as shown in the following command:

# nmap -sV -A -p- --host-timeout 5m <target>
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.00075s latency).
Skipping host scanme.nmap.org (74.207.244.221) due to host timeout
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.56 seconds
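The "Skipping host ... due to host timeout" line above is the one to act on: a tight --host-timeout keeps a large scan moving, and the hosts it skipped can be given a longer budget in a second, smaller pass. The following shell script is an added example, not code from the book or from the Nmap project; it parses saved Nmap normal output (-oN) for timed-out hosts and prints the follow-up command. The sample output, hostnames and addresses embedded in it are constructed for the example, and the follow-up options (-Pn, --max-retries 2, the new --host-timeout value) are choices made here, not anything the book prescribes.

```shell
#!/bin/sh
# Added example, not from the book: after a time-boxed first pass
# (--host-timeout), pull out the hosts Nmap gave up on and build the
# follow-up scan that gives only those hosts a longer time budget.

# Constructed sample of Nmap normal output. Hostnames and addresses are
# made up; the "Skipping host ... due to host timeout" lines follow the
# format Nmap prints when a host hits --host-timeout.
SAMPLE_OUTPUT='Nmap scan report for host-a.example.internal (10.0.0.11)
Host is up (0.00075s latency).
Skipping host host-a.example.internal (10.0.0.11) due to host timeout
Nmap scan report for 10.0.0.12
Host is up (0.0010s latency).
PORT   STATE SERVICE
22/tcp open  ssh
Skipping host 10.0.0.13 due to host timeout
Nmap done: 3 IP addresses (3 hosts up) scanned in 14.56 seconds'

# timed_out_hosts FILE
# Print the IP address of every host that hit the host timeout, one per
# line, de-duplicated. Handles both "host NAME (IP)" and bare "host IP".
timed_out_hosts() {
    grep '^Skipping host .* due to host timeout$' "$1" |
        sed -E 's/^Skipping host (.* \()?([0-9.]+)\)? due to host timeout$/\2/' |
        sort -u
}

# rescan_command FILE TIMEOUT
# Print the follow-up Nmap command line for the stragglers only.
# -Pn skips host discovery (the first pass already saw them up) and
# --max-retries 2 keeps the longer scan bounded. Returns 1 if nothing
# timed out, so a caller can stop there.
rescan_command() {
    hosts=$(timed_out_hosts "$1" | xargs)
    [ -n "$hosts" ] || { echo "no hosts timed out; nothing to rescan" >&2; return 1; }
    echo "nmap -sV -A -p- -Pn --max-retries 2 --host-timeout $2 $hosts"
}

# Stand-alone demo on the constructed sample. With a real scan, save the
# first pass with -oN first-pass.txt and pass that file instead.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_OUTPUT" > "$tmp"
    echo "Hosts that timed out:"
    timed_out_hosts "$tmp"
    echo "Follow-up scan:"
    rescan_command "$tmp" 15m
    rm -f "$tmp"
}

demo
```

Run the script as-is to see it work on the sample; for a real run, point `rescan_command` at the -oN file of the first pass and pipe its output to `sh` once you have checked the command line it prints. Parsing the normal output this way is enough for a one-off; for anything scripted further, Nmap's XML output (-oX) is the format to parse instead.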

Interactive mode in Nmap allows users to press keys to dynamically change the runtime variables, but when this book was being written, there weren't any official patches available. However, there is an experimental patch, which was submitted in June 2012, that allows you to change the values of --max-rate and --min-rate dynamically. You can find this patch at http://seclists.org/nmap-dev/2012/q2/883.

Scanning phases of Nmap

Nmap scans are divided into the following phases:

  • Script pre-scanning: This phase is only executed when you use the options -sC or --script, and it attempts to retrieve additional host information via a collection of NSE scripts.
  • Target enumeration: In this phase, Nmap parses the target specification(s) and resolves them into IP addresses.
  • Host discovery: This is the phase where Nmap determines whether the target(s) are online and reachable on the network by performing the specified host discovery technique(s). The option -Pn can be used to skip this phase.
  • Reverse DNS resolution: In this phase, Nmap performs a reverse DNS lookup to obtain a hostname for each target. The argument -R can be used to force DNS resolution, and the argument -n can be used to skip it.
  • Port scanning: During this phase, Nmap determines the state of the ports. It can be skipped by using the argument -sn.
  • Version detection: This phase is in charge of detecting the service and version information for the ports that were found open. It is only executed when the argument -sV is set.
  • OS detection: In this phase, Nmap attempts to determine the operating system of the target. It is only executed when the option -O is present.
  • Traceroute: In this phase, Nmap performs a traceroute to the targets. This phase only runs when the option --traceroute is set.
  • Script scanning: In this phase, the NSE scripts are run depending on their execution rules.
  • Output: In this phase, Nmap formats all the gathered information, and returns it to the user in the specified format.
  • Script post-scanning: In this phase, NSE scripts with post-scan execution rules are evaluated and given a chance to run. If there are no post-scan NSE scripts in the default category, this phase will be skipped unless the argument --script is specified.

Debugging Nmap scans

If something unexpected happens during an Nmap scan, turn on debugging to get additional information. Nmap uses the flag -d to set the debugging level, which can be any integer between 0 and 9:

$ nmap -p80 --script http-enum -d4 <target>

See also

  • The Scanning random targets recipe
  • The Skipping tests to speed up long scans recipe
  • The Selecting the correct timing template recipe
  • The Adjusting timing parameters recipe
  • The Collecting signatures of web servers recipe
  • The Distributing a scan among several clients by using Dnmap recipe