Timing Options - Nmap 6 Cookbook: The Fat Free Guide to Network Security Scanning (2015)


Section 7: Timing Options

Overview

Many Nmap features have configurable timing options. These timing options can be used to speed up or slow down scanning operations depending on your needs. When scanning a large number of hosts on a fast network, you may want to increase the number of parallel operations to get faster results. Alternatively, when scanning slow networks (or across the internet) you may want to throttle a scan to get more accurate results or evade intrusion detection systems. This section discusses Nmap’s options available for these timing features.

Summary of features covered in this section:

-T[0-5] - Timing Templates
--ttl - Set the Packet TTL
--min-parallelism - Minimum # of Parallel Operations
--max-parallelism - Maximum # of Parallel Operations
--min-hostgroup - Minimum Host Group Size
--max-hostgroup - Maximum Host Group Size
--max-rtt-timeout - Maximum RTT Timeout
--initial-rtt-timeout - Initial RTT Timeout
--max-retries - Maximum Retries
--host-timeout - Host Timeout
--scan-delay - Minimum Scan Delay
--max-scan-delay - Maximum Scan Delay
--min-rate - Minimum Packet Rate
--max-rate - Maximum Packet Rate
--defeat-rst-ratelimit - Defeat Reset Rate Limits

Timing Parameters

Certain Nmap options accept timing parameters to adjust various thresholds. You can manually specify timing parameters in milliseconds, seconds, minutes, or hours by appending a qualifier to the time argument. The table below provides examples of time parameter usage syntax.

Note: Nmap timing parameters in Nmap 6 are accepted as seconds by default. Versions 5 and earlier use milliseconds as the default timing parameter.

Nmap Timing Parameters:

ms - Milliseconds (1/1000 of a second). Example: 500ms (500 milliseconds)
s or (none) - Seconds (default). Example: 10 (10 seconds)
m - Minutes. Example: 5m (5 minutes)
h - Hours. Example: 1h (1 hour)

Take, for example, the --host-timeout option (discussed later in this section) which uses a timing parameter. To specify a five-minute timeout you can use any of the following forms of time specification:

nmap --host-timeout 300000ms 10.10.4.1
nmap --host-timeout 300s 10.10.4.1
nmap --host-timeout 300 10.10.4.1
nmap --host-timeout 5m 10.10.4.1

Since 300000 milliseconds and 300 seconds both equal 5 minutes, any of the above commands will produce the same result.
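The following shell snippet is an added example (not code from the book) that applies the timing parameter rules above: it converts a parameter such as 500ms, 300s, 300, 5m or 1h to milliseconds using the Nmap 6 convention that a bare number means seconds, rejects malformed values, and checks that two spellings denote the same duration. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the book): convert an Nmap 6 timing parameter
# ("500ms", "300s", "300", "5m", "1h") to milliseconds and compare spellings.
# Assumes the Nmap 6 rule that a number without a qualifier means seconds.

nmap_time_to_ms() {
    spec=$1
    case "$spec" in
        *ms) num=${spec%ms}; mult=1 ;;
        *s)  num=${spec%s};  mult=1000 ;;
        *m)  num=${spec%m};  mult=60000 ;;
        *h)  num=${spec%h};  mult=3600000 ;;
        *)   num=$spec;      mult=1000 ;;   # no qualifier: seconds in Nmap 6
    esac
    # Accept only a plain decimal number in front of the qualifier.
    case "$num" in
        ''|.|*[!0-9.]*|*.*.*)
            printf 'invalid timing parameter: %s\n' "$spec" >&2
            return 1 ;;
    esac
    awk -v n="$num" -v m="$mult" 'BEGIN { printf "%d\n", n * m }'
}

# same_duration A B: succeeds when both spellings denote the same time.
same_duration() {
    a=$(nmap_time_to_ms "$1") || return 2
    b=$(nmap_time_to_ms "$2") || return 2
    [ "$a" -eq "$b" ]
}

# Usage: the four --host-timeout spellings from the text are all 300000 ms.
for spec in 300000ms 300s 300 5m; do
    printf '%-9s = %s ms\n' "$spec" "$(nmap_time_to_ms "$spec")"
done
```

Run the script as-is to see the four equivalent spellings; source it and call same_duration before launching a long scan when a value was copied from notes written against Nmap 5, where a bare number meant milliseconds.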

Timing Templates

The -T parameter is used to specify a timing template for an Nmap scan.

Usage syntax: nmap -T[0-5] [target]

$ nmap -T4 10.10.4.26

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 15:44 CST
Nmap scan report for 10.10.4.26
Host is up (0.0013s latency).
Not shown: 994 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
111/tcp open  rpcbind
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds

Using a timing template

Timing templates are handy shortcuts for various timing options (discussed later in this section). There are six templates (numbered 0-5) that can be used to speed up scanning (for faster results) or to slow down scanning (to evade firewalls). The table below describes each timing template.

Nmap Timing Templates:

-T0 (paranoid) - Extremely slow

-T1 (sneaky) - Useful for avoiding intrusion detection systems

-T2 (polite) - Unlikely to interfere with the target system

-T3 (normal) - This is the default timing template

-T4 (aggressive) - Produces faster results on speedy networks

-T5 (insane) - Extremely fast and aggressive scan

Minimum Number of Parallel Operations

The --min-parallelism option is used to specify the minimum number of parallel port scan operations Nmap should perform at any given time.

Usage syntax: nmap --min-parallelism [number] [target]

# nmap --min-parallelism 100 10.10.4.100-200

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 15:47 CST
Nmap scan report for 10.10.4.102
Host is up (0.0016s latency).
All 1000 scanned ports on 10.10.4.102 are closed

Nmap scan report for 10.10.4.104
Host is up (0.0013s latency).
All 1000 scanned ports on 10.10.4.104 are closed (932) or filtered (68)

[...]

Nmap done: 101 IP addresses (23 hosts up) scanned in 15.49 seconds

Specifying the minimum number of parallel operations

Nmap automatically adjusts parallel scanning options based on network conditions. In some cases, you may want to specify your own custom setting. The above example instructs Nmap to always perform at least 100 parallel operations at any given time.

Note: While manually setting the --min-parallelism option may increase scan performance, setting it too high may produce inaccurate results.

Maximum Number of Parallel Operations

The --max-parallelism option is used to control the maximum number of parallel port scan operations Nmap will perform at any given time.

Usage syntax: nmap --max-parallelism [number] [target]

# nmap --max-parallelism 1 scanme.nmap.org

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 15:52 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.058s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9929/tcp open  nping-echo

Nmap done: 1 IP address (1 host up) scanned in 58.61 seconds

Specifying the maximum number of parallel operations

In the above example, --max-parallelism 1 is used to restrict Nmap so that only one operation is performed at a time. This scan will be considerably slower, but it is less likely to overwhelm the target system with a flood of packets. This can help prevent triggering red flags with intrusion detection systems.

Minimum Host Group Size

The --min-hostgroup option is used to specify the minimum number of targets Nmap should scan in parallel.

Usage syntax: nmap --min-hostgroup [number] [targets]

# nmap --min-hostgroup 30 10.10.4.0/24

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 15:56 CST
Nmap scan report for 10.10.4.1
Host is up (0.00021s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap scan report for 10.10.4.2
Host is up (0.00064s latency).
Not shown: 988 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

[...]

Nmap done: 256 IP addresses (66 hosts up) scanned in 34.26 seconds

Specifying a minimum host group size

Nmap will perform scans in parallel to save time when scanning multiple targets such as a range or an entire subnet. By default, Nmap automatically adjusts the size of the host groups based on the type of scan being performed and on network conditions. When the --min-hostgroup option is specified, Nmap will attempt to keep the group sizes at or above the specified number.

Maximum Host Group Size

The --max-hostgroup option is used to specify the maximum number of targets Nmap should scan in parallel.

Usage syntax: nmap --max-hostgroup [number] [targets]

# nmap --max-hostgroup 10 10.10.4.0/24

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 15:58 CST
Nmap scan report for 10.10.4.1
Host is up (0.00017s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap scan report for 10.10.4.2
Host is up (0.0017s latency).
Not shown: 988 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

[...]

Nmap done: 256 IP addresses (66 hosts up) scanned in 67.01 seconds

Specifying a maximum host group size

In contrast to the --min-hostgroup option, the --max-hostgroup option controls the maximum number of hosts in a group. This option is helpful if you want to reduce the load on a network or to avoid triggering any red flags with various network security systems.

Initial RTT Timeout

The --initial-rtt-timeout option controls the initial RTT (round-trip time) timeout value used by Nmap.

Usage syntax: nmap --initial-rtt-timeout [time] [target]

# nmap --initial-rtt-timeout 5s scanme.nmap.org

Starting Nmap 6.40 ( http://nmap.org ) at 2015-02-08 16:00 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.29s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9929/tcp open  nping-echo

Nmap done: 1 IP address (1 host up) scanned in 1.06 seconds

Specifying the initial RTT timeout value used by Nmap

The default timing template has an --initial-rtt-timeout value of 1000 milliseconds. Increasing the value will reduce the number of packet retransmissions due to timeouts. Decreasing the value can speed up scans, but do so with caution: setting the RTT timeout too low can negate any potential performance gains and lead to inaccurate results.

Maximum RTT Timeout

The --max-rtt-timeout option is used to specify the maximum RTT (round-trip time) timeout for a packet response.

Usage syntax: nmap --max-rtt-timeout [time] [target]

# nmap --max-rtt-timeout 400ms scanme.nmap.org

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-21 15:10 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.17s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9929/tcp open  nping-echo

Nmap done: 1 IP address (1 host up) scanned in 4.93 seconds

Specifying a 400 millisecond maximum RTT timeout

Nmap dynamically adjusts RTT timeout options for best results by default. The default maximum RTT timeout is 10 seconds. Manually adjusting the maximum RTT timeout lower will allow for faster scan times (especially when scanning large blocks of addresses). Specifying a high maximum RTT timeout will prevent Nmap from giving up too soon when scanning over slow/unreliable connections. Typical values are between 100 milliseconds for fast/reliable networks and 10000 milliseconds for slow/unreliable connections.

Maximum Retries

The --max-retries option is used to control the maximum number of probe retransmissions Nmap will attempt to perform.

Usage syntax: nmap --max-retries [number] [target]

# nmap --max-retries 2 scanme.nmap.org

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-21 15:14 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.12s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9929/tcp open  nping-echo

Nmap done: 1 IP address (1 host up) scanned in 4.52 seconds

Specifying the maximum number of retries

By default, Nmap will automatically adjust the number of probe retransmissions based on network conditions. The --max-retries option can be used if you want to override the default settings or troubleshoot a connectivity problem. Specifying a high number can increase the time it takes for a scan to complete, but will produce more accurate results. By lowering --max-retries you can speed up a scan, although you may not get accurate results if Nmap gives up too quickly.

Set the Packet TTL

The --ttl option is used to specify the IP TTL (time-to-live) for the specified scan (in seconds/hops).

Usage syntax: nmap --ttl [0-256] [target]

# nmap --ttl 20 scanme.nmap.org

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-21 15:13 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.11s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9929/tcp open  nping-echo

Nmap done: 1 IP address (1 host up) scanned in 4.53 seconds

Specifying a TTL parameter of 20

Packets sent using this option will have the specified TTL value. This option is useful when scanning targets on slow/distant connections where normal packets may time out before receiving a response. The TTL is specified in seconds, but each hop decreases the value by at least 1 regardless of the amount of time elapsed. Therefore, the TTL can also be referred to as a hop limit.

Host Timeout

The --host-timeout option causes Nmap to give up on slow hosts after the specified time.

Usage syntax: nmap --host-timeout [time] [target]

$ nmap --host-timeout 500ms scanme.nmap.org

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 16:19 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.059s latency).
Skipping host scanme.nmap.org (74.207.244.221) due to host timeout
Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds

Output of an Nmap scan when specifying a short host timeout

A host may take a long time to scan if it is located on a slow or unreliable network. Systems that are protected by rate limiting firewalls may also take a considerable amount of time to scan. The --host-timeout option instructs Nmap to give up on the target system if the scan fails to complete within the specified time interval. In the above example, the scan takes longer than 500 milliseconds to complete (as specified by the 500ms parameter), which causes Nmap to abandon the host. A 500 millisecond host timeout is unrealistic, but the option is particularly useful in other scenarios. One example is when scanning multiple systems across a WAN or internet connection where you would rather skip slow systems than wait for them. Another is when trying to do a quick scan of a large number of hosts when accuracy isn’t a priority.

Note: Nmap performs parallel operations when scanning multiple targets. In the event that one host is taking a long time to respond, Nmap is likely scanning other hosts during that time. This reduces potential bottlenecks that slow hosts can create.

Warning: When the --host-timeout option is specified, Nmap will not display any results if a host exceeds the timeout (even if it discovered open ports).

Minimum Scan Delay

The --scan-delay option instructs Nmap to pause for the specified time interval between probes.

Usage syntax: nmap --scan-delay [time] [target]

# nmap --scan-delay 1s -F 10.10.3.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 16:36 CST
Nmap scan report for 10.10.3.1
Host is up (0.00080s latency).
Not shown: 97 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 101.17 seconds

Specifying a 1 second minimum scan delay

Nmap attempts to strike a balance between performance and reliability when sending probes. Some systems employ rate limiting which can hamper Nmap scanning attempts. Nmap will automatically adjust the scan delay by default on systems where rate limiting is detected. In some cases it may be useful to specify your own scan delay if you know that rate limiting or IDS (Intrusion Detection Systems) are in use. In the example above, the scan delay of 1s instructs Nmap to wait one second between probes. This can take a considerable amount of time but helps prevent triggering any red flags.

Maximum Scan Delay

The --max-scan-delay option is used to specify the maximum amount of time Nmap should wait between probes.

Usage syntax: nmap --max-scan-delay [time] [target]

# nmap --max-scan-delay 50ms 10.10.3.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 16:39 CST
Nmap scan report for 10.10.3.1
Host is up (0.072s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds

Specifying a 50 millisecond maximum scan delay

Nmap automatically adjusts the scan delay to accommodate network conditions and/or rate limiting hosts. The --max-scan-delay option can be used to set an upper limit on the amount of time between probes. This can speed up a scan, but it comes at the expense of accuracy and adds network stress. In the example above, a 50 millisecond maximum scan delay is specified, which causes Nmap to wait no more than 50ms between probes.

Minimum Packet Rate

The --min-rate option is used to specify the minimum number of packets Nmap should send per second.

Usage syntax: nmap --min-rate [number] [target]

$ nmap --min-rate 30 scanme.nmap.org

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 10:54 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.056s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9929/tcp open  nping-echo

Nmap done: 1 IP address (1 host up) scanned in 1.07 seconds

Specifying a minimum packet transmission rate of 30

Nmap, by default, will automatically adjust the packet rate for a scan based on network conditions. In some cases you may want to specify your own minimum rate - although this is generally not necessary. In the above example --min-rate 30 instructs Nmap to send at least 30 packets per second. Nmap will use the number as a low threshold but may scan faster than this if network conditions allow.

Warning: Setting the --min-rate too high may reduce the accuracy of a scan.

Maximum Packet Rate

The --max-rate option specifies the maximum number of packets Nmap should send per second.

Usage syntax: nmap --max-rate [number] [target]

$ nmap --max-rate 30 scanme.nmap.org

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 10:54 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.055s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9929/tcp open  nping-echo

Nmap done: 1 IP address (1 host up) scanned in 33.58 seconds

Using a maximum packet transmission rate of 30

In the example above, specifying --max-rate 30 instructs Nmap to send no more than 30 packets per second. This can dramatically slow down a scan but can be helpful when attempting to avoid intrusion detection systems or a target that uses rate limiting.

Tip: To perform a very sneaky scan use --max-rate 0.1 which instructs Nmap to send one packet every ten seconds.
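The scan delay and packet rate sections above both note that a slow scan is less likely to trip an intrusion detection system. The following is an added example from the defender's side (not code from the book): a throttled scan such as --scan-delay 10s or --max-rate 0.1 still touches many distinct ports from one source, so a detector that counts distinct destination ports per source over a long window, rather than packets per second, flags it alongside the fast -T4 style burst. The log format ("<epoch> <src-ip> <dst-port>"), the addresses and the thresholds are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the book): flag port scans in a connection log by
# counting distinct destination ports per source over the whole log, so that a
# low-and-slow scan is caught as well as a burst. Log format is constructed
# for this example: "<epoch> <src-ip> <dst-port>".

sample_log() {
    # burst: 20 ports from 10.10.4.50 inside one second (a -T4 style scan)
    i=1
    while [ $i -le 20 ]; do
        echo "1421340000 10.10.4.50 $i"
        i=$((i + 1))
    done
    # low and slow: 12 ports from 10.10.4.51, one probe every 10 seconds
    i=1
    while [ $i -le 12 ]; do
        echo "$((1421340000 + i * 10)) 10.10.4.51 $((20 + i))"
        i=$((i + 1))
    done
    # benign client: repeated hits on two ports only
    echo "1421340005 10.10.4.52 80"
    echo "1421340030 10.10.4.52 443"
    echo "1421340090 10.10.4.52 80"
}

# detect_port_scans MIN_DISTINCT_PORTS BURST_SECONDS
# Reads the log on stdin and prints "src distinct_ports span label" for every
# source that touched at least MIN_DISTINCT_PORTS distinct ports; the label is
# "burst" when all probes fit inside BURST_SECONDS and "slow" otherwise.
detect_port_scans() {
    awk -v minports="$1" -v burst="$2" '
    {
        src = $2; key = $2 SUBSEP $3
        if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        if (!(src in first) || $1 < first[src]) first[src] = $1
        if (!(src in last)  || $1 > last[src])  last[src]  = $1
    }
    END {
        for (src in ports) {
            if (ports[src] >= minports) {
                span = last[src] - first[src]
                printf "%s %d %d %s\n", src, ports[src], span,
                       (span <= burst ? "burst" : "slow")
            }
        }
    }' | sort
}

# Convenience wrapper: run over the constructed log with thresholds of
# 10 distinct ports and a 5 second burst window.
flag_sample_scanners() {
    sample_log | detect_port_scans 10 5
}

flag_sample_scanners
```

The burst source is reported with a span of 0 seconds and the throttled source with a span of 110 seconds; the benign client, which only ever touched two ports, is not reported. The distinct-port threshold is what matters here: a per-second packet rate alert would never fire on the slow source, which is exactly the evasion the --max-rate tip relies on.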

Defeat Reset Rate Limits

The --defeat-rst-ratelimit option is used to defeat targets that apply rate limiting to RST (reset) packets.

Usage syntax: nmap --defeat-rst-ratelimit [target]

# nmap --defeat-rst-ratelimit scanme.nmap.org

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 10:56 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.20s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9929/tcp open  nping-echo

Nmap done: 1 IP address (1 host up) scanned in 4.36 seconds

Defeating RST rate limits

The --defeat-rst-ratelimit option can be useful if you want to speed up scans on targets that implement RST packet rate limits. It can, however, lead to inaccurate results and as such is rarely used.

Note: The --defeat-rst-ratelimit option is rarely used because, in most cases, Nmap will automatically detect rate limiting hosts and adjust itself accordingly.