Nmap not only adjusts itself to different network and target conditions while scanning, but it also supports several parameters that affect its behavior, such as the number of hosts scanned concurrently, the number of retries, and the number of allowed probes. Learning how to adjust these parameters properly will save you a great deal of scanning time.
The following recipe explains the Nmap parameters that can be adjusted to improve performance.
Enter the following command, adjusting the values according to your needs:
# nmap --min-hostgroup 100 --max-hostgroup 500 --max-retries 2 -iR 0
The command shown previously tells Nmap to scan and report by grouping no less than 100 (--min-hostgroup 100) and no more than 500 hosts (--max-hostgroup 500). It also tells Nmap to retry only twice before giving up on any port (--max-retries 2).
It is important to note that setting these values incorrectly will most likely hurt the performance or accuracy rather than improving it.
Nmap sends many probes during its port scanning phase because a response can be ambiguous or missing altogether: either the packet got lost, the service is filtered, or the service is not open. By default Nmap adjusts the number of retries based on the network conditions, but you can set this value manually by specifying the argument --max-retries. By increasing the number of retries we can improve Nmap's accuracy, but keep in mind that we also sacrifice speed:
# nmap -p80 --max-retries 1 192.168.1.1/16
The arguments --min-hostgroup and --max-hostgroup control the number of hosts that we probe concurrently. Keep in mind that reports are also generated per host group, so adjust this value depending on how often you would like to see the scan results. Larger groups are preferred and improve performance:
# nmap -A -p- --min-hostgroup 100 --max-hostgroup 500 <Range>
There is also a very important pair of arguments that can be used to limit the number of packets Nmap sends per second. The arguments --min-rate and --max-rate need to be used carefully to avoid undesirable effects. Nmap sets these rates automatically if the arguments are not present:
# nmap -A -p- --min-rate 50 --max-rate 100 <target>
Finally, the arguments --min-parallelism and --max-parallelism can be used to control the number of probes for a host group. By setting these arguments, Nmap will no longer adjust the values dynamically:
# nmap -A --max-parallelism 1 <target>
# nmap -A --min-parallelism 10 --max-parallelism 250 <target>
If you would like Nmap to quit a scan after a certain amount of time, you can set the argument --host-timeout, as shown in the following command:
# nmap -sV -A -p- --host-timeout 5m <target>
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.00075s latency).
Skipping host scanme.nmap.org (74.207.244.221) due to host timeout
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.56 seconds
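As an added example (not part of the original recipe), the following Python script parses Nmap's normal output for the "Skipping host ... due to host timeout" lines shown above together with the closing "Nmap done" summary, and builds a follow-up command that rescans only the skipped hosts with a longer --host-timeout. The sample output is constructed for the example, and the 192.0.2.x addresses are documentation placeholders.

```python
import re
from typing import List, NamedTuple

# Constructed Nmap normal output: one host finished, two hit --host-timeout.
SAMPLE_OUTPUT = """\
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.00075s latency).
Skipping host scanme.nmap.org (74.207.244.221) due to host timeout
Nmap scan report for 192.0.2.10
Host is up (0.0012s latency).
PORT   STATE SERVICE
80/tcp open  http
Nmap scan report for 192.0.2.11
Host is up (0.0010s latency).
Skipping host 192.0.2.11 due to host timeout
Nmap done: 3 IP addresses (3 hosts up) scanned in 612.40 seconds
"""

# Hostname plus an optional "(IP)" as Nmap prints it when reverse DNS succeeds.
TIMEOUT_RE = re.compile(r"^Skipping host (\S+)(?: \(([\d.]+)\))? due to host timeout$")
DONE_RE = re.compile(
    r"^Nmap done: \d+ IP address(?:es)? \((\d+) hosts? up\) scanned in ([\d.]+) seconds$"
)

class ScanSummary(NamedTuple):
    hosts_up: int
    seconds: float
    timed_out: List[str]  # targets that hit --host-timeout (IP preferred)

def parse_nmap_output(text: str) -> ScanSummary:
    """Collect skipped hosts and the closing statistics from normal (-oN) output."""
    timed_out: List[str] = []
    hosts_up, seconds = 0, 0.0
    for line in text.splitlines():
        m = TIMEOUT_RE.match(line)
        if m:
            # Prefer the IP so the rescan does not depend on DNS resolving again.
            timed_out.append(m.group(2) or m.group(1))
            continue
        m = DONE_RE.match(line)
        if m:
            hosts_up, seconds = int(m.group(1)), float(m.group(2))
    return ScanSummary(hosts_up, seconds, timed_out)

def rescan_command(summary: ScanSummary, timeout: str = "15m") -> str:
    """Follow-up command for the skipped hosts only, with a longer --host-timeout."""
    if not summary.timed_out:
        return ""
    return f"nmap -sV -A -p- --host-timeout {timeout} {' '.join(summary.timed_out)}"
```

Hosts skipped this way are still counted as up in the "Nmap done" summary, so that line alone does not reveal that their port tables are missing.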
Interactive mode in Nmap allows users to press keys to dynamically change the runtime variables, but when this book was being written, there weren't any official patches available. However, there is an experimental patch, submitted in June 2012, that allows you to change the values of --max-rate and --min-rate dynamically. You can find this patch at http://seclists.org/nmap-dev/2012/q2/883.
Nmap scans are divided into the following phases:
- ... -sC or --script, and it attempts to retrieve additional host information via a collection of NSE scripts.
- ... -Pn can be used to skip this phase.
- ... -R can be used to force DNS resolution, and the argument -n can be used to skip it.
- ... -sn.
- ... -sV is set.
- ... -O is present.
- ... --traceroute is set.
- ... --script is specified.